Privacy Notices API
Manage privacy notices, processing purposes, and generate RoPA (Record of Processing Activities) reports.
Endpoints Overview
| Method | Endpoint | Description |
|---|---|---|
| GET | /spaces/{slug}/ropa-report | Generate a paginated RoPA report |
| GET | /spaces/{slug}/privacy-notices | List all privacy notices |
| POST | /spaces/{slug}/privacy-notices | Create a privacy notice |
| GET | /spaces/{slug}/privacy-notices/{id} | Get a privacy notice |
| PUT | /spaces/{slug}/privacy-notices/{id} | Update a privacy notice |
| DELETE | /spaces/{slug}/privacy-notices/{id} | Delete a privacy notice |
| POST | /spaces/{slug}/privacy-notices/{id}/purposes | Add a processing purpose |
| PUT | /spaces/{slug}/privacy-notices/{id}/purposes/{pid} | Update a processing purpose |
| DELETE | /spaces/{slug}/privacy-notices/{id}/purposes/{pid} | Delete a processing purpose |
RoPA Report
Generate a paginated, filterable Record of Processing Activities report for a space.
GET /spaces/{slug}/ropa-report
Query Parameters
| Parameter | Type | Default | Description |
|---|---|---|---|
| limit | integer | 20 | Page size (1–100) |
| offset | integer | 0 | Records to skip |
| search | string | — | Search product name, lawful basis, or purpose |
| lawful_basis | string | — | Filter by lawful basis |
| environment | string | — | Filter by environment |
| mapping_status | string | all | mapped, unmapped, or all |
Response
```json
[
  {
    "product_id": "...",
    "product_name": "Customer Events",
    "product_type": "table",
    "environment": "production",
    "lawful_basis": "Legitimate Interest",
    "retention_period": "36 months",
    "data_subject_categories": ["Customers", "Prospects"],
    "processing_purpose_id": "...",
    "processing_purpose_name": "Marketing Analytics",
    "privacy_notice_id": "...",
    "privacy_notice_name": "Global Privacy Policy"
  }
]
```
Pagination headers (X-Total-Count, X-Limit, X-Offset) are included in the response.
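An added example (not part of the API's own documentation or client code) that walks the report with limit/offset until X-Total-Count is reached, then lists records whose lawful basis, retention period or mapping fields are empty. The `fetch` callable, `fake_fetch`, the sample records, and the assumption that unmapped products come back with null mapping fields are all hypothetical.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

MAX_LIMIT = 100  # documented page-size range is 1-100
REQUIRED = ("lawful_basis", "retention_period",
            "processing_purpose_id", "privacy_notice_id")

def iter_ropa(fetch, slug, limit=MAX_LIMIT, **filters):
    """Yield every RoPA record, paging with limit/offset up to X-Total-Count."""
    # fetch(path) is a hypothetical transport returning (headers, parsed_json);
    # authentication and the base URL are left to it.
    limit = max(1, min(limit, MAX_LIMIT))
    offset = 0
    while True:
        query = urlencode({**filters, "limit": limit, "offset": offset})
        headers, rows = fetch(f"/spaces/{slug}/ropa-report?{query}")
        yield from rows
        offset += len(rows)
        total = headers.get("X-Total-Count")
        # Stop on an empty page, or once the reported total has been read.
        if not rows or (total is not None and offset >= int(total)):
            return

def ropa_gaps(rows):
    """Return (product_name, missing_fields) for records with empty fields."""
    gaps = []
    for row in rows:
        missing = [f for f in REQUIRED if not row.get(f)]
        if missing:
            gaps.append((row.get("product_name"), missing))
    return gaps

# Constructed sample records; real ones carry the full Response shape.
# Assumption: unmapped products come back with null mapping fields.
SAMPLE = [
    {"product_name": "Customer Events", "lawful_basis": "Legitimate Interest",
     "retention_period": "36 months", "processing_purpose_id": "p1", "privacy_notice_id": "n1"},
    {"product_name": "Raw Clickstream", "lawful_basis": None, "retention_period": None,
     "processing_purpose_id": None, "privacy_notice_id": None},
    {"product_name": "Billing Ledger", "lawful_basis": "Contract", "retention_period": None,
     "processing_purpose_id": "p2", "privacy_notice_id": "n1"},
]

def fake_fetch(path):
    """Constructed stand-in for an authenticated GET; serves SAMPLE in pages."""
    q = parse_qs(urlsplit(path).query)
    limit, offset = int(q["limit"][0]), int(q["offset"][0])
    return {"X-Total-Count": str(len(SAMPLE))}, SAMPLE[offset:offset + limit]
```

With a real HTTP client, pass a `fetch` that performs the GET and returns the response headers and decoded JSON body.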
List Privacy Notices
GET /spaces/{slug}/privacy-notices
Response
```json
[
  {
    "id": "...",
    "space_id": "...",
    "name": "Global Privacy Policy",
    "version": "v1.2",
    "status": "ACTIVE",
    "content_url": "https://example.com/privacy-policy",
    "valid_from": "2026-01-01T00:00:00Z",
    "valid_to": null,
    "created_at": "2025-12-01T10:00:00Z",
    "updated_at": "2026-01-15T14:30:00Z",
    "purposes": [
      {
        "id": "...",
        "notice_id": "...",
        "name": "Marketing Analytics",
        "description": "Analyze customer behavior for marketing campaigns",
        "is_essential": false,
        "created_at": "2025-12-01T10:00:00Z",
        "updated_at": "2025-12-01T10:00:00Z"
      }
    ]
  }
]
```
Create Privacy Notice
POST /spaces/{slug}/privacy-notices
Request Body
```json
{
  "name": "Global Privacy Policy",
  "version": "v1.0",
  "status": "DRAFT",
  "content_url": "https://example.com/privacy-policy",
  "valid_from": "2026-03-01T00:00:00Z"
}
```
| Field | Type | Required | Description |
|---|---|---|---|
| name | string | Yes | Name of the privacy notice |
| version | string | Yes | Version string (e.g., v1.0) |
| status | string | No | DRAFT (default), ACTIVE, or ARCHIVED |
| content_url | string | No | Link to the hosted policy text |
| valid_from | datetime | No | When this version comes into effect |
| valid_to | datetime | No | When this version was superseded |
Response: 201 Created with the full privacy notice object.
Update Privacy Notice
PUT /spaces/{slug}/privacy-notices/{notice_id}
Accepts the same fields as creation. Only provided fields are updated (partial update).
Delete Privacy Notice
DELETE /spaces/{slug}/privacy-notices/{notice_id}
Response: 200 OK with {"message": "Privacy notice deleted"}.
Add Processing Purpose
POST /spaces/{slug}/privacy-notices/{notice_id}/purposes
Request Body
```json
{
  "name": "Marketing Analytics",
  "description": "Analyze customer behavior for marketing campaigns",
  "is_essential": false
}
```
| Field | Type | Required | Description |
|---|---|---|---|
| name | string | Yes | Name of the processing purpose |
| description | string | No | Detailed description |
| is_essential | boolean | No | Whether this processing is strictly necessary (default: false) |
Response: 200 OK with the processing purpose object.
Update Processing Purpose
PUT /spaces/{slug}/privacy-notices/{notice_id}/purposes/{purpose_id}
Accepts name, description, and is_essential. Only provided fields are updated.
Delete Processing Purpose
DELETE /spaces/{slug}/privacy-notices/{notice_id}/purposes/{purpose_id}
Response: 200 OK with {"message": "Processing purpose deleted"}.
Related
- Compliance — GDPR — How privacy notices support GDPR compliance
- Compliance — CCPA/HIPAA — Privacy notices in US regulatory context