LGPD
Data removal, consent log, and deletion requests
Auth required (Clerk Bearer). Jatobá's LGPD model: consent is recorded on every ingestion, deletion removes the stored bytes but preserves the SHA-256 (a hash alone cannot reconstruct content) so previously issued proofs remain verifiable.
DELETE /api/lgpd/documents/:id
Self-service immediate deletion (LGPD Art. 18, VI). The R2 object is deleted, the DB record is soft-deleted, and a withdrawn entry is written to the consent log. For IPFS imports the bytes can't be un-pinned from public networks — the obligation is met by removing the platform's reference. In an organization, deleting a team document requires admin+; personal documents are always deletable by their owner.
200
{
"documentId": "abc123xyz",
"serialNumber": "JAT-7K2M9",
"sha256": "a1b2c3...",
"deletedAt": "2026-05-02T10:00:00.000Z",
"message": "Document deleted. SHA-256 hash preserved for integrity verification..."
}410 already deleted · 403 insufficient org role.
POST /api/lgpd/removal-request
Formal, reviewable removal request (response within 15 business days per LGPD Art. 18). Use the DELETE endpoint above for immediate removal.
| Body field | Type | Description |
|---|---|---|
documentId | string (required) | Document to remove |
reason | string | Optional justification |
201 { "requestId", "documentId", "status": "pending", "message" } · 409 a pending request already exists.
GET /api/lgpd/removal-requests
Lists your removal requests with status (pending / approved / rejected), reviewedAt, and reviewerNote.
GET /api/lgpd/consent-log
Your consent audit trail (LGPD Art. 18, II). Each entry: action (given / withdrawn / re-given), documentId, ip, userAgent, createdAt.