Data Subject Request Procedure

How to receive, process, and respond to data subject access, deletion, and portability requests

Public

Data Subject Request (DSAR) Procedure

Implements: Privacy Policy, GDPR Articles 15-22, CCPA Section 1798.100
Owner: Privacy Officer
Last Updated: 21 May 2026
Next Review: 21 November 2026


Request Channels

DSARs are received via:

  • Email: privacy@maelstrom.au
  • From controllers: the controller forwards the data subject request per DPA terms

Request Types and Responses

Access Request (GDPR Art. 15 / CCPA 1798.100)

What we can provide:

  • Whether we process any data about the requester
  • Categories of data processed (hashed IP, session metadata, nullifiers)
  • Retention periods
  • Processing purposes

What we cannot provide:

  • The requester’s original IP address (we only store SHA-256 hashes, which are not reversible to recover the original address)
  • Verification history linked to a person (sessions are unlinkable by design)
  • Date of birth (never stored; discarded after issuance)

Response: Template letter explaining the zero-knowledge architecture and confirming minimal data processing.

Deletion Request (GDPR Art. 17 / CCPA 1798.105)

What we can delete:

  • Nothing user-specific to delete: we don’t have persistent personal data linked to identifiable individuals
  • Hashed IP logs expire automatically after 90 days; critical security event logs are retained for up to 365 days
  • Challenge sessions expire after 5 minutes

Response: Template letter confirming that Maelstrom AI does not retain personal data that can be linked to the requester, and that all operational data expires automatically.

Portability Request (GDPR Art. 20)

Response: Not applicable. Maelstrom AI does not hold personal data in a structured, commonly used format that could be ported. The zero-knowledge architecture means there is no personal data to export.

Objection / Restriction (GDPR Art. 21 / Art. 18)

Response: The requester can stop using the service. We do not process personal data for profiling, direct marketing, or any purpose the requester could meaningfully object to.


Processing Steps

1. Receive and Log

  • Log the request in the DSAR register with: date received, requester identity/contact, request type, source (direct or via controller)
  • Acknowledge receipt within 2 business days

2. Verify Identity

  1. For direct requests: Request sufficient information to confirm identity (email address associated with the request)
  2. For controller-forwarded requests: The controller has already verified identity
  3. Do NOT request excessive identification documents; we hold minimal data

3. Assess and Respond

  1. Determine which request type applies
  2. Prepare response using the appropriate template
  3. Response deadline: 30 days from receipt (GDPR), 45 days (CCPA)

4. Send Response

  1. Send via email to the requester or the forwarding controller
  2. Use plain language appropriate to the audience
  3. If the requester is a child (or their parent/guardian), adjust language accordingly

5. Close and Record

  • Record the response date, outcome, and any notes in the DSAR register
  • Retain the DSAR register entry for 90 days (audit log retention period); critical security event logs are retained for up to 365 days

DSAR Register

Field             | Description
------------------|------------------------------------------------------
DSAR ID           | DSAR-YYYY-NNN
Date received     | When the request arrived
Source            | Direct / Controller-forwarded
Request type      | Access / Deletion / Portability / Objection
Requester contact | Email or controller reference
Date acknowledged | When we confirmed receipt
Date responded    | When we sent the substantive response
Outcome           | Completed / No data found / Referred to controller
Notes             | Any relevant details