Pitchbar ships endpoints to satisfy GDPR Article 15 (right of
access) and Article 17 (right to erasure) for any visitor who
interacted with your widget. Workspace admins can look up, export,
or erase a visitor's data from the /app/dsr endpoints.
Admin and Owner roles only. Viewer and Editor get
403 Forbidden. The policy lives in
App\Policies\DsrPolicy and the gate is
manageMembers (the same capability used to invite or remove
members).
POST /app/dsr/lookup. Provide any one of:
email — matches against leads.email in the workspace.
visitor_id — exact visitor uuid.
anonymous_id — the widget's local-storage anonymous id (visible in the visitor's browser dev tools).
Response is a JSON list of matching visitors with country, first / last seen timestamps, and visit count. Cross-workspace lookups are blocked — an admin in workspace A cannot find a visitor that interacted only with workspace B.
POST /app/dsr/export with body
{visitor_id: "..."}. Returns the visitor's full
history as JSON: visitor row (sans IP hash), every conversation
with its messages, every lead record, all events
(CTA clicks, satisfaction submits, etc.). The export is also
persisted (encrypted at rest) in dsr_requests for the
audit trail.
Every export writes one audit_logs row with
action=dsr.exported for the workspace's compliance
record.
POST /app/dsr/erase with body
{visitor_id: "...", confirm_typed: "ERASE"}. The
confirm_typed guard prevents accidental wipes — the
string must be exactly ERASE (case sensitive).
Erasure runs inside a database transaction and:
leads.email, leads.phone, leads.name; clears leads.fields.
conversations.visitor_id foreign key has ON DELETE SET NULL, so conversations themselves survive with their messages intact, but the visitor link is gone.
events rows tied to the visitor's conversations.
audit_logs.action=dsr.erased for the compliance record.
Messages are deliberately retained because they carry no personalised text in the default configuration — they are model output and visitor questions to the bot. If your buyers paste PII into the chat box itself, ask your customer-success contact about full-message erasure as a separate workflow.
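A minimal model of the erase semantics described above, added here as an illustration and not Pitchbar's own code. The SQLite schema, the function name erase_visitor, the workspace scoping on erase, the deletion of the visitor row, and the 422/404 status codes are assumptions; the leads and events steps are left out.

```python
import sqlite3

# Assumed, simplified schema; only the columns this sketch needs.
SCHEMA = """
CREATE TABLE visitors (id TEXT PRIMARY KEY, workspace_id INTEGER NOT NULL);
CREATE TABLE conversations (
    id INTEGER PRIMARY KEY,
    visitor_id TEXT REFERENCES visitors(id) ON DELETE SET NULL
);
CREATE TABLE messages (id INTEGER PRIMARY KEY, conversation_id INTEGER, body TEXT);
CREATE TABLE audit_logs (id INTEGER PRIMARY KEY, workspace_id INTEGER, action TEXT);
"""

def open_db():
    db = sqlite3.connect(":memory:", isolation_level=None)  # explicit BEGIN/COMMIT
    db.execute("PRAGMA foreign_keys = ON")  # SQLite skips ON DELETE actions without this
    db.executescript(SCHEMA)
    # Constructed sample data: one visitor in workspace 1 with one conversation.
    db.execute("INSERT INTO visitors VALUES ('v-1', 1)")
    db.execute("INSERT INTO conversations VALUES (10, 'v-1')")
    db.execute("INSERT INTO messages VALUES (100, 10, 'What does the plan cost?')")
    return db

def erase_visitor(db, workspace_id, visitor_id, confirm_typed):
    """Return an HTTP-style status code (assumed values) for an erase request."""
    if confirm_typed != "ERASE":  # exact, case-sensitive match
        return 422
    db.execute("BEGIN")
    try:
        cur = db.execute(
            "DELETE FROM visitors WHERE id = ? AND workspace_id = ?",
            (visitor_id, workspace_id),
        )
        if cur.rowcount == 0:  # unknown id, or a visitor of another workspace
            db.execute("ROLLBACK")
            return 404
        # The FK has already set conversations.visitor_id to NULL at this point.
        db.execute(
            "INSERT INTO audit_logs (workspace_id, action) VALUES (?, 'dsr.erased')",
            (workspace_id,),
        )
        db.execute("COMMIT")
        return 200
    except Exception:
        db.execute("ROLLBACK")  # no partial erasure and no orphan audit row
        raise
```

Because the delete and the audit insert share one transaction, a failure in either leaves both the visitor data and the compliance record unchanged.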
Pitchbar uses Retrieval-Augmented Generation, not fine-tuning, so the underlying LLM has not been trained on your visitor's data. The conversation content was sent to your LLM provider (Cloudflare Workers AI, OpenAI, or OpenRouter) at inference time — those providers' data handling is governed by the contract between you and them, not by Pitchbar.
GDPR also covers audit logs themselves; however, the audit row for a DSR is itself excluded from any subsequent DSR request to keep the compliance record provable. Document this carve-out in your privacy policy.