GDPR & CCPA Compliance
In addition to HIPAA, Vantrexia implements data subject rights required by the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). These rights — including data portability, erasure, access, and consent management — are enforced through a dedicated privacy API built into the authentication app.
When GDPR/CCPA erasure requests conflict with HIPAA record retention requirements, HIPAA takes precedence. Medical records required for treatment, payment, or healthcare operations are retained for a minimum of 6 years, matching the HIPAA documentation retention period in 45 CFR §164.530(j) (state medical-record retention laws may require longer). The system enforces this automatically: erasure requests for data within the HIPAA retention window result in suppression (access restriction), not deletion.
Data Export (Right of Access / Portability)
Data subjects can request a complete export of all personal data Vantrexia holds about them. Exports include patient demographics, observation history, billing records, consent records, and audit trail entries. The export system supports both GDPR Article 20 (data portability) and CCPA §1798.100 (right to know).
Export Formats
| Format | Content | Use Case |
|---|---|---|
| JSON | Structured export with nested objects for patients, observations, billing, consents | Machine-readable portability — import into another system |
| CSV | Flat tabular export with separate files per data category | Human-readable review — open in Excel, Google Sheets |
Export API
```
POST /api/v1/auth/privacy/export/
Authorization: Bearer <access_token>
Content-Type: application/json

{
  "format": "json",              // "json" or "csv"
  "categories": [                // Optional — omit for all data
    "demographics",
    "observations",
    "billing",
    "consents",
    "audit_trail"
  ]
}

// Response: 202 Accepted
{
  "request_id": "exp_a1b2c3d4",
  "status": "processing",
  "estimated_completion": "2026-02-06T15:30:00Z",
  "download_url": null           // Populated when ready
}
```
7-day expiry: Export download links expire 7 days after generation. After expiry, the exported file is permanently deleted from S3 storage.
Encryption: Exported files are AES-256 encrypted at rest on S3 and delivered over TLS. The download URL is a time-limited signed URL. Because a signed URL is a bearer credential, anyone who obtains it before expiry can download the file; treat it as a secret and keep it out of logs, support tickets, and chat.
Audit logging: Every export request is recorded in the audit log with the requesting user, categories requested, format, and file size.
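How a time-limited signed download URL works, and why it is a bearer credential, as an added example (not Vantrexia's code; in production an S3 presigned URL does this job). The signing key, the query parameter names exp and sig, and the path layout are assumptions; the 7-day lifetime is the page's figure.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed key for the example only; a real deployment uses a managed secret.
SIGNING_KEY = b"example-signing-key-not-for-production"
BASE_URL = "https://exports.vantrexia.com"
LINK_TTL_SECONDS = 7 * 24 * 3600   # the page's 7-day expiry


def _signature(path: str, expires: int) -> str:
    # Sign the path and the expiry together so neither can be altered alone.
    msg = f"{path}\n{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def sign_download_url(request_id: str, fmt: str, now: int) -> str:
    """Issue a link valid for LINK_TTL_SECONDS from `now` (Unix seconds)."""
    expires = now + LINK_TTL_SECONDS
    path = f"/{request_id}.{fmt}"
    query = urlencode({"exp": expires, "sig": _signature(path, expires)})
    return f"{BASE_URL}{path}?{query}"


def verify_download_url(url: str, now: int) -> tuple[bool, str]:
    """Return (ok, reason). Nothing here identifies WHO presents the URL:
    the link is a bearer credential, which is why it must be kept secret."""
    parsed = urlparse(url)
    qs = parse_qs(parsed.query)
    try:
        expires = int(qs["exp"][0])
        sig = qs["sig"][0]
    except (KeyError, ValueError):
        return False, "missing or malformed exp/sig"
    if now >= expires:
        return False, "expired"
    expected = _signature(parsed.path, expires)
    # Constant-time compare; a plain == leaks timing about the signature.
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    now = int(time.time())
    url = sign_download_url("exp_a1b2c3d4", "json", now)
    print(url)
    print(verify_download_url(url, now))                                      # valid
    print(verify_download_url(url, now + LINK_TTL_SECONDS))                   # expired
    print(verify_download_url(url.replace("exp_a1b2c3d4", "exp_deadbeef"), now))  # tampered
```

Changing the request_id in the path or extending the exp value both invalidate the signature, and an elapsed exp is rejected before the signature is even checked. The verifier deliberately has no notion of the caller: that is the property the "cannot be shared" wording in older drafts got wrong.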
Checking Export Status
```
GET /api/v1/auth/privacy/export/exp_a1b2c3d4/
Authorization: Bearer <access_token>

// Response: 200 OK
{
  "request_id": "exp_a1b2c3d4",
  "status": "completed",
  "format": "json",
  "file_size_bytes": 245890,
  "created_at": "2026-02-06T15:00:00Z",
  "expires_at": "2026-02-13T15:00:00Z",
  "download_url": "https://exports.vantrexia.com/exp_a1b2c3d4.json?sig=..."
}
```
Data Erasure (Right to Be Forgotten)
Vantrexia implements data erasure using a suppression model that respects HIPAA retention requirements while honoring GDPR Article 17 and CCPA §1798.105 deletion rights.
Erasure Flow
```
Erasure Request Flow:

┌──────────────────┐     ┌──────────────────┐     ┌──────────────────┐
│  User Submits    │────▶│  30-Day Grace    │────▶│  HIPAA Retention │
│  Deletion Request│     │  Period Starts   │     │  Check           │
└──────────────────┘     └──────────────────┘     └────────┬─────────┘
                                                           │
                                           ┌───────────────┴───────────────┐
                                           ▼                               ▼
                                 ┌──────────────────┐            ┌──────────────────┐
                                 │  Within 6-Year   │            │  Beyond 6-Year   │
                                 │  HIPAA Window    │            │  Retention       │
                                 │                  │            │                  │
                                 │  → SUPPRESS      │            │  → HARD DELETE   │
                                 │  → Restrict      │            │  → Remove all    │
                                 │    access        │            │    records       │
                                 │  → Mark inactive │            │  → Purge backups │
                                 │  → Retain data   │            │  → Confirm       │
                                 └──────────────────┘            └──────────────────┘
```
Suppression vs. Deletion
| Scenario | Action | What Happens |
|---|---|---|
| Data within 6-year HIPAA retention window | Suppression | Patient record is marked as suppressed. Data is retained in encrypted storage but access is restricted to compliance administrators only. The record is excluded from all search results, dashboards, reports, and API responses. After the HIPAA retention period expires, the record is automatically hard-deleted. |
| Data beyond 6-year retention window | Hard Delete | All personal data is permanently removed from the database, cache, search indices, and backup systems. Audit log entries are pseudonymized (user reference replaced with a hash) but retained for compliance documentation. An unkeyed hash of a user ID or e-mail address can be reversed by hashing every candidate identifier, so the replacement must be a keyed hash (HMAC) whose key can later be destroyed, or a random token, for the entry to stop identifying the user. |
| Request cancelled during grace period | Cancellation | The erasure request is cancelled, and the record returns to normal active status. No data is modified or deleted. |
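The retention check and the audit-log step from the table, as an added example (not Vantrexia's code). plan_erasure derives the fields the deletion API returns (hipaa_override, effective_action, grace_period_ends) from the request time and the date of the last treatment, payment, or operations record, using the page's 30-day grace period and 6-year window; the pseudonymization functions show why the hash that replaces a user reference must be keyed. The function names, measuring the six years from the last such record, and deciding the action against the end of the grace period are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

GRACE_PERIOD = timedelta(days=30)     # the page's 30-day grace period
HIPAA_RETENTION_YEARS = 6             # the page's 6-year window


@dataclass(frozen=True)
class ErasurePlan:
    hipaa_override: bool          # mirrors the deletion API response field
    effective_action: str         # "suppression" or "deletion"
    grace_period_ends: datetime
    retention_ends: datetime      # when a suppressed record becomes eligible for hard delete


def retention_end(last_phi_activity: datetime) -> datetime:
    """Six years after the last treatment/payment/operations record.
    Assumption: the clock runs from that record, not from account creation."""
    target_year = last_phi_activity.year + HIPAA_RETENTION_YEARS
    try:
        return last_phi_activity.replace(year=target_year)
    except ValueError:            # 29 February with no leap day in the target year
        return last_phi_activity.replace(year=target_year, day=28)


def plan_erasure(requested_at: datetime, last_phi_activity: datetime) -> ErasurePlan:
    grace_end = requested_at + GRACE_PERIOD
    ret_end = retention_end(last_phi_activity)
    # Decide against the END of the grace period: if the retention window is
    # still open when the request becomes actionable, it is a suppression.
    within_window = ret_end > grace_end
    return ErasurePlan(
        hipaa_override=within_window,
        effective_action="suppression" if within_window else "deletion",
        grace_period_ends=grace_end,
        retention_ends=ret_end,
    )


# --- Audit-log pseudonymization on hard delete -------------------------------
# The page replaces the user reference with "a hash". Whether that hides the
# user depends on the hash: an unkeyed digest of a low-entropy identifier is
# reversed by trying every candidate; a keyed digest (HMAC) is not.

def unkeyed_pseudonym(user_id: int) -> str:
    return hashlib.sha256(str(user_id).encode()).hexdigest()


def keyed_pseudonym(user_id: int, key: bytes) -> str:
    # Same identifier always maps to the same token (audit entries stay
    # correlatable); destroying `key` later makes the mapping unrecoverable.
    return hmac.new(key, str(user_id).encode(), hashlib.sha256).hexdigest()


def reverse_by_enumeration(pseudonym: str, max_id: int) -> Optional[int]:
    """What someone holding the log does against a hash of a sequential ID."""
    for candidate in range(1, max_id + 1):
        if unkeyed_pseudonym(candidate) == pseudonym:
            return candidate
    return None


if __name__ == "__main__":
    requested = datetime(2026, 2, 6, 15, 0, tzinfo=timezone.utc)
    print(plan_erasure(requested, datetime(2024, 11, 3, tzinfo=timezone.utc)))  # suppression
    print(plan_erasure(requested, datetime(2019, 6, 1, tzinfo=timezone.utc)))   # deletion
    key = secrets.token_bytes(32)      # constructed per-deployment key
    print(reverse_by_enumeration(unkeyed_pseudonym(4242), 10_000))              # 4242 recovered
    print(reverse_by_enumeration(keyed_pseudonym(4242, key), 10_000))           # None
```

A request whose retention window closes exactly at the end of the grace period falls on the deletion side, so the boundary is worth a test in any real implementation. The enumeration attack runs in milliseconds for any realistic user-ID range, which is the concrete reason the table row above insists on a keyed hash.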
Erasure API
```
POST /api/v1/auth/privacy/deletion/
Authorization: Bearer <access_token>
Content-Type: application/json

{
  "reason": "User requested account deletion",   // Required
  "scope": "all_data",                            // "all_data" or "specific_categories"
  "categories": [],                               // If scope is "specific_categories"
  "confirm": true                                 // Must be true to proceed
}

// Response: 202 Accepted
{
  "request_id": "del_x9y8z7w6",
  "status": "pending_grace_period",
  "grace_period_ends": "2026-03-08T15:00:00Z",    // 30 days from now
  "hipaa_override": true,                         // Data within HIPAA retention
  "effective_action": "suppression",              // "suppression" or "deletion"
  "cancel_url": "/api/v1/auth/privacy/deletion/del_x9y8z7w6/cancel/"
}
```
Cancelling an Erasure Request
```
POST /api/v1/auth/privacy/deletion/del_x9y8z7w6/cancel/
Authorization: Bearer <access_token>

// Response: 200 OK
{
  "request_id": "del_x9y8z7w6",
  "status": "cancelled",
  "cancelled_at": "2026-02-10T09:00:00Z"
}
```
Cookie Consent Management
Vantrexia implements a granular cookie consent system that supports GDPR Article 7 (conditions for consent) and the ePrivacy Directive. Strictly necessary cookies are always on; users can opt in to or out of the three optional categories independently.
Cookie Categories
| Category | Required | Default | Examples |
|---|---|---|---|
| Strictly Necessary | Yes | Always On | Session cookie, CSRF token, authentication state. Cannot be disabled — required for platform operation. |
| Functional | No | Opt-in | Theme preference (light/dark), language selection, dashboard layout customization. |
| Analytics | No | Opt-in | Page view tracking, feature usage metrics, error reporting. All analytics are first-party only — no third-party trackers. |
| Marketing | No | Opt-in | Product update emails, feature announcements, satisfaction surveys. No third-party advertising cookies are used. |
Cookie Consent API
```
// Get current cookie preferences
GET /api/v1/auth/privacy/cookies/
Authorization: Bearer <access_token>

// Response: 200 OK
{
  "consent_id": "cns_m3n4o5p6",
  "preferences": {
    "strictly_necessary": true,    // Always true, cannot be changed
    "functional": false,
    "analytics": false,
    "marketing": false
  },
  "consented_at": "2026-01-15T10:00:00Z",
  "ip_address": "203.0.113.42",
  "user_agent": "Mozilla/5.0 ..."
}

// Update cookie preferences
PUT /api/v1/auth/privacy/cookies/
Authorization: Bearer <access_token>
Content-Type: application/json

{
  "functional": true,
  "analytics": true,
  "marketing": false
}

// Response: 200 OK
{
  "consent_id": "cns_q7r8s9t0",    // New consent record created
  "preferences": {
    "strictly_necessary": true,
    "functional": true,
    "analytics": true,
    "marketing": false
  },
  "consented_at": "2026-02-06T15:00:00Z"
}
```
Every time a user updates their cookie preferences, a new ConsentRecord is created — the previous record is never modified. This creates a complete audit trail of consent changes over time, documenting when consent was given, modified, or withdrawn. This satisfies GDPR Article 7(1) which requires the controller to be able to demonstrate that the data subject consented.
Privacy Policy Versioning
Vantrexia tracks privacy policy versions and requires users to re-consent when the policy is materially updated. This ensures ongoing compliance with GDPR Article 13 (information to be provided) and CCPA §1798.100 (notice at collection).
| Field | Description |
|---|---|
| version | Semantic version of the privacy policy (e.g., 2.1.0) |
| effective_date | Date the policy version became effective |
| summary_of_changes | Human-readable summary of what changed from the previous version |
| requires_reconsent | Boolean — whether users must accept the new version to continue using the platform |
| consent_deadline | Date by which users must accept the new version (typically 30 days after publication) |
When a new policy version with requires_reconsent: true is published, the frontend displays a modal prompting the user to review and accept the updated policy. API requests from users who have not consented to the latest required version receive a 403 Forbidden response with details about the pending consent requirement.
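One way to implement the two consent mechanisms described above (the append-only ConsentRecord trail for cookie preferences, and the re-consent gate for privacy policy versions), as an added example rather than Vantrexia's own model or middleware. It assumes the privacy policy and consent endpoints are exempt from the 403 gate (the page does not say which paths are, but without an exemption a user could never reach the endpoint to accept), that accepting a later policy version satisfies an older requirement, and that categories omitted from a PUT default to opt-out; ConsentLedger, policy_gate and the other names are illustrative.

```python
import itertools
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

OPTIONAL_CATEGORIES = ("functional", "analytics", "marketing")
# Assumption: the consent and policy endpoints are exempt from the 403 gate,
# otherwise a user who must re-consent could never reach the endpoint to do so.
EXEMPT_PREFIXES = ("/api/v1/auth/privacy/policy/", "/api/v1/auth/privacy/consents/")
_ids = itertools.count(1)


@dataclass(frozen=True)               # frozen: a record is never modified
class ConsentRecord:
    id: str
    user_id: int
    type: str                         # "privacy_policy" | "cookie_preferences" | ...
    status: str                       # "accepted" | "withdrawn"
    consented_at: datetime
    version: Optional[str] = None
    preferences: Optional[dict] = None


@dataclass(frozen=True)
class PolicyVersion:
    version: str                      # semantic version, e.g. "2.1.0"
    requires_reconsent: bool


def _semver(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


class ConsentLedger:
    """Append-only store: every change is a new row, old rows are never touched."""

    def __init__(self) -> None:
        self._records: list = []

    def _append(self, **fields) -> ConsentRecord:
        rec = ConsentRecord(id=f"cns_{next(_ids):08x}", **fields)
        self._records.append(rec)
        return rec

    def history(self, user_id: int, type_: str) -> list:
        return [r for r in self._records if r.user_id == user_id and r.type == type_]

    def set_cookie_preferences(self, user_id: int, prefs: dict, at: datetime) -> ConsentRecord:
        if prefs.get("strictly_necessary") is False:
            raise ValueError("strictly_necessary cannot be disabled")
        unknown = set(prefs) - set(OPTIONAL_CATEGORIES) - {"strictly_necessary"}
        if unknown:
            raise ValueError(f"unknown cookie categories: {sorted(unknown)}")
        # Unspecified optional categories default to opt-out, never to the old value.
        full = {"strictly_necessary": True}
        full.update({c: bool(prefs.get(c, False)) for c in OPTIONAL_CATEGORIES})
        return self._append(user_id=user_id, type="cookie_preferences",
                            status="accepted", consented_at=at, preferences=full)

    def current_cookie_preferences(self, user_id: int) -> dict:
        recs = self.history(user_id, "cookie_preferences")
        if not recs:                  # no consent yet: only strictly necessary
            return {"strictly_necessary": True, **{c: False for c in OPTIONAL_CATEGORIES}}
        return max(recs, key=lambda r: r.consented_at).preferences

    def accept_policy(self, user_id: int, version: str, at: datetime) -> ConsentRecord:
        return self._append(user_id=user_id, type="privacy_policy",
                            status="accepted", consented_at=at, version=version)


def latest_required_policy(policies) -> Optional[PolicyVersion]:
    required = [p for p in policies if p.requires_reconsent]
    return max(required, key=lambda p: _semver(p.version)) if required else None


def policy_gate(ledger: ConsentLedger, user_id: int, path: str, policies) -> tuple:
    """Return (http_status, body). 200 lets the request through."""
    if path.startswith(EXEMPT_PREFIXES):
        return 200, None
    required = latest_required_policy(policies)
    if required is None:
        return 200, None
    accepted = [r.version for r in ledger.history(user_id, "privacy_policy")
                if r.status == "accepted"]
    # Accepting the required version or any later one satisfies the requirement.
    if any(_semver(v) >= _semver(required.version) for v in accepted):
        return 200, None
    return 403, {"error": "consent_required", "required_version": required.version,
                 "accept_via": "/api/v1/auth/privacy/consents/"}
```

Every PUT produces a new record with a fresh id, and the earlier record keeps the values it had, so the history answers "what had the user agreed to on a given date" without any update-in-place. The gate is evaluated per request, which means publishing a version with requires_reconsent: true cuts off non-exempt traffic for users who have not accepted it; the exemption list is the piece that keeps that from locking users out of the consent flow itself.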
Consent Tracking
All consent records are stored in the ConsentRecord model with full provenance data. This applies to privacy policy consent, cookie preferences, data processing agreements, and marketing communications.
```
// List all consent records for the authenticated user
GET /api/v1/auth/privacy/consents/
Authorization: Bearer <access_token>

// Response: 200 OK
{
  "count": 4,
  "results": [
    {
      "id": "cns_a1b2c3d4",
      "type": "privacy_policy",
      "version": "2.1.0",
      "status": "accepted",
      "consented_at": "2026-02-01T12:00:00Z",
      "ip_address": "203.0.113.42",
      "user_agent": "Mozilla/5.0 ...",
      "expires_at": null
    },
    {
      "id": "cns_e5f6g7h8",
      "type": "cookie_preferences",
      "version": null,
      "status": "accepted",
      "consented_at": "2026-02-01T12:01:00Z",
      "preferences": {
        "strictly_necessary": true,
        "functional": true,
        "analytics": false,
        "marketing": false
      }
    },
    {
      "id": "cns_i9j0k1l2",
      "type": "data_processing",
      "version": "1.0.0",
      "status": "accepted",
      "consented_at": "2026-01-15T10:00:00Z"
    },
    {
      "id": "cns_m3n4o5p6",
      "type": "marketing_communications",
      "version": null,
      "status": "withdrawn",
      "consented_at": "2026-01-15T10:00:00Z",
      "withdrawn_at": "2026-02-05T14:30:00Z"
    }
  ]
}
```
Privacy API Reference
The following table summarizes all privacy-related API endpoints available in Vantrexia:
| Method | Endpoint | Description | Auth Required |
|---|---|---|---|
| POST | /api/v1/auth/privacy/export/ | Request a data export (JSON or CSV) | Yes (any role) |
| GET | /api/v1/auth/privacy/export/{id}/ | Check export status and download link | Yes (own exports) |
| POST | /api/v1/auth/privacy/deletion/ | Request data erasure/suppression | Yes (any role) |
| GET | /api/v1/auth/privacy/deletion/{id}/ | Check erasure request status | Yes (own requests) |
| POST | /api/v1/auth/privacy/deletion/{id}/cancel/ | Cancel erasure during 30-day grace period | Yes (own requests) |
| GET | /api/v1/auth/privacy/cookies/ | Get current cookie consent preferences | Yes (any role) |
| PUT | /api/v1/auth/privacy/cookies/ | Update cookie consent preferences | Yes (any role) |
| GET | /api/v1/auth/privacy/consents/ | List all consent records for the user | Yes (own records) |
| POST | /api/v1/auth/privacy/consents/ | Record new consent (policy acceptance, etc.) | Yes (any role) |
| POST | /api/v1/auth/privacy/consents/{id}/withdraw/ | Withdraw a previously given consent | Yes (own records) |
| GET | /api/v1/auth/privacy/policy/ | Get current privacy policy version and text | No |
| GET | /api/v1/auth/privacy/policy/history/ | List all privacy policy versions with change summaries | No |
CCPA-Specific Provisions
In addition to the shared GDPR/CCPA mechanisms above, Vantrexia implements the following CCPA-specific requirements:
- Do Not Sell: Vantrexia does not sell personal information to third parties. A "Do Not Sell My Personal Information" link is available in the privacy settings for California residents, per §1798.120.
- Right to Know: The data export API fulfills the CCPA right to know what personal information is collected, the sources, the business purpose, and third parties with whom it is shared (§1798.100).
- Non-Discrimination: Users who exercise their privacy rights (export, deletion, opt-out) receive the same level of service and are not charged different prices (§1798.125).
- 12-Month Lookback: CCPA requires that a right-to-know response cover at least the 12 months preceding the request. Vantrexia's export returns all personal data held (see Data Export above), which satisfies this minimum as well as GDPR's unrestricted right of access.
- Verified Requests: Deletion and export requests require the user to be authenticated with a valid JWT token. For requests via customer support, identity verification follows the two-step verification process.
Vantrexia follows the Privacy by Design framework — privacy controls are built into the core architecture, not added as afterthoughts. The privacy API, consent tracking, and suppression model were designed alongside the clinical features, ensuring that data subject rights are first-class citizens in every data flow.