Under GDPR Article 17, visitors can request the deletion of their personal data. Yaplet's data erasure tool removes the visitor's profile and all their conversation data from the platform. The action is immediate and irreversible — there is no undo and no backup restoration path after erasure.
Only the workspace owner can erase visitor data. Each erasure is permanently recorded in the audit log.
What gets deleted
- Visitor profile — Name, email, country, custom data fields, external ID, session history, device fingerprints, IP addresses, risk signals, trust score.
- All conversations — Every conversation the visitor had across all widgets in your workspace.
- All messages — Every message in those conversations, from both the visitor and your agents.
- Media files — Uploaded files and images sent in those conversations, removed from storage.
What is NOT deleted
- Audit log entries — The record that the erasure happened (including which visitor ID was erased, and how many chats and messages were removed) is retained permanently. This is a legal requirement for GDPR accountability.
- Agent-authored content — Private notes written by agents that do not contain the visitor's personal data are not erased, but as all conversations are deleted, these notes go away in practice.
How to erase a visitor's data
- Go to Security → Visitors and find the visitor by email or name.
- Click the visitor's name to open their security profile.
- Click Erase data (or the GDPR erasure button).
- A confirmation dialog appears listing what will be deleted — read it carefully.
- Type the confirmation phrase and click Erase permanently.
Verify the erasure
After completion, the visitor profile no longer exists — searching for their email in Yaplet will find no results. Check the audit log for the visitor.erased event, which records the visitor ID and the count of chats and messages that were removed.
Right-to-erasure vs right-to-rectification
If the visitor only wants to correct data (not delete it), you can edit their profile fields directly in the visitor management section rather than running a full erasure.
GDPR timelines
You must respond to a right-to-erasure request within 30 days. The audit log entry gives you a verifiable timestamp you can share with the requester as proof of compliance.