klaviyo-data-handling
Implement Klaviyo data privacy, GDPR/CCPA compliance, and PII handling patterns. Use when handling profile data, implementing right-to-deletion, configuring data retention, or ensuring compliance with privacy regulations. Trigger with phrases like "klaviyo data", "klaviyo PII", "klaviyo GDPR", "klaviyo data retention", "klaviyo privacy", "klaviyo CCPA", "klaviyo delete profile", "klaviyo data privacy".
Best use case
klaviyo-data-handling is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Implement Klaviyo data privacy, GDPR/CCPA compliance, and PII handling patterns. Use when handling profile data, implementing right-to-deletion, configuring data retention, or ensuring compliance with privacy regulations. Trigger with phrases like "klaviyo data", "klaviyo PII", "klaviyo GDPR", "klaviyo data retention", "klaviyo privacy", "klaviyo CCPA", "klaviyo delete profile", "klaviyo data privacy".
Teams using klaviyo-data-handling should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/klaviyo-data-handling/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How klaviyo-data-handling Compares
| Feature / Agent | klaviyo-data-handling | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Implement Klaviyo data privacy, GDPR/CCPA compliance, and PII handling patterns. Use when handling profile data, implementing right-to-deletion, configuring data retention, or ensuring compliance with privacy regulations. Trigger with phrases like "klaviyo data", "klaviyo PII", "klaviyo GDPR", "klaviyo data retention", "klaviyo privacy", "klaviyo CCPA", "klaviyo delete profile", "klaviyo data privacy".
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
Best AI Skills for Claude
Explore the best AI skills for Claude and Claude Code across coding, research, workflow automation, documentation, and agent operations.
ChatGPT vs Claude for Agent Skills
Compare ChatGPT and Claude for AI agent skills across coding, writing, research, and reusable workflow execution.
SKILL.md Source
# Klaviyo Data Handling
## Overview
Handle profile data, PII, and privacy compliance with Klaviyo's Data Privacy API, GDPR right-to-deletion, CCPA requests, and safe logging patterns.
## Prerequisites
- `klaviyo-api` SDK installed
- API key with `data-privacy:write` scope (for deletion requests)
- Understanding of GDPR/CCPA requirements
- Audit logging infrastructure
## Klaviyo Data Privacy API
Klaviyo provides a dedicated **Data Privacy API** for GDPR/CCPA profile deletion. When you delete a profile via this API, Klaviyo performs a full GDPR erasure -- the profile is permanently removed and cannot be recovered.
## Instructions
### Step 1: GDPR Profile Deletion (Right to Erasure)
```typescript
import { ApiKeySession, DataPrivacyApi } from 'klaviyo-api';
const session = new ApiKeySession(process.env.KLAVIYO_PRIVATE_KEY!);
const dataPrivacyApi = new DataPrivacyApi(session);
/**
* Request profile deletion via Klaviyo's Data Privacy API.
* Accepts ONE identifier: email, phone_number, or profile ID.
* Providing multiple identifiers returns an error.
*
* WARNING: This is irreversible. Profile is permanently erased.
*/
async function requestProfileDeletion(identifier: {
email?: string;
phoneNumber?: string;
profileId?: string;
}): Promise<void> {
// Build the profile identifier (only ONE allowed)
const profileData: any = { type: 'profile' };
if (identifier.email) {
profileData.attributes = { email: identifier.email };
} else if (identifier.phoneNumber) {
profileData.attributes = { phone_number: identifier.phoneNumber };
} else if (identifier.profileId) {
profileData.id = identifier.profileId;
} else {
throw new Error('Must provide exactly one identifier: email, phoneNumber, or profileId');
}
await dataPrivacyApi.requestProfileDeletion({
data: {
type: 'data-privacy-deletion-job',
attributes: {
profile: { data: profileData },
},
},
});
// Audit log (required for compliance)
await auditLog({
action: 'GDPR_DELETION_REQUESTED',
identifier: identifier.email || identifier.phoneNumber || identifier.profileId!,
service: 'klaviyo',
timestamp: new Date().toISOString(),
});
console.log(`Deletion requested for ${JSON.stringify(identifier)}`);
}
// Usage
await requestProfileDeletion({ email: 'user-wants-deletion@example.com' });
```
### Step 2: Data Subject Access Request (DSAR)
```typescript
import { ProfilesApi, EventsApi, ListsApi } from 'klaviyo-api';
/**
* Export all Klaviyo data for a given profile (GDPR Article 15).
* Returns all profile attributes, event history, and list memberships.
*/
async function exportProfileData(email: string): Promise<{
profile: any;
events: any[];
lists: any[];
}> {
const profilesApi = new ProfilesApi(session);
const eventsApi = new EventsApi(session);
// 1. Get profile
const profiles = await profilesApi.getProfiles({
filter: `equals(email,"${email}")`,
});
const profile = profiles.body.data[0];
if (!profile) throw new Error(`No profile found for ${email}`);
// 2. Get profile's events
const events = await eventsApi.getEvents({
filter: `equals(profile_id,"${profile.id}")`,
sort: '-datetime',
});
// 3. Get profile's list memberships
const profileLists = await profilesApi.getProfileLists({ id: profile.id });
return {
profile: {
id: profile.id,
...profile.attributes,
},
events: events.body.data.map(e => ({
metric: e.attributes.metricId,
datetime: e.attributes.datetime,
properties: e.attributes.eventProperties,
})),
lists: profileLists.body.data.map(l => ({
id: l.id,
name: l.attributes.name,
})),
};
}
```
### Step 3: PII Detection and Redaction in Logs
```typescript
// src/klaviyo/pii.ts
const PII_PATTERNS = [
{ type: 'email', regex: /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/g },
{ type: 'phone', regex: /\+?\d{10,15}/g },
{ type: 'api_key', regex: /pk_[a-zA-Z0-9]{20,}/g },
];
export function redactPII(text: string): string {
let redacted = text;
for (const pattern of PII_PATTERNS) {
redacted = redacted.replace(pattern.regex, `[REDACTED:${pattern.type}]`);
}
return redacted;
}
export function redactObject(data: Record<string, any>): Record<string, any> {
const sensitiveFields = ['email', 'phoneNumber', 'phone_number', 'firstName', 'lastName', 'apiKey'];
const redacted = { ...data };
for (const field of sensitiveFields) {
if (redacted[field]) {
redacted[field] = typeof redacted[field] === 'string'
? `${redacted[field].substring(0, 3)}***`
: '[REDACTED]';
}
}
return redacted;
}
// Usage: safe logging of Klaviyo API responses
console.log('Profile data:', redactObject(profile.attributes));
```
### Step 4: Consent Management
```typescript
/**
* Record consent and subscribe to marketing.
* Always include consent timestamp for GDPR compliance.
*/
async function recordConsent(
email: string,
channels: { email?: boolean; sms?: boolean },
listId: string,
consentSource: string
): Promise<void> {
const subscriptions: any = {};
const now = new Date().toISOString();
if (channels.email) {
subscriptions.email = {
marketing: { consent: 'SUBSCRIBED', consentTimestamp: now },
};
}
if (channels.sms) {
subscriptions.sms = {
marketing: { consent: 'SUBSCRIBED', consentTimestamp: now },
};
}
await profilesApi.subscribeProfiles({
data: {
type: 'profile-subscription-bulk-create-job',
attributes: {
profiles: {
data: [{
type: 'profile' as any,
attributes: {
email,
subscriptions,
},
}],
},
historicalImport: false, // Set true for pre-existing consent
},
relationships: {
list: { data: { type: 'list', id: listId } },
},
},
});
await auditLog({
action: 'CONSENT_RECORDED',
identifier: email,
channels: Object.keys(channels).filter(c => channels[c as keyof typeof channels]),
source: consentSource,
timestamp: now,
});
}
```
### Step 5: Audit Logging
```typescript
// src/klaviyo/audit.ts
interface AuditEntry {
action: string;
identifier: string;
service: string;
timestamp: string;
details?: Record<string, any>;
}
async function auditLog(entry: AuditEntry): Promise<void> {
// Write to your audit database (must be retained per GDPR)
await db.auditLog.create({
data: {
...entry,
retainUntil: new Date(Date.now() + 7 * 365 * 24 * 60 * 60 * 1000), // 7 years
},
});
console.log(`[AUDIT] ${entry.action}: ${entry.identifier} at ${entry.timestamp}`);
}
```
## Data Classification for Klaviyo
| Data Category | Examples in Klaviyo | Handling |
|--------------|---------------------|----------|
| PII | email, phoneNumber, firstName, lastName | Redact in logs, encrypt at rest |
| Sensitive | API keys, webhook secrets | Never log, rotate quarterly |
| Behavioral | Events, page views, purchases | Anonymize where possible |
| Marketing | List memberships, consent status | Audit trail required |
| Derived | Segments, predictive analytics | No special handling |
## Error Handling
| Issue | Cause | Solution |
|-------|-------|----------|
| Deletion request fails | Missing `data-privacy:write` scope | Update API key scopes |
| Multiple identifiers error | Providing email AND phone | Use exactly one identifier |
| Profile not found for DSAR | Wrong email or already deleted | Search by ID or phone instead |
| PII in error logs | Unredacted API responses | Wrap logger with `redactObject()` |
## Resources
- [Data Privacy API](https://developers.klaviyo.com/en/reference/data_privacy_api_overview)
- [Request Profile Deletion](https://developers.klaviyo.com/en/reference/request_profile_deletion)
- [Consent Collection Guide](https://developers.klaviyo.com/en/docs/collect_email_and_sms_consent_via_api)
- [GDPR Developer Guide](https://gdpr.eu/developers/)
## Next Steps
For enterprise access control, see `klaviyo-enterprise-rbac`.Related Skills
generating-test-data
Generate realistic test data including edge cases and boundary conditions. Use when creating realistic fixtures or edge case test data. Trigger with phrases like "generate test data", "create fixtures", or "setup test database".
managing-database-tests
Test database testing including fixtures, transactions, and rollback management. Use when performing specialized testing. Trigger with phrases like "test the database", "run database tests", or "validate data integrity".
encrypting-and-decrypting-data
Validate encryption implementations and cryptographic practices. Use when reviewing data security measures. Trigger with 'check encryption', 'validate crypto', or 'review security keys'.
scanning-for-data-privacy-issues
Scan for data privacy issues and sensitive information exposure. Use when reviewing data handling practices. Trigger with 'scan privacy issues', 'check sensitive data', or 'validate data protection'.
windsurf-data-handling
Control what code and data Windsurf AI can access and process in your workspace. Use when handling sensitive data, implementing data exclusion patterns, or ensuring compliance with privacy regulations in Windsurf environments. Trigger with phrases like "windsurf data privacy", "windsurf PII", "windsurf GDPR", "windsurf compliance", "codeium data", "windsurf telemetry".
webflow-data-handling
Implement Webflow data handling — CMS content delivery patterns, PII redaction in form submissions, GDPR/CCPA compliance for ecommerce data, and data retention policies. Trigger with phrases like "webflow data", "webflow PII", "webflow GDPR", "webflow data retention", "webflow privacy", "webflow CCPA", "webflow forms data".
vercel-data-handling
Implement data handling, PII protection, and GDPR/CCPA compliance for Vercel deployments. Use when handling sensitive data in serverless functions, implementing data redaction, or ensuring privacy compliance on Vercel. Trigger with phrases like "vercel data", "vercel PII", "vercel GDPR", "vercel data retention", "vercel privacy", "vercel compliance".
veeva-data-handling
Veeva Vault data handling for enterprise operations. Use when implementing advanced Veeva Vault patterns. Trigger: "veeva data handling".
vastai-data-handling
Manage training data and model artifacts securely on Vast.ai GPU instances. Use when transferring data to instances, managing checkpoints, or implementing secure data lifecycle on rented hardware. Trigger with phrases like "vastai data", "vastai upload data", "vastai checkpoints", "vastai data security", "vastai artifacts".
twinmind-data-handling
Handle TwinMind meeting data with GDPR compliance: transcript storage, memory vault management, data export, and deletion policies. Use when implementing data handling, or managing TwinMind meeting AI operations. Trigger with phrases like "twinmind data handling", "twinmind data handling".
supabase-data-handling
Implement GDPR/CCPA compliance with Supabase: RLS for data isolation, user deletion via auth.admin.deleteUser(), data export via SQL, PII column management, backup/restore workflows, and retention policies. Use when handling sensitive data, implementing right-to-deletion, configuring data retention, or auditing PII in Supabase database columns. Trigger: "supabase GDPR", "supabase data handling", "supabase PII", "supabase compliance", "supabase data retention", "supabase delete user", "supabase data export".
speak-data-handling
Handle student audio data, assessment records, and learning progress with GDPR/COPPA compliance. Use when implementing data handling, or managing Speak language learning platform operations. Trigger with phrases like "speak data handling", "speak data handling".