Provide a scoped export workflow that explains eligible data, category selection, format, destination, identity or permission checks, job progress, manifest, omissions, package security, expiry, download or transfer actions, retry paths, and completion evidence.
Use when
Users need to download or transfer a copy of account, workspace, personal, product, activity, or organization data.
The export is asynchronous, sensitive, scoped, multi-category, format-dependent, or subject to portability or compliance obligations.
Users need a manifest, package status, expiry, secure download, or retry path.
The product must distinguish included, excluded, redacted, delayed, and unavailable data.
Avoid when
The user is importing records into the product; use bulk import.
The user is exporting one visible table view and no broader package, privacy, or account scope is involved.
The task is viewing audit evidence rather than downloading a data package.
The user is deleting account data or changing privacy preferences.
Security policy forbids export for the requested category; show a policy-blocked state and support path.
Problem it prevents
Data export workflows become risky when they hide scope, confuse export with deletion or import, omit format and portability limits, expose sensitive archives through weak links, or provide no recovery when a long-running export is partial, delayed, expired, or failed.
Pattern anatomy
What a strong implementation has to make clear
User need
The exported data may include personal information, activity history, files, messages, contacts, billing records, audit records, workspace content, settings, generated outputs, or organization archives.
Pattern promise
Provide a scoped export workflow that explains eligible data, category selection, format, destination, identity or permission checks, job progress, manifest, omissions, package security, expiry, download or transfer actions, retry paths, and completion evidence.
Required state
Eligible data categories and unavailable categories state.
Recovery path
Users download a package but cannot tell whether messages, files, audit events, or activity history are missing.
Access contract
Use persistent status text for queued, preparing, ready, partial, failed, expired, and downloaded states rather than relying on a spinner or toast alone.
Quality bar
The difference between expert and weak execution
Strong implementation
Specific, visible, recoverable
A privacy dashboard lets a user choose activity, profile, files, messages, and billing categories, shows JSON or CSV availability, requires reauthentication, creates archive EXP-2048, then shows download expiry and checksum.
An admin export page shows workspace data families, estimated size, cloud archive destination, support requirements, preparation progress, partial failures, and a manifest before download.
A user requests a machine-readable archive, sees which data categories are eligible for portability, waits for preparation, downloads the package before expiry, and gets a manifest listing omitted records.
A workspace owner exports organization data to a cloud archive, sees that chat history is delayed, retries the failed category, and verifies that the final package matches the visible scope.
Weak implementation
Vague, hidden, hard to recover from
A button says Export all data but does not say which services, formats, accounts, dates, or unavailable records are included.
The export link stays valid forever, exposes sensitive files to the wrong account, and is presented next to Delete account as though export deletes data.
A user downloads a huge ZIP with no manifest, cannot tell whether messages or attachments are missing, and assumes export completed because one file downloaded.
A support admin exports another user's data without role explanation, approval, redaction, audit trail, or notification.
UI guidance
Render data export as a job-based workflow with export scope, data categories, format, destination, estimated size, preparation status, expiry, security requirements, and download or transfer actions.
Show what is included, excluded, redacted, delayed, permission-limited, or unavailable before the export starts; keep package readiness, partial success, failure, and link expiry visible until resolved.
UX guidance
Use data export when users need a portable copy of personal, account, workspace, product, activity, or organization data for reuse, compliance, migration, backup, or review.
Protect trust by separating export from deletion, import, audit evidence, reporting, and settings changes; make identity checks, sensitive-data handling, package retention, and recovery explicit.
Implementation contract
What the implementation must handle
States
Eligible data categories and unavailable categories state.
Category selection, date range, account, workspace, format, and destination state.
Identity verification, permission check, approval required, or policy blocked state.
Export requested, queued, preparing, estimating size, compressing, and packaging states.
Interaction
Export scope is explicit before the job starts and remains visible through progress, completion, failure, and download.
The product does not imply that export removes, deletes, imports, transfers, or anonymizes source data unless that separate action is actually happening.
Starting an export records the selected categories, filters, format, destination, requester, account or workspace, and timestamp.
Long-running exports can be left and resumed from a status page, notification, email, or job history without losing context.
Accessibility
Use persistent status text for queued, preparing, ready, partial, failed, expired, and downloaded states rather than relying on a spinner or toast alone.
Associate category checkboxes, date ranges, format choices, and destination controls with clear labels and descriptions.
Expose package ID, expiry, size, format, manifest, checksum, omitted categories, and download status as text.
Do not rely on color alone to show sensitive, unavailable, redacted, failed, or ready categories.
Review
What exact data categories, services, date range, account, workspace, and format are included?
Which data is not eligible, redacted, delayed, deleted, archived, outside retention, or permission-limited?
What identity, role, approval, or policy check protects the export?
How does the user verify the package contents: manifest, checksum, file count, record count, or package ID?
Interactive lab
Inspect the states before you copy the pattern
Prepare and download scoped data packages
Inspect data export, category selection, date range, format, destination, identity check, permission check, export requested, queued, estimating size, packaging archive, large background job, partial export, ready package, secure download, transfer destination, expired link, regenerate link, failed export, canceled export, rate limited, unsupported format, storage full, post-download, and mobile compact export. Then compare the export-all-mystery, delete-confusion, visible-rows-only, permanent-link, silent-partial, wrong-account-download, and raw-secret-manifest failures.
State To Inspect
Eligible data categories and unavailable categories state.
Keyboard / Access
Tab order reaches category selection, select all or none, date range, format, destination, verification, start export, job status, manifest, download, retry, and cancel controls.
Avoid Generating
Using one Export all button with no scope, format, account, destination, date range, or size estimate.
Supports user-facing account data export archive creation.
Full agent/debug reference
Problem Context
The exported data may include personal information, activity history, files, messages, contacts, billing records, audit records, workspace content, settings, generated outputs, or organization archives.
Exports may be requested by account holders, admins, compliance staff, support agents, organization owners, or migration operators.
The export may be synchronous for small tables, asynchronous for archives, category-scoped for privacy dashboards, destination-based for cloud archives, or API-driven for enterprise tools.
Data may be unavailable because of retention, permission, product support, legal hold, deleted objects, redaction policy, processing delay, or format limits.
Selection Rules
Choose data export when the user needs a copy or transfer of existing data outside the current product workflow.
Use bulk import when the task is bringing structured records into the product, including mapping and validation, rather than taking data out.
Use audit log when the primary task is governed event evidence; data export may package audit records but does not replace audit-log review.
Use table or data grid export for local row downloads when the scope is one visible dataset; use data export when the workflow needs account, workspace, category, privacy, retention, or package handling.
Use sensitive-data reveal when the task is briefly exposing one protected value, not preparing a portable archive.
Require identity, permission, or approval checks when export contains sensitive personal data, organization data, financial data, private files, or another user's records.
Show data categories, date range, services, account, workspace, format, destination, estimated size, and expected preparation time before starting export.
State whether export includes deleted, archived, redacted, unavailable, retained, encrypted, or third-party data.
Provide a manifest, checksum, package ID, or export reference when users need to verify what was produced.
Keep export distinct from delete account, privacy setting changes, consent withdrawal, notification preferences, and migration import actions.
Required States
Eligible data categories and unavailable categories state.
Category selection, date range, account, workspace, format, and destination state.
Identity verification, permission check, approval required, or policy blocked state.
Export requested, queued, preparing, estimating size, compressing, and packaging states.
Large export background job with progress, expected wait, and notification route.
Partial export with omitted records, redacted fields, failed categories, and retry actions.
Export ready with package ID, expiry time, size, format, checksum or manifest, and download action.
Secure download, transfer to another service, copy link, expired link, and regenerate link states.
Export failed, canceled, rate limited, storage full, unsupported format, and recovery states.
Post-download state that explains export does not delete source data and records completion where appropriate.
Interaction Contract
Export scope is explicit before the job starts and remains visible through progress, completion, failure, and download.
The product does not imply that export removes, deletes, imports, transfers, or anonymizes source data unless that separate action is actually happening.
Starting an export records the selected categories, filters, format, destination, requester, account or workspace, and timestamp.
Long-running exports can be left and resumed from a status page, notification, email, or job history without losing context.
Ready packages show expiry, size, format, checksum or manifest, sensitive-data warning, and the account or destination that can download them.
Partial or failed exports name affected categories and provide retry, regenerate, support, or archive-request paths.
Export links, API tokens, and package URLs are time-limited, permission-checked, and do not expose data to the wrong account.
After download or transfer, the UI states whether the package was downloaded, transferred, expired, canceled, or still available.
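One way to make a package link time-limited and account-bound, so the server can tell the expired-link and wrong-account states apart. This is an added example, not code from the pattern library; the HMAC token layout, the 15-minute lifetime, the key value, and the function and state names are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumptions: key comes from a secrets manager (constructed value here); 15-minute lifetime.
SIGNING_KEY = b"constructed-demo-key"
LINK_TTL_SECONDS = 15 * 60


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_download_token(package_id, account_id, now=None):
    """Sign claims binding the link to one package, one account and an expiry."""
    now = time.time() if now is None else now
    claims = {"pkg": package_id, "acct": account_id, "exp": int(now) + LINK_TTL_SECONDS}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return body + "." + sig


def check_download_token(token, package_id, session_account_id, now=None):
    """Return the state the UI should show: ok, invalid, wrong_account or expired."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        # Constant-time comparison; reject before parsing unauthenticated claims.
        if not hmac.compare_digest(_unb64(sig), expected):
            return "invalid"
        claims = json.loads(_unb64(body))
    except ValueError:
        return "invalid"
    if claims["pkg"] != package_id:
        return "invalid"
    if claims["acct"] != session_account_id:
        return "wrong_account"   # signed-in account is not the one the link was issued to
    if now >= claims["exp"]:
        return "expired"         # recovery: call issue_download_token again (regenerate link)
    return "ok"
```

The account comes from the authenticated session, never from the URL, so a forwarded link fails for any other signed-in user.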
Implementation Checklist
Model export jobs with request ID, requester, account/workspace, category set, filters, date range, format, destination, status, package ID, expiry, manifest, checksum, and error details.
Classify export data by sensitivity, portability eligibility, file size, product support, retention, legal hold, redaction, and permission requirements.
Add identity verification, role check, approval, or policy gates for sensitive, admin, organization, or cross-user exports.
Provide progress for queued, preparing, packaging, ready, partial, failed, canceled, expired, and regenerated-link states.
Generate a manifest that names included categories, omitted categories, redacted fields, unavailable products, file counts, record counts, format, and timestamps.
Make download links short-lived and account-bound; support link regeneration and clear expired-link recovery.
Test large archives, many categories, slow packaging, failed category, partial result, expired link, wrong account, mobile download handoff, storage limits, and screen-reader progress updates.
Log export requests and downloads without logging raw exported contents in unrelated telemetry.
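A sketch of the manifest item in this checklist, showing how a job with a failed or unavailable category is reported as partial and how the checksum is verified after download. This is an added example, not code from the pattern library; the outcome values, field names, and sample results are assumptions constructed for illustration.

```python
import hashlib

# Constructed per-category results for one export job (sample data, not from the page).
SAMPLE_RESULTS = [
    {"category": "profile", "outcome": "included", "records": 1, "files": 0},
    {"category": "billing", "outcome": "redacted", "records": 12, "files": 12,
     "redacted_fields": ["card_number"]},
    {"category": "messages", "outcome": "failed", "reason": "processing delay"},
    {"category": "audit", "outcome": "unavailable", "reason": "outside retention"},
]
IN_PACKAGE = ("included", "redacted")


def build_manifest(package_id, fmt, results, archive_bytes, created_at):
    """Name what is in the package, what is not and why, plus a checksum."""
    present = [r for r in results if r["outcome"] in IN_PACKAGE]
    omitted = [r for r in results if r["outcome"] not in IN_PACKAGE]
    return {
        "package_id": package_id,
        "format": fmt,
        "created_at": created_at,
        # Any omitted category makes the job partial, never silently "ready".
        "status": "partial" if omitted else "ready",
        # Redaction is recorded by field name only; values never enter the manifest.
        "included": [{"category": r["category"], "records": r["records"],
                      "files": r["files"],
                      "redacted_fields": r.get("redacted_fields", [])} for r in present],
        "omitted": [{"category": r["category"], "outcome": r["outcome"],
                     "reason": r["reason"]} for r in omitted],
        "retry": [r["category"] for r in omitted if r["outcome"] == "failed"],
        "record_count": sum(r["records"] for r in present),
        "file_count": sum(r["files"] for r in present),
        "sha256": hashlib.sha256(archive_bytes).hexdigest(),
    }


def verify_package(manifest, downloaded_bytes):
    """Recompute the checksum after download and compare it with the manifest."""
    return hashlib.sha256(downloaded_bytes).hexdigest() == manifest["sha256"]
```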
Common Generated-UI Mistakes
Using one Export all button with no scope, format, account, destination, date range, or size estimate.
Confusing export with delete account, privacy preference changes, migration import, or audit-log investigation.
Leaving sensitive export archives available forever or downloadable by any signed-in user with the link.
Claiming the export is complete when categories failed, were redacted, or were outside retention.
Exporting only visible table rows while labelling the result as full account data.
Putting raw secrets, tokens, private files, or AI prompts into export manifests where broad admins can see them.
Failing silently after a long-running export job expires or hits an archive size limit.
Critique Questions
What exact data categories, services, date range, account, workspace, and format are included?
Which data is not eligible, redacted, delayed, deleted, archived, outside retention, or permission-limited?
What identity, role, approval, or policy check protects the export?
How does the user verify the package contents: manifest, checksum, file count, record count, or package ID?
How long is the package available, who can download it, and how can an expired link be regenerated?
Does the interface clearly say that exporting data does not delete, import, or transfer source data unless a separate action occurs?
Accessibility
Use persistent status text for queued, preparing, ready, partial, failed, expired, and downloaded states rather than relying on a spinner or toast alone.
Associate category checkboxes, date ranges, format choices, and destination controls with clear labels and descriptions.
Expose package ID, expiry, size, format, manifest, checksum, omitted categories, and download status as text.
Do not rely on color alone to show sensitive, unavailable, redacted, failed, or ready categories.
Announce progress milestones and completion without repeatedly interrupting screen reader users during long-running jobs.
Keyboard Behavior
Tab order reaches category selection, select all or none, date range, format, destination, verification, start export, job status, manifest, download, retry, and cancel controls.
Enter or Space toggles categories and activates export, download, retry, regenerate link, and cancel controls.
Escape closes format, destination, or manifest dialogs without canceling the export job unless the user explicitly chooses cancel.
After starting export, focus moves to a status region or remains near the start control with status announced.
After a package becomes ready, focus can move to the download action or ready status without losing the job reference.
Expired link recovery returns focus to the regenerated link or package status.