Pending counsel review: placeholder language, not yet finalized. These documents will be updated to counsel-drafted text before our first paid customer signs.

Data Subject Rights

This page describes how to exercise your data protection rights under GDPR, CCPA, and other applicable privacy laws. It supplements Section 9 of our Privacy Policy, where the rights themselves are enumerated.

We treat every Data Subject Right (DSR) request as a serious obligation. We respond within 30 days (or 45 days for requests under the CCPA). Submitting a complete request through the channel below helps us respond quickly and without follow-up clarification.

1. What rights you have

Depending on your jurisdiction, you may have the following rights with respect to your personal data:

Access — receive a copy of the personal data we hold about you, plus a description of how we use it.
Correction (also called rectification) — ask us to fix inaccurate or incomplete personal data.
Deletion (also called erasure or "right to be forgotten") — ask us to delete your personal data, subject to legal retention obligations and overrides described in our Privacy Policy.
Portability — receive your personal data in a structured, commonly used, machine-readable format (typically JSON).
Object to or restrict processing — ask us to stop processing your data for certain purposes (e.g., marketing) or to pause processing while a dispute is resolved.
Withdraw consent — for processing based on your consent (e.g., analytics cookies), withdraw that consent at any time.
Lodge a complaint — file a complaint with your jurisdiction's data protection authority if you believe we have violated your rights.

The Privacy Policy describes the legal basis for each category of processing.

2. How to make a request

Email privacy@documentblueprint.com with the following information:

Your full name — required so we can match the request to an account or to data held about you.
The email address associated with your Document Blueprint account — if you have one. (If you don't have an account, see Section 7 below.)
Your jurisdiction (country or US state) — determines which privacy framework applies and our response timeline.
Which right(s) you are exercising — Access, Correction, Deletion, Portability, etc.
What specifically you are requesting — for Access: which categories of data; for Correction: what to change; for Deletion: scope (e.g., full account or specific data); for Portability: format preference (default JSON).
Optional context — anything you'd like us to know about the request.

You may submit a request in any language; we will respond in English unless you specifically ask for a translation.

3. Identity verification

Before responding, we verify that the requester is the data subject (or their authorized agent). For account holders, we send a verification reply to the account email and wait for your confirmation. For a request submitted on behalf of someone else, we ask for proof of authorization (e.g., a signed authorization letter or a power of attorney).

If we cannot verify your identity within a reasonable period after our verification request, we may decline the request and inform you in writing.

4. Response timeline

We respond within 30 days of receipt of a complete and verified request. Under the CCPA, we may take up to 45 days with the option to extend by an additional 45 days for complex requests, with notice.

We do not charge a fee for the first request in a 12-month period. We may charge a reasonable fee or refuse to act on requests that are manifestly unfounded or excessive (e.g., repetitive requests for the same data within a short period). If we charge a fee or refuse a request, we will explain why.

If your request is complex or involves multiple data systems, we may extend the response period by up to two months under GDPR Article 12(3); we will notify you within the first 30 days if we need to do so.

5. What you'll receive

Responses depend on the right you're exercising:

Access requests — a structured response (typically a JSON file or a PDF report) covering: your account profile, workspace memberships, role assignments, audit log entries about your account, and metadata about cases or files you've created. For Customer Data documents themselves (e.g., uploaded PDFs), we provide download links rather than embedding the file contents in the response.
Correction requests — confirmation of which fields were updated, before-and-after values, and the date of the change. For self-service-correctable data (your name, email, profile fields), we may direct you to the Settings page rather than making the change ourselves.
Deletion requests — confirmation of what was deleted and what was retained for legitimate legal or operational reasons (e.g., audit records related to fraud prevention, billing records required by tax authorities). Backups containing your data are deleted on our standard backup retention schedule.
Portability requests — your data in JSON format, structured to be re-importable into another service.
Object/restrict — confirmation that the relevant processing has stopped, with an explanation of what processing remains essential to provide the service.
Withdraw consent — confirmation that the consent is withdrawn and any data dependent on that consent is no longer processed.

6. Appeal and complaint

If you are unsatisfied with our response, you have the right to lodge a complaint with your jurisdiction's data protection authority:

United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk
European Union: your national data protection authority (find yours at edpb.europa.eu)
California: California Privacy Protection Agency — cppa.ca.gov
Other US states: your state attorney general's office

You also have the right to seek a judicial remedy under applicable law.

7. If your data is held in a customer's workspace

Document Blueprint is a multi-tenant platform: many of our customers (typically businesses, in industries like construction, legal, or healthcare) use the service to manage data about their own end users. If your data appears in a customer's workspace because they uploaded a file or created a case that mentions you, that customer is the Controller for your data; Document Blueprint is the Processor acting on the customer's instructions.

In that scenario, requests to exercise your rights should be directed to the customer (the data Controller). If you don't know who the customer is, you may contact us at privacy@documentblueprint.com and we will route the request to the relevant customer of record. We will not respond to the request directly because we don't have legal authority to alter or delete data on the customer's behalf without their instruction.

This routing model is consistent with GDPR Article 28 (Processor obligations) and the CCPA Service Provider provisions in our Data Processing Agreement Section 11.

Contact

For privacy questions, requests, or to escalate an unresolved issue: privacy@documentblueprint.com.