API Integration

Trigger GDPR deletion requests programmatically, monitor delivery, and receive webhook events — secure and simple.

Base URL: https://supacheap.eu • JSON over HTTPS

Quickstart

Get your API key from the dashboard.
Send a dry run to validate access and payload.
Send the real request (or queue via provider fallback).

Authentication: include your api_key in the JSON body. Rate limit: 10 requests/min per key.

Endpoint: Send deletion request

POST /api/user/remove

{
  "api_key": "YOUR_API_KEY",
  "broker": "CoreLogic",
  "dry_run": true
}

Use dry_run=true to test without sending email. If the broker requires a form, the API responds with type "form" and a removal_form_url.

Examples (curl)

curl -sS -L https://supacheap.eu/api/user/remove \
  -H 'Content-Type: application/json' \
  -d '{"api_key":"<KEY>","broker":"CoreLogic","dry_run":true}'

curl -sS -L https://supacheap.eu/api/user/remove \
  -H 'Content-Type: application/json' \
  -d '{"api_key":"<KEY>","broker":"CoreLogic"}'

Response (dry run)

{
  "ok": true,
  "dry_run": true,
  "broker": "CoreLogic",
  "signature": "user_remove providers v1"
}

Response (sent via Mailjet)

{
  "ok": true,
  "sent_via": "mailjet",
  "to": "privacy@corelogic.com",
  "provider_status_code": 200,
  "provider_message_id": "288230407927261671",
  "broker": "CoreLogic"
}

Response (queued fallback)

{
  "ok": true,
  "queued": true,
  "queue_id": "7844f711-a12c-40c5-a215-4b1aa55ea57e",
  "to": "privacy@corelogic.com",
  "broker": "CoreLogic"
}

Response (form required)

{
  "ok": true,
  "type": "form",
  "info": "Dieser Broker verlangt ein Online-Formular.",
  "removal_form_url": "https://broker.example.com/remove"
}

Errors

{
  "ok": false,
  "error": "Broker nicht erlaubt"
}

Other errors include: Ungültiger Account, Account inaktiv, Account abgelaufen, Broker nicht gefunden.

Optional personal data fields

To improve verification at some brokers, you can include optional fields. These are inserted into the deletion email body; full message contents are not stored long-term.

{
  "api_key": "<KEY>",
  "broker": "CoreLogic",
  "personal_data": {
    "full_name": "Jane Doe",
    "address": "Street 1, 12345 City, DE",
    "phone": "+49 170 000000",
    "country": "DE",
    "birth_date": "1990-01-01"
  }
}

If omitted, the system falls back to the user profile data you provided during account setup (if available) or includes only your email.

Health Check

GET /api/health/email

{
  "env_key_present": true,
  "env_secret_present": true,
  "mailjet_available": true,
  "sender_present": true,
  "use_mailjet": true
}

Webhook (Mail events)

Configure your provider to POST events to: /api/webhooks/mailjet?token=<WEBHOOK_TOKEN>

[
  {
    "event": "sent",
    "email": "privacy@corelogic.com",
    "MessageID": 999,
    "MessageUUID": "uuid-999",
    "Subject": "Deletion request"
  }
]

Your token is configured server-side in MAILJET_WEBHOOK_TOKEN. The backend stores event metadata in mail_events for delivery audits.

Security

TLS only, JSON only. Principle of least privilege.
No permanent storage of email bodies — only minimal metadata (recipient, subject, provider IDs, status) for up to 180 days.
Reply-To is set to the user’s email; confirmations go directly to the user.