How it works
The deletion cycle, run end to end.
Lethe takes the Delete Act obligation off your desk and turns it into a repeatable cycle: retrieve, match, delete, suppress, report, and prove. Here is what runs, where it runs, and what you get back.
The cycle
Six steps, every 45 days.
Retrieve
Lethe pulls the current deletion list from DROP for the cycle. The first pull is the full opted-in universe. Every pull after that is deltas, plus any consumer withdrawals.
Match
Your records are standardized and hashed to the state's exact rules, then matched against the list. Matches are exact, checked field by field against CalPrivacy's own reference tool.
Delete
Lethe produces a deletion worklist keyed to your own record references, with exempt records flagged rather than erased, and a record that the instruction to your processors went out.
Suppress
Every match is added to a durable suppression record. On later cycles, that record is re-applied, and anyone who reappears is flagged with the feed that reintroduced them.
Report
Lethe writes the status file DROP expects, with the correct numeric codes and the original filenames, ready to upload before the window closes.
Prove
The cycle's record is hash-chained and anchored to a neutral authority, then bundled into an audit package you can hand to a regulator or your counsel.
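A sketch of the hash-chained, externally anchored record that the Prove step describes, as an added example that is not Lethe's code: SHA-256, the JSON record layout and the field names are assumptions. It shows why the anchor matters: an edited record fails chain verification, but a chain re-hashed from scratch after the edit passes on its own and is caught only by comparing its head to the anchored value.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed starting value for the first link

def entry_hash(prev_hash, record):
    # Canonical JSON so the same record always serializes to the same bytes.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

def build_chain(records):
    # Each link commits to its record and, through prev, to every earlier link.
    chain, prev = [], GENESIS
    for record in records:
        digest = entry_hash(prev, record)
        chain.append({"prev": prev, "record": record, "hash": digest})
        prev = digest
    return chain

def verify_chain(chain, anchored_head=None):
    # anchored_head: the head hash as held by the outside party, if available.
    prev = GENESIS
    for i, link in enumerate(chain):
        if link["prev"] != prev:
            return False, f"link {i}: broken back-pointer"
        if entry_hash(prev, link["record"]) != link["hash"]:
            return False, f"link {i}: record does not match its hash"
        prev = link["hash"]
    if anchored_head is not None and prev != anchored_head:
        return False, "head differs from anchored value"
    return True, "ok"

# Constructed sample: one cycle's step records (field names are hypothetical).
CYCLE = [
    {"step": "retrieve", "list_entries": 1200},
    {"step": "match", "matches": 37},
    {"step": "delete", "worklist_rows": 35, "exempt_flagged": 2},
    {"step": "suppress", "added": 37},
]

def demo():
    chain = build_chain(CYCLE)
    anchored = chain[-1]["hash"]  # value lodged with the outside authority
    edited = [dict(link, record=dict(link["record"])) for link in chain]
    edited[1]["record"]["matches"] = 30  # in-place edit of a past record
    rebuilt = build_chain([link["record"] for link in edited])  # full re-hash
    return (verify_chain(chain, anchored), verify_chain(edited, anchored),
            verify_chain(rebuilt), verify_chain(rebuilt, anchored))
```

`demo()` returns the four verification results in order: intact chain, edited record, rebuilt chain without the anchor, rebuilt chain checked against the anchor.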
Two ways to run it
You choose how much leaves your network.
The same engine runs in two modes. The difference is where your data sits and how much an outside auditor can independently confirm. Most brokers start with hash-and-send.
Hash and send
Your records are normalized and hashed on your own premises. Only hashes leave, never plaintext names, emails, or phone numbers. The deletion set, the suppression record, and the audit anchor live on the Lethe side, which is what makes continuity and proof possible.
Fully on-premise
Nothing leaves your network, not even a hash. The whole engine runs inside your environment under a time-bound license and signed spec packs. This is the strongest trust posture, for the most cautious brokers. The tradeoff is weaker independent proof, which we explain plainly rather than paper over.
What you get back
Files, not a dashboard you have to learn.
Exactly what to delete
A list keyed to your own record IDs, marked delete, verify, opted-out, or reappeared, so the action is unambiguous.
Ready to upload to DROP
The status file in the format the platform ingests, with the right codes and filenames, so reporting is a single step.
Your system of record
The full deletion set, held locally and re-applied every cycle, with reappearance counts and the feeds responsible.
Evidence for 2028
A bundled, human-readable package with the run history, the chained log, and the external anchor, ready for an auditor.
Onboarding
Setup is a config file and a call, not a six-week rollout.
You export your records as a CSV. We map your columns to the identifier lists that apply to you, hand you a configuration, and run the first cycle with you on the call. There is no portal to provision, no SSO to wire, and no integration project. When something repeats often enough to be worth automating, we automate it. Not before.
That keeps the cost down and the trust posture clean: the simplest thing that runs the cycle correctly, and nothing you are paying to ignore.
See it run on a real export.
Start with a readiness assessment. We map your obligations and show you the cycle against your own data.