Privacy
GDPR / ePrivacy consent state per user. SDK consent gate buffers events until granted.
Features
- **Per-purpose consent state** — analytics / marketing / functional / etc. tracked per-user (or per email / phone / userId), per-purpose, immutable retention. Every grant + revoke also writes an `events` row so analytics can plot consent rates over time.
- **Real send-time enforcement on Email** — broadcast + workflow categories check the most-recent `marketing` row at dispatch. No record OR revoked → `email_sends` row with `status='failed' provider='suppressed' suppressed_reason='no_consent'`. Toggle in `/dashboard/consent`. Transactional / auth / ticket bypass — platform-critical.
- **Push + SMS enforcement** — same posture, shipping next release. Phone column + 3 partial indexes (`org_id, {email,user_id,phone}, purpose, created_at DESC`) already landed in migration 0057.
- **Art. 15 DSAR export** — one POST returns a JSON bundle across 7 tables: `events`, `profiles`, `push_tokens`, `email_sends`, `sms_sends`, `support_tickets`, `auth_service_users`. Enumerated in `gdpr/routes.ts` — auditable in source.
- **Art. 17 erasure** — one POST hard-deletes the same 7 tables. Requires ADMIN role + recent-passkey-UV step-up (Touch ID / passkey within 5 min) + the literal string `confirm="DELETE"` in the body. Audit log records actor + table + row count for regulator export.
- **Data residency** — EU or US tenancy at sign-up; data stays in-region. Backups respect the boundary.
- **Auditor-ready posture** — consent ledger + DSAR runbook + audit log all exportable. Per-action audit log records actor + IP-hash + timestamp + intent for every privileged operation.
- **First-class SDK helpers** — `consent.record({ purpose, granted, email?, phone?, userId?, source? })` + `consent.requestDeletion()` on RN 0.18.3+ and Web 2.17.0+. Cookie-banner integrations ship in one call.
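The send-time rule from the Email enforcement bullet above, as an added example that is not Sendora's own code. The ledger row shape, the function names `latestConsent` and `decideSend`, and the fail-closed handling of unlisted categories are assumptions; only the suppression field values come from this page.

```javascript
// Added illustration, not Sendora's implementation. Ledger row shape and
// function names are assumptions; suppression fields are quoted from the page.
const BYPASS = new Set(["transactional", "auth", "ticket"]); // platform-critical

// Constructed sample ledger: append-only, one row per grant or revoke.
const SAMPLE_LEDGER = [
  { email: "alice@example.com", purpose: "marketing", granted: true, createdAt: "2026-01-10T09:00:00Z" },
  { email: "alice@example.com", purpose: "marketing", granted: false, createdAt: "2026-03-02T14:30:00Z" },
  { email: "bob@example.com", purpose: "analytics", granted: true, createdAt: "2026-02-01T08:00:00Z" },
  { email: "carol@example.com", purpose: "marketing", granted: false, createdAt: "2026-01-05T10:00:00Z" },
  { email: "carol@example.com", purpose: "marketing", granted: true, createdAt: "2026-02-20T16:45:00Z" },
];

// Newest row for (email, purpose) wins; earlier grants never outlive a revoke.
function latestConsent(ledger, email, purpose) {
  let latest = null;
  for (const row of ledger) {
    if (row.email !== email || row.purpose !== purpose) continue;
    // >= so that, on equal timestamps, the row appended later is used.
    if (!latest || Date.parse(row.createdAt) >= Date.parse(latest.createdAt)) latest = row;
  }
  return latest;
}

// Decide at dispatch. Assumption: any category outside BYPASS is gated,
// so an unrecognised category fails closed rather than sending.
function decideSend(ledger, { email, category }) {
  if (BYPASS.has(category)) return { send: true, checked: false };
  const row = latestConsent(ledger, email, "marketing");
  if (row && row.granted === true) return { send: true, checked: true };
  // No record OR most recent row is a revoke: write the suppressed send row.
  return {
    send: false,
    checked: true,
    emailSendsRow: { status: "failed", provider: "suppressed", suppressed_reason: "no_consent" },
  };
}

for (const [email, category] of [
  ["alice@example.com", "broadcast"], // granted, then revoked
  ["bob@example.com", "workflow"], // analytics consent only
  ["carol@example.com", "broadcast"], // revoked, then re-granted
  ["dave@example.com", "broadcast"], // no ledger row at all
  ["alice@example.com", "auth"], // bypass category
]) {
  console.log(email, category, JSON.stringify(decideSend(SAMPLE_LEDGER, { email, category })));
}
```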
Common use cases
- Replace OneTrust ($3,680+/mo enterprise tier) for consent ledger + DSAR — keep enterprise tier only if you also need vendor-risk / third-party-risk modules.
- Replace Osano ($199-1,000+/mo) — same posture, plus consent enforcement happens inside Sendora's senders instead of via per-vendor connectors.
- Keep Cookiebot (or any banner-only vendor) for the cookie UI — wire it to Sendora's `consent.record()` for the enforcement + DSAR side.
- GDPR / CCPA / DPF compliance baked into the platform — auditor sees a single ledger, runbook, audit log, no per-vendor stitching.
- Enterprise DPA: auditor sees consent ledger + residency + DSAR endpoints + step-up posture out of the box. No "we'll wire it later" claims.
Consent
Record a consent decision
FREE
Call from a cookie-banner accept / reject handler. Sendora persists the decision per user × purpose with timestamp + IP hash for audit.

```js
await sendora.consent.record({
  purpose: "analytics",
  granted: true,
  policyVersion: "2026-04-15",
});
```

Submit a GDPR / CCPA deletion request
FREE
Customer-initiated right-to-erasure. Sendora queues + processes asynchronously; the deletion-requests dashboard shows status.

```js
await sendora.consent.requestDeletion({
  email: "alice@example.com",
  reason: "Account closed",
});
```

Audit consent records
STARTER+
Server-side: pull every consent record for compliance reporting. Filter by purpose, granted state, or date range.

```bash
curl "https://api.sendoracloud.com/api/v1/orgs/<ORG_ID>/consent/records?purpose=analytics&granted=true" \
  -H "x-api-key: pk_prod_…"
```