Data Subject Access Request

Instructions

When to use: This is an internal process document for handling data subject requests (DSRs) received under the GDPR (Chapter III) and the CCPA/CPRA (Cal. Civ. Code 1798.100 et seq.). Use this template whenever a user, customer, or other individual submits a request to exercise their data protection rights.

Who fills it out: The privacy/compliance team member assigned to process the request. Engineering support may be required for data extraction, correction, or deletion.

Process owner: [PRIVACY_TEAM_LEAD_NAME] / [PRIVACY_TEAM_EMAIL]

1. Request Intake Form

Complete this form upon receipt of a data subject request.

Field	Value
Request ID	`[REQUEST_ID]`
Date Received	`[DATE_RECEIVED]`
Requestor Name	`[REQUESTOR_NAME]`
Requestor Email	`[REQUESTOR_EMAIL]`
Requestor Account Username	`[REQUESTOR_USERNAME]`
Request Type	`[REQUEST_TYPE]` (access / deletion / correction / portability / opt-out of sale or sharing)
Request Details	`[REQUEST_DETAILS]`
Request Channel	`[REQUEST_CHANNEL]` (email / in-app / web form / postal mail / other)
Assigned To	`[ASSIGNED_TEAM_MEMBER]`
Applicable Law	`[APPLICABLE_LAW]` (GDPR / CCPA / UK GDPR / other)

2. Identity Verification

Before processing any request, the identity of the requestor must be verified to prevent unauthorized disclosure of personal data.

2.1 Account Holders

Confirm the request was submitted from the email address associated with the Honeycomb account
If the request was not submitted from the account email, send a verification email to the account email address and require the user to confirm
If the user cannot access their account email, require two of the following:
- Account username
- Last four digits of the payment method on file
- Date the account was created (approximate month/year)
- Description of recent account activity

2.2 Non-Account Holders

Request a copy of a government-issued photo ID
Verify the name and other identifying information match records in the system
Redact or return the ID copy after verification; do not retain copies beyond the verification process

2.3 Authorized Agents

Request a signed authorization letter from the data subject
Verify the agent’s identity using the methods above
Under CCPA, verify the data subject directly authorized the agent unless the agent provides a power of attorney under Cal. Prob. Code 4000-4465

Verification completed: [ ] Yes / [ ] No

Verification date: [VERIFICATION_DATE]

Verified by: [VERIFIED_BY]

3. Data Collection Checklist

For access and portability requests, collect data from all of the following sources. For deletion requests, confirm deletion across all applicable sources.

Data Source	Description	System / Table	Collected / Deleted
User Profile	Name, email, username, bio, avatar, settings	`profiles` table	[ ]
Posts	All published and draft posts	`posts` table	[ ]
Comments	Comments on posts and content	`comments` table	[ ]
Messages / DMs	Direct messages, group messages	`messages` table	[ ]
Transactions	Purchase history, sales history, invoices	`transactions` table (+ Stripe records)	[ ]
Stories	Ephemeral story content and history	`stories` table	[ ]
Media Uploads	Images, videos, documents, and other files	Supabase Storage / `media` table	[ ]
App Extension Data	Data generated by each installed app extension (check per extension)	Per-extension tables	[ ]
Analytics / Usage	Page views, session logs, feature usage	`analytics` / `usage_events` tables	[ ]
Audit Logs	Account activity, login history, security events	`audit_logs` table	[ ]
AI Interaction Logs	Prompts, responses, AI feature usage history	`ai_logs` table (+ OpenAI records)	[ ]
E-Signature Records	Signed agreements and signature metadata	`signatures` table	[ ]
Affiliate Data	Referral links, commission records, tracking data	`affiliates` / `referrals` tables	[ ]
Notification Preferences	Email, push, and in-app notification settings	`notification_settings` table	[ ]

Notes on specific data sources:

Stripe: For transaction and payment data, a separate request to Stripe may be required. Stripe acts as an independent controller for some data categories.
OpenAI: AI interaction logs stored with OpenAI should be included. Check the OpenAI DPA for data retention terms.
App Extensions: Each of the 27 app extensions may store data in separate tables. Review the installed extensions for the specific user and collect data from each.
Backups: Deletion requests apply to live systems. Backup copies will be purged on the normal backup rotation cycle. Document the expected purge timeline.

4. Response Timeline

Step	Deadline
Acknowledge receipt	Within 3 business days
Complete identity verification	Within 5 business days
Provide response or fulfill request	Within 30 calendar days of receipt
Extension (if complex or voluminous)	Up to 60 additional calendar days (60-day extension); must notify the data subject within the initial 30-day period with reasons for the delay

CCPA / CPRA (Cal. Civ. Code 1798.130)

Step	Deadline
Acknowledge receipt	Within 10 business days
Complete identity verification	Within 10 business days
Provide response or fulfill request	Within 45 calendar days of receipt
Extension (if reasonably necessary)	Up to 45 additional calendar days (45-day extension); must notify the consumer within the initial 45-day period with reasons for the delay

Response deadline for this request: [RESPONSE_DEADLINE]

Extension requested: [ ] Yes / [ ] No

Extension reason: [EXTENSION_REASON]

Extended deadline: [EXTENDED_DEADLINE]

5. Response Letter Template

Use the following template to respond to the data subject upon completion of the request.

Date: [RESPONSE_DATE]

To: [REQUESTOR_NAME] ([REQUESTOR_EMAIL])

Re: Data Subject Request — [REQUEST_ID]

Dear [REQUESTOR_NAME],

We are writing in response to your [REQUEST_TYPE] request received on [DATE_RECEIVED].

For Access / Portability Requests:

We have compiled the personal data associated with your account. Please find the enclosed data export, which includes data from the following categories: [LIST_OF_DATA_CATEGORIES_PROVIDED].

The data is provided in [FORMAT] (e.g., JSON, CSV) format. If you require the data in a different format, please let us know.

For Deletion Requests:

We have completed the deletion of your personal data from our active systems. The following categories of data have been deleted: [LIST_OF_DATA_CATEGORIES_DELETED].

Please note the following:

Data in backup systems will be purged within [BACKUP_RETENTION_PERIOD].
Certain data may be retained as required by applicable law, including [LEGAL_RETENTION_REQUIREMENTS].

For Correction Requests:

We have updated the following personal data in accordance with your request: [DESCRIPTION_OF_CORRECTIONS].

For Opt-Out Requests:

We have processed your opt-out request. Your personal data will no longer be sold or shared for cross-context behavioral advertising purposes.

If you have any questions or concerns about our response, you may contact us at [PRIVACY_CONTACT_EMAIL]. You also have the right to lodge a complaint with a supervisory authority.

Sincerely,

[RESPONDER_NAME] [RESPONDER_TITLE] Honeycomb Privacy Team

6. Escalation Process

Condition	Escalation Path
Requestor disputes identity verification outcome	Escalate to `[PRIVACY_TEAM_LEAD_NAME]`
Request involves data processed by a third-party sub-processor	Coordinate with the sub-processor per the applicable DPA
Request involves legally privileged or litigation-hold data	Escalate to `[LEGAL_COUNSEL_NAME]` before processing
Request cannot be fulfilled within the statutory timeline	Notify `[PRIVACY_TEAM_LEAD_NAME]` and issue extension notice
Requestor threatens regulatory complaint or legal action	Escalate immediately to `[LEGAL_COUNSEL_NAME]`
Request involves data from multiple jurisdictions	Escalate to `[PRIVACY_TEAM_LEAD_NAME]` for jurisdiction analysis

7. Record-Keeping Requirements

Maintain a log of all data subject requests for a minimum of 3 years from the date of completion. The log must include:

Request ID and date received
Requestor identity (name, email, verified status)
Request type
Date identity was verified
Date request was fulfilled or denied (with reason for denial)
Any extension notices sent
Copies of all correspondence with the requestor
Internal notes and escalation records
Confirmation of data deletion or export delivery

Under CCPA: Businesses that handle 10 million or more consumers’ personal information annually must compile metrics on the number of requests received, complied with (in whole or in part), and denied, broken down by request type, and must disclose these metrics in the privacy policy. Review whether this threshold applies.

Notes for Counsel

Exemptions. Both the GDPR and CCPA provide exemptions to data subject rights. Before denying a request, consult with counsel to ensure the exemption applies. Common exemptions include legal claims (GDPR Art. 17(3)(e)), freedom of expression (GDPR Art. 17(3)(a)), and legal compliance obligations.
Third-Party Data. Responses to access requests may contain data relating to other individuals. Redact or exclude third-party personal data unless disclosure is appropriate.
AI-Generated Data. AI interaction logs may contain both user-provided prompts and system-generated responses. Clarify with counsel whether AI-generated outputs constitute “personal data” of the requestor under applicable law.
Litigation Holds. If any data subject to a request is under a litigation hold, do not delete that data. Coordinate with legal counsel before responding.
Fee Provisions. Under GDPR Article 12(5), the first copy of data is provided free of charge. For further copies or manifestly unfounded/excessive requests, a reasonable fee may be charged. Under CCPA, requests must be fulfilled free of charge (twice per 12-month period).