GDPR retention and erasure for an agent mailbox Nylas developer tools enable GDPR-compliant retention and erasure for AI agent mailboxes. The platform provides API endpoints to set retention periods and hard-delete messages, ensuring personal data is not stored indefinitely. A step-by-step walkthrough demonstrates how to configure these features using curl commands or the Nylas CLI. Most "AI email" demos never think about deletion. The agent reads, replies, files things away, and the inbox just grows. That's fine in a demo. It is a problem the first time a real person emails your agent, because the moment that mailbox holds someone else's name, address, order history, or support complaint, you've taken on a data-protection obligation — and "we kept everything forever" is not a defensible retention policy. An Agent Account on Nylas accumulates personal data you have to be able to purge. It's a mailbox the agent owns — support@yourcompany.com answering to a model instead of a human — and every inbound message lands in it. Under GDPR that data needs two things you can prove: a retention window so it doesn't live forever, and an erasure path so you can delete a specific person's mail when they ask. This post builds both, with the curl and the CLI for each step. A quick, honest caveat before any of it: this is a docs-and-demo walkthrough, not legal advice. The Nylas primitives below cover the mail held in the mailbox . Any derived copy you made — rows in your own database, lines in your application logs, a vector store you embedded the message into — is yours to purge separately. The API can delete the message; it can't reach into your Postgres. Keep that in mind throughout. Nothing new to learn on the data plane. An Agent Account is just a grant with a grant id , so everything you already know about Messages and Threads applies directly — listing, reading, and deleting mail run against the same grant-scoped endpoints any other Nylas integration uses. Retention and erasure split cleanly into two layers: limit inbox retention period and limit spam retention period . Set them once and Nylas deletes aged-out mail for you, per account, with no cron job on your side. GET /v3/grants/{grant id}/messages filtered by sender, then hard-delete each one with DELETE .../messages/{id}?hard delete=true — a plain delete only trashes the message, which isn't erasure. For a full identity wipe, you delete the grant itself.The split matters because the two answer different questions. Retention answers "how long do we keep anything?" — a blanket time bound. Erasure answers "delete this person's data, now" — a targeted request. A compliant agent mailbox needs both; one doesn't substitute for the other. I work on the Nylas CLI, so the terminal commands below are the exact ones I reach for. Where it matters I'll show the curl and the nylas ... form side by side, because in practice you set retention once through the API and run erasure ad hoc from a terminal when a request comes in. You need an Agent Account, an API key for the same application, and the host set to https://api.us.nylas.com . Every API call below carries Authorization: Bearer