Under GDPR, VeloConnect is a data processor — you, the customer, are the data controller. The platform gives admins the buttons to honor a subject’s rights; the legal responsibility for deciding whether and how to respond stays with you.
Right to Erasure (the “Right to be Forgotten”)
When a contact asks you to delete their data, the workflow is one click:
- Open the contact’s profile.
- Use the Actions menu → Delete contact.
- Confirm.
Deletion removes the contact and all of their communication history — every message on every channel (WhatsApp, SMS, Viber, Telegram, email, Messenger, Instagram), every call recording, every call log, every note, every custom field value. It’s irreversible.
The audit log keeps a record of the deletion event — who did it, when — but not the deleted content itself. That’s by design: you can prove the deletion happened without re-creating the data you just removed.
Before you click delete, verify the request actually came from the contact. The cleanest check is to reply on the channel they originally used to opt in and confirm there. Impersonated deletion requests are a real attack pattern.
Right to Data Portability
When a contact asks for a copy of their data:
- Open the contact’s profile.
- Actions → Export contact data.
- Pick a format — JSON or CSV.
The export covers every field on the contact (built-in and custom), every message on every channel, every call record, every note, every timeline event, and the channel-by-channel opt-in / opt-out flags. It lands in the requesting admin’s email inbox within a few minutes.
This same export also serves a Right to Access request — just forward it to the contact with a short covering letter.
Other rights you can serve manually today
- Right to Rectification — edit the contact’s fields directly on their profile.
- Right to Object / withdraw consent — flip the channel opt-in flag to opted-out. The contact stays in your system (so you remember not to contact them again), but no outbound goes to that channel.
What’s coming in a future release
V2 will move several of these workflows from manual to automated:
- In-app consent register, channel by channel.
- Configurable retention policies — e.g. “delete WhatsApp conversations older than 12 months”.
- Data residency controls (EU-only storage).
- DPA and sub-processor disclosures, surfaced inside the admin UI.
- Automated deletion workflows that fire on a schedule or in response to subject requests submitted through a self-serve form.
- A per-tenant GDPR dashboard summarizing all of the above.
Until V2, the manual buttons described here are the supported path.