Governance

Privacy Export and Erase Requests

Handle SophMate-related privacy export and erase requests with scoped evidence, retention awareness, redaction, audit review, and owner approval.

Request intake

Privacy export and erase requests should have a named owner, verified requester identity, scope, deadline, and evidence trail. Separate ordinary support requests from privacy operations so operators do not expose or delete data casually.

SophMate evidence

Review prompts, audit events, support bundles, contact records, diagnostics, newsletter data, and any workflow artifacts that may relate to the requester. Use the public privacy policy for website-facing expectations, and diagnostics and support for support-safe evidence handling.

Completion review

Before closing the request, record what was exported, erased, retained for legitimate operational reasons, or redacted. The privacy compliance use case explains how privacy admins should own this process.

Owner and cadence

  • Primary owner: account owner, agency lead, privacy owner, or operations lead depending on risk area.
  • Review cadence: monthly, after incidents, after staff changes, and before client or stakeholder reporting.
  • Escalate when requester identity, scope, deadline, retained data, redaction, or legal basis for retention is unclear.

Production checklist

  • Verify requester identity, request scope, deadline, owner, evidence sources, and retention exceptions before exporting or erasing data.
  • Review prompts, audit events, support bundles, diagnostics, contact records, newsletter data, and workflow artifacts for relevant requester context.
  • Assign owners for approval policy, audit review, retention, privacy handling, backup validation, and support escalation.
  • Keep governance decisions visible in onboarding notes so agencies, developers, support leads, and store owners do not invent separate rules.

Acceptance checks

  • The completed request records what was exported, erased, retained, or redacted and why.
  • Privacy operations are handled by the assigned owner instead of ordinary support triage.
  • A reviewer can identify the accountable owner for customer, commerce, theme, privacy, and provider decisions.
  • The team has a repeatable monthly review for budgets, audit events, permissions, retention, and unresolved incidents.

Common mistakes

  • Treating privacy requests as ordinary support tickets and losing the audit trail for export, erase, retention, or redaction decisions.
  • Treating governance as a one-time setup task instead of a recurring review of roles, budgets, approvals, retention, and audit records.
  • Sharing diagnostics, screenshots, or client reports before removing secrets and unrelated private data.
