Privacy request
This page is a starter intake flow for privacy rights requests. Your operational process should include identity verification, request logging, response timing, and internal routing.
Use this form for access, deletion, correction, portability, objection, restriction, consent withdrawal, or authorized-agent requests. Do not ask for more personal information than you reasonably need to verify and handle the request.
For many privacy regimes, requests are acknowledged promptly and then processed within the legally applicable timeline. A common benchmark is around 30 to 45 days, but the exact response period depends on the law, the request type, and whether additional time is permitted for complexity or verification.
Verification guidance: Ask only for the information reasonably necessary to verify the requester. Email-based verification may be enough for lower-risk requests, while more sensitive requests may require proportionate additional verification.
Alternate submission methods: Add any other request channels your business must support, such as a dedicated privacy email address, toll-free number, in-account portal, mail form, or in-person option where applicable.
Jurisdiction note: Request rights, deadlines, verification standards, and response obligations can differ by law. Your final workflow should route requests based on the requester location, relationship to the business, and request type.
Alternate contact placeholders: Add your privacy email, toll-free number, mailing address, and any in-account request channel here so users can choose a submission path that matches your legal obligations and business model.
Appeal rights note: Some U.S. state privacy laws require a clear way to appeal denied requests. If your business is subject to those laws, explain how a requester can appeal, how quickly appeals should be submitted, and where complaints may be directed if the appeal is denied.
Identity proofing note: Use the least intrusive verification step that reasonably matches the request risk. Start with existing account or email-channel checks when possible, and only escalate to stronger proofing for higher-risk or sensitive requests.
Retention note: Any extra information collected only for verification should be stored securely, access-limited, and deleted or restricted once the verification process is complete and your policy allows.