Data rights
Export everything Zumik retains for a project, or request erasure. GDPR and CCPA data-subject rights, scoped strictly to the caller's project.
Two data-subject flows, both scoped strictly to the caller's project. A data export assembles a machine-readable bundle of everything Zumik retains (right to access and portability). A deletion request erases the project's retained data, bumps the namespace generation so stale cache entries cannot be resurrected, and issues a signed receipt (right to erasure). Export ids are prefixed exp_; deletion requests del_. See GDPR and CCPA.
Billing records required for tax compliance are kept for the legally required period and noted in the receipt, rather than silently dropped.
All requests require a bearer API key. See authentication.
Create a data export
POST /v2/data-exports
Assembles and stores the export bundle inline. No request body.
curl -X POST https://api.zumik.ai/v2/data-exports \
-H "Authorization: Bearer $ZUMIK_API_KEY"{
"id": "exp_01jy7nst01u3v4w5x6y7z8a9b2",
"object": "data_export",
"project_id": "prj_01jy7n0a4c8m2t6v9q3wrxk7bd",
"created_at": "2026-06-15T16:45:09Z",
"status": "completed",
"format": "json",
"data": {
"project": { "id": "prj_01jy7n0a4c8m2t6v9q3wrxk7bd", "name": "Acme" },
"billing_account": { "...": "..." },
"usage_events": [],
"artifacts": [],
"sessions": [],
"provider_credentials": [],
"subscription_credentials": [],
"regional_policy": null,
"retention_profile": null,
"audit_log": []
}
}idstringOpaque export id, prefixed exp_.
objectstringAlways data_export.
project_idstringThe owning project.
created_atstringRFC 3339 creation timestamp.
statusstringAlways completed.
formatstringAlways json.
dataobjectThe exported bundle: project, billing account, usage events, artifacts, sessions, provider and subscription credentials, regional policy, retention profile, and audit log.
Retrieve a data export
GET /v2/data-exports/{export_id}
export_idstringpathrequiredThe exp_... id to fetch.
curl https://api.zumik.ai/v2/data-exports/exp_01jy7nst01u3v4w5x6y7z8a9b2 \
-H "Authorization: Bearer $ZUMIK_API_KEY"Returns the same stored export object.
Create a deletion request
POST /v2/deletion-requests
Erases the project's retained data, bumps the namespace generation, and returns a signed receipt. No request body. Billing records are intentionally kept.
curl -X POST https://api.zumik.ai/v2/deletion-requests \
-H "Authorization: Bearer $ZUMIK_API_KEY"{
"id": "del_01jy7ntu12v4w5x6y7z8a9b0c3",
"object": "deletion_request",
"project_id": "prj_01jy7n0a4c8m2t6v9q3wrxk7bd",
"requested_at": "2026-06-15T16:46:40Z",
"completed_at": "2026-06-15T16:46:40Z",
"status": "completed",
"erased": {
"artifacts": 12,
"sessions": 3,
"usage_events": 124,
"namespace_generation": 4
},
"retained": {
"billing_records": "retained for the legally-required tax period"
},
"guarantee": "verified_namespace_invalidation",
"receipt_digest": "sig_a18f...9c"
}idstringOpaque deletion-request id, prefixed del_.
objectstringAlways deletion_request.
project_idstringThe owning project.
requested_atstringRFC 3339 request timestamp.
completed_atstringRFC 3339 completion timestamp.
statusstringAlways completed.
erasedobjectCounts of what was erased, plus the new namespace_generation.
retainedobjectRecords kept for legal or tax compliance, with the basis.
guaranteestringAlways verified_namespace_invalidation.
receipt_digeststringA SHA-256 receipt digest, prefixed sig_. Recompute it to confirm integrity.
Retrieve a deletion request
GET /v2/deletion-requests/{deletion_id}
deletion_idstringpathrequiredThe del_... id to fetch.
curl https://api.zumik.ai/v2/deletion-requests/del_01jy7ntu12v4w5x6y7z8a9b0c3 \
-H "Authorization: Bearer $ZUMIK_API_KEY"Returns the same stored deletion request.
Errors
| Status | Code | When |
|---|---|---|
| 401 | invalid_api_key | Missing or invalid API key. |
| 404 | invalid_request_error | The export or deletion request does not exist in this project. |
See the full table on errors.
Compliance
Read the machine-readable sub-processor list and read or update per-project privacy preferences. One source of truth behind the published legal pages.
BYOC clusters
Register, list, retrieve, heartbeat, and deregister bring-your-own-cloud clusters. The control plane records your data planes; it never holds GPUs.