General Data Protection Regulation (GDPR)

As part of compliance with GDPR and CCPA regulations, users need to be able to request the information that has been collected about them. OpenWeb enables you to provide this information in response to a user's request.


Required items

Item: Locating the value

  • OpenWeb Spot ID (Required only for user data exports):
      1. Log into your Admin Dashboard.
      2. Copy your Spot ID from the URL: https://admin.spot.im/spot/{SPOT_ID}/...
  • Export token (Required only for user data exports):
      1. From your OpenWeb Admin Dashboard, click Settings.
      2. Under Authentication Tokens, copy the export token.
  • SSO access token: Request this from your OpenWeb PSM.


Export user data

  1. Make a GET /v1/user/{primary_key} call which includes your SSO access token in the request header. The primary_key is the unique user ID generated by your backend user management system. Making this call enables you to obtain the user's OpenWeb user ID.

    This must be a backend-to-backend call to maintain the security of your access token.
GET https://www.spot.im/api/sso/v1/user/{primary_key}
Header: x-spotim-sso-access-token: ACCESS_TOKEN

Within the API response, user.spotim_user_id is the OpenWeb user ID.

{
    "success": true,
    "user": {
        "primary_key": "PKEY",
        "spotim_user_id": "string",
        "user_name": "string",
        "display_name": "string",
        "image_url": string,
        "email": string,
        "email_verified": boolean,
        "livefyre_user_id": string,
        "settings": {
            "notifications": {
                "email": {
                    "liked_your_message": integer,
                    "user_mentioned": integer,
                    "replied_to_message": integer
                }
            }
        }
    }
}

  2. Make a POST /gdpr/export call with your Spot ID, export token, and OpenWeb user ID.
POST https://open-api.spot.im/gdpr/export

{ 
    "access_token": "1234567890",  
    "spot_id": "sp_123",  
    "user_id": "u_123"
}

The POST call returns the export ID.



Get GDPR user data export status

  1. Follow the steps in the Export user data section to obtain the OpenWeb user ID and export ID.
  2. Make a GET /gdpr/export/status/{ID}?access_token={TOKEN}&spot_id={SPOT_ID} request. Be sure to replace the following placeholders:

    {ID}: Replace with the OpenWeb user ID
    {SPOT_ID}: Replace with your Spot ID
    {TOKEN}: Replace with the export token.
GET https://open-api.spot.im/gdpr/export/status/{ID}?access_token={TOKEN}&spot_id={SPOT_ID}

The GET call returns the status.

{
   "status": "pending"
}
{
   "status": "completed",
   "link": "{download_link}"
}
{
   "status": "failed"
}

When the export completes ("status":"completed"), the response includes a link to a .zip file with the user's data. The .zip file includes the following JSON files:

  • credentials.json: All tokens, devices, and roles of the user
  • dislikes.json: Single array of all disliked comments by the user
  • likes.json: Single array of all liked comments by the user
  • message.json: All of the user's message metadata
  • profile.json: User's profile metadata
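
The export and status calls above, sketched as a backend-side client. This is an added example, not OpenWeb's code. The function names, the injectable `send` transport and the Content-Type header are assumptions; the POST response is returned as-is because this page names no fields for it. The status request carries the export token in its query string, so the URL is redacted before it can reach an error message or a log.

```python
import json
import urllib.parse
import urllib.request

SSO_USER = "https://www.spot.im/api/sso/v1/user/"
EXPORT = "https://open-api.spot.im/gdpr/export"

def http_send(req):
    """Default transport (run this server-side only): send and decode JSON."""
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def redact(url):
    """Mask the export token so a status URL can be written to logs."""
    parts = urllib.parse.urlsplit(url)
    query = [(k, "REDACTED" if k == "access_token" else v)
             for k, v in urllib.parse.parse_qsl(parts.query)]
    return urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(query)))

def openweb_user_id(primary_key, sso_token, send=http_send):
    """GET /v1/user/{primary_key}: map your user ID to user.spotim_user_id."""
    url = SSO_USER + urllib.parse.quote(primary_key, safe="")
    body = send(urllib.request.Request(
        url, headers={"x-spotim-sso-access-token": sso_token}))
    if not body.get("success"):
        raise RuntimeError("user lookup failed")
    return body["user"]["spotim_user_id"]

def request_export(spot_id, export_token, user_id, send=http_send):
    """POST /gdpr/export; the decoded response is returned as-is."""
    payload = {"access_token": export_token, "spot_id": spot_id, "user_id": user_id}
    return send(urllib.request.Request(
        EXPORT, data=json.dumps(payload).encode(), method="POST",
        headers={"Content-Type": "application/json"}))  # header is an assumption

def export_status(status_id, spot_id, export_token, send=http_send):
    """GET /gdpr/export/status/{ID}: return (status, link); link only if completed."""
    query = urllib.parse.urlencode({"access_token": export_token, "spot_id": spot_id})
    url = f"{EXPORT}/status/{urllib.parse.quote(status_id, safe='')}?{query}"
    body = send(urllib.request.Request(url))
    status = body.get("status")
    if status not in ("pending", "completed", "failed"):
        # Never echo the raw URL: its query string carries the export token.
        raise ValueError(f"unexpected status {status!r} from {redact(url)}")
    link = body.get("link") if status == "completed" else None
    return status, link
```

Pass the default `http_send` only from server-side code, and read both tokens from your secret store rather than from source.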


Delete user data

When requested by a user, you must delete the user’s OpenWeb account to remain compliant with GDPR and CCPA regulations.

  1. Make a GET /v1/user/{primary_key} call which includes your SSO access token in the request header. The primary_key is the unique user ID generated by your backend user management system. Making this call enables you to obtain the user's OpenWeb user ID.

    This must be a backend-to-backend call to maintain the security of your access token.
GET https://www.spot.im/api/sso/v1/user/{primary_key}
Header: x-spotim-sso-access-token: ACCESS_TOKEN

Within the API response, user.spotim_user_id is the OpenWeb user ID.

{
    "success": true,
    "user": {
        "primary_key": "PKEY",
        "spotim_user_id": "string",
        "user_name": "string",
        "display_name": "string",
        "image_url": string,
        "email": string,
        "email_verified": boolean,
        "livefyre_user_id": string,
        "settings": {
            "notifications": {
                "email": {
                    "liked_your_message": integer,
                    "user_mentioned": integer,
                    "replied_to_message": integer
                }
            }
        }
    }
}

  2. Make a DELETE /v1/user/{primary_key} call which includes your SSO access token in the request header.
DELETE https://www.spot.im/api/sso/v1/user/{primary_key}
Header: x-spotim-sso-access-token: ACCESS_TOKEN

Once the user has been deleted, comments by the deleted user remain and are linked to a random guest user.


