When you delete a contact and then restore it, HighLevel silently creates a new record instead of re-using the original. That creates duplicate contacts in the account with the same email address. All users, whether or not they had access to the contact, can see the contact's information in the 'Restore' tab, which creates GDPR issues.
Any user, regardless of whether they had access to the contact or not, can view and restore deleted contacts.
This behavior:
Bypasses the built-in email uniqueness check
Lets restricted users see contacts they don’t “own”
Exposes personal data across users, which conflicts with GDPR principles
Steps to Reproduce:
Create a contact with a given email (e.g. test@test.com).
Delete that contact.
Go to “Deleted Contacts” and click “Restore.”
Observe that a second contact record appears with the same email.
Log in as a user with limited visibility and verify they can see contacts in the 'Restore' tab.
Expected Behavior:
Restoring a contact should re-activate the original record (no duplicate).
Users should only see contacts for which they have permission to view, whether the contacts are deleted or not.
Actual Behavior:
Each restore action creates a brand-new contact record with the same email.
All users, even those with restricted access, can view contacts in the 'Restore' tab.
Impact:
Data Integrity: Duplicate records for the same email cause confusion and campaign errors.
Privacy Compliance: Exposes personal data to unauthorized users, risking GDPR violations.
Please address this as a high priority bug. Restoring contacts should not create duplicates, and visibility rules must apply consistently to deleted/restored records.
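A minimal model of the expected behavior described above, added here as an illustration; it is not part of the original report and is not HighLevel's code. The schema, the single `owner` column as the visibility rule, and all function names are assumptions, and the sample contact and users are constructed.

```python
import sqlite3

SCHEMA = """
CREATE TABLE contacts (
    id         INTEGER PRIMARY KEY,
    email      TEXT NOT NULL UNIQUE,  -- assumption: uniqueness also covers deleted rows
    owner      TEXT NOT NULL,         -- assumption: one owning user per contact
    deleted_at TEXT                   -- NULL means active (soft delete)
);
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def _scope(user, is_admin):
    # Single visibility rule reused by every query, deleted or not.
    return ("1 = 1", ()) if is_admin else ("owner = ?", (user,))

def create_contact(db, email, owner):
    return db.execute("INSERT INTO contacts (email, owner) VALUES (?, ?)",
                      (email, owner)).lastrowid

def list_contacts(db, user, is_admin=False, deleted=False):
    scope, args = _scope(user, is_admin)
    state = "IS NOT NULL" if deleted else "IS NULL"
    sql = (f"SELECT id, email FROM contacts "
           f"WHERE deleted_at {state} AND {scope} ORDER BY id")
    return db.execute(sql, args).fetchall()

def _set_deleted(db, contact_id, user, is_admin, delete):
    scope, args = _scope(user, is_admin)
    new, old = ("datetime('now')", "IS NULL") if delete else ("NULL", "IS NOT NULL")
    sql = (f"UPDATE contacts SET deleted_at = {new} "
           f"WHERE id = ? AND deleted_at {old} AND {scope}")
    # rowcount is 0 when the row is missing, in the wrong state, or out of scope.
    return db.execute(sql, (contact_id, *args)).rowcount == 1

def delete_contact(db, contact_id, user, is_admin=False):
    return _set_deleted(db, contact_id, user, is_admin, delete=True)

def restore_contact(db, contact_id, user, is_admin=False):
    # Restore flips the flag on the original row; it never inserts a copy.
    return _set_deleted(db, contact_id, user, is_admin, delete=False)
```

Because the same scope predicate is applied to the deleted view and to the restore action, a restricted user neither sees nor can restore a contact they could not see while it was active.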