Zumik
v2 · Native state

Compliance

Read the machine-readable sub-processor list and read or update per-project privacy preferences. One source of truth behind the published legal pages.

The compliance surface backs the published legal pages and the console privacy controls with a single source of truth: a machine-readable sub-processor list and per-project privacy preferences. Defaults are privacy-protective. See GDPR and CCPA.

All requests require a bearer API key. See authentication.

List sub-processors

GET /v2/compliance/sub-processors

Returns the canonical sub-processor list. It mirrors the published legal page, so any integration reads the same authoritative set.

curl https://api.zumik.ai/v2/compliance/sub-processors \
  -H "Authorization: Bearer $ZUMIK_API_KEY"
{
  "object": "list",
  "published_at": "2026-06-12",
  "data": [
    {
      "name": "Stripe",
      "purpose": "Billing, subscriptions, and payment processing",
      "data_categories": ["account", "billing", "payment_metadata"],
      "region": "us"
    },
    {
      "name": "Cloudflare",
      "purpose": "Edge TLS, WAF, DDoS protection, and CDN for all properties",
      "data_categories": ["request_metadata", "ip_address"],
      "region": "global_edge"
    }
  ]
}
objectstring

Always list.

published_atstring

The list's last review date.

dataarray

Each sub-processor with its name, purpose, data_categories, and region.

Read privacy preferences

GET /v2/compliance/privacy-preferences

Returns the project's privacy preferences, falling back to the protective defaults when none are set.

curl https://api.zumik.ai/v2/compliance/privacy-preferences \
  -H "Authorization: Bearer $ZUMIK_API_KEY"
{
  "object": "privacy_preferences",
  "project_id": "prj_01jy7n0a4c8m2t6v9q3wrxk7bd",
  "do_not_sell": true,
  "gpc_honored": true,
  "analytics_consent": false,
  "updated_at": "2026-06-15T16:42:30Z"
}
objectstring

Always privacy_preferences.

project_idstring

The owning project.

do_not_sellboolean

Always true. Zumik does not sell personal information regardless.

gpc_honoredboolean

Always true. Global Privacy Control signals are honored at the edge.

analytics_consentboolean

Opt-in consent for non-essential analytics. Defaults to false.

updated_atstring

RFC 3339 update timestamp.

Update privacy preferences

POST /v2/compliance/privacy-preferences

Updates the analytics-consent choice. The change is recorded in the audit log. do_not_sell is always honored and cannot be toggled off.

analytics_consentboolean

true to opt into non-essential analytics, false to opt out. Defaults to false.

curl https://api.zumik.ai/v2/compliance/privacy-preferences \
  -H "Authorization: Bearer $ZUMIK_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "analytics_consent": true }'

Returns the updated preferences object.

Errors

StatusCodeWhen
401invalid_api_keyMissing or invalid API key.

See the full table on errors.

On this page