Exercise Your Data Protection Rights
Last updated: June 17, 2026
Your Rights: Under GDPR, CCPA, and UK GDPR, you have rights to access, correct, delete, and port your personal data. This page explains your rights and how to exercise them.
1. Your Rights Under GDPR (EU/EEA/UK)
1.1 Right of Access (Article 15)
What it means: You can request a copy of all personal data we hold about you.
What we provide:
- All personal data we process (account details, usage data, workspace data)
- Purposes of processing
- Categories of personal data
- Recipients of your data (sub-processors)
- Retention periods
- Your rights (including right to complain to supervisory authority)
How to exercise: Use our self-service export tool in account settings, or email privacy@semlypro.com.
1.2 Right of Rectification (Article 16)
What it means: You can correct inaccurate or incomplete personal data.
How to exercise: Update your information directly in account settings, or email privacy@semlypro.com if you cannot correct it yourself.
1.3 Right of Erasure / "Right to be Forgotten" (Article 17)
What it means: You can request deletion of your personal data.
When it applies:
- Data no longer necessary for the purposes collected
- You withdraw consent (where processing was based on consent)
- You object to processing and there are no overriding legitimate grounds
- Data was unlawfully processed
- Legal obligation requires deletion
Exceptions: We may retain data if needed for:
- Compliance with legal obligations (e.g., tax records)
- Establishment, exercise, or defense of legal claims
- Fulfilling contractual obligations (e.g., active subscription)
How to exercise: Use account deletion in settings (deletes all data), or email privacy@semlypro.com for selective deletion.
1.4 Right to Restriction of Processing (Article 18)
What it means: You can limit how we process your data while we investigate accuracy or lawfulness.
When it applies:
- You contest the accuracy of data (we restrict processing until verified)
- Processing is unlawful but you prefer restriction over erasure
- We no longer need the data but you need it for legal claims
- You object to processing (pending verification of legitimate grounds)
How to exercise: Email privacy@semlypro.com with details of why you're requesting restriction.
1.5 Right to Data Portability (Article 20)
What it means: You can receive your data in a machine-readable format and transfer it to another service.
Scope: Data you provided to us (not derived or inferred data), processed automatically based on:
- Your consent, OR
- Performance of a contract
Format: JSON (primary), CSV (for tabular data), or PDF (for reports)
How to exercise: Use the "Export Data" feature in account settings (JSON export), or email privacy@semlypro.com for specific formats.
1.6 Right to Object (Article 21)
What it means: You can object to processing based on legitimate interests or direct marketing.
Direct marketing: Absolute right - we must stop upon request
Legitimate interests: We must stop unless we can demonstrate compelling legitimate grounds that override your interests
How to exercise:
- Marketing: Unsubscribe link in emails or email settings
- Other processing: Email privacy@semlypro.com
1.7 Right Not to Be Subject to Automated Decision-Making (Article 22)
What it means: You can object to decisions based solely on automated processing (including profiling) that produce legal or similarly significant effects.
Does Semly Pro do this? No. We do not make automated decisions that produce legal effects or significantly affect you. AI content generation requires your review and approval before publication.
1.8 Right to Withdraw Consent
What it means: Where processing is based on consent, you can withdraw consent at any time.
Examples at Semly Pro:
- Analytics cookies (withdraw via cookie banner or browser settings)
- Marketing emails (unsubscribe link or email settings)
- Optional data processing (e.g., AI tracking of specific brands)
Effect: Withdrawal does not affect lawfulness of processing before withdrawal.
1.9 Right to Lodge a Complaint
What it means: You can file a complaint with your data protection supervisory authority.
Netherlands (our lead supervisory authority):
Autoriteit Persoonsgegevens (Dutch DPA)
Website: autoriteitpersoonsgegevens.nl/en
Email: info@autoriteitpersoonsgegevens.nl
Phone: +31 (0)70 888 85 00
Other EU countries: Find your supervisory authority at edpb.europa.eu
2. Your Rights Under CCPA (California)
2.1 Right to Know
California residents can request disclosure of:
- Categories of personal information collected
- Categories of sources from which information is collected
- Business or commercial purpose for collecting or selling information
- Categories of third parties with whom we share personal information
- Specific pieces of personal information collected
2.2 Right to Delete
Request deletion of personal information we collected from you, subject to certain exceptions.
2.3 Right to Opt-Out of Sale
We do not sell personal information. There is no opt-out needed because we never sell your data to third parties.
2.4 Right to Non-Discrimination
We will not discriminate against you for exercising your CCPA rights (no denial of service, different pricing, or different quality of service).
3. How to Submit a Request
3.1 Self-Service Tools (Fastest)
For most requests, use our self-service tools:
- Access/Export: Dashboard → Settings → Privacy → Export Data
- Rectification: Dashboard → Settings → Account → Edit details
- Erasure: Dashboard → Settings → Account → Delete Account
- Portability: Dashboard → Settings → Privacy → Export Data (JSON)
- Marketing opt-out: Dashboard → Settings → Notifications → Unsubscribe
- Cookie preferences: Cookie banner (bottom of page) or browser settings
3.2 Email Request
If self-service doesn't work, email privacy@semlypro.com with:
- Subject line: "GDPR Request: [Type of Request]"
- Your details: Name, email address associated with account
- Request type: Access, rectification, erasure, restriction, portability, objection
- Details: Specific information you want (if applicable)
- Verification: We may ask for additional information to verify your identity
3.3 Request Form
Complete our online form: [GDPR Rights Request Form - to be created]
4. Verification Process
4.1 Identity Verification
To prevent unauthorized disclosure of personal data, we verify your identity before fulfilling requests:
- Logged-in users: Automatic verification via authenticated session
- Email requests: We send a verification link to your registered email address
- High-risk requests (e.g., data deletion): May require additional verification (answering security questions, providing government-issued ID)
4.2 Authorized Agent (California)
California residents may use an authorized agent to submit requests. The agent must provide:
- Proof of authorization (power of attorney or written permission)
- Proof of identity (yours and the agent's)
5. Response Timeframes
5.1 GDPR Requests (EU/EEA/UK)
- Standard: Within 1 month (30 days) of receiving request
- Complex requests: May extend by 2 additional months (total 3 months) with explanation
- Urgent requests (e.g., rectification of harmful inaccuracies): Expedited handling
5.2 CCPA Requests (California)
- Standard: Within 45 days of receiving verifiable request
- Extension: May extend by additional 45 days (total 90 days) if needed, with notice
5.3 Acknowledgment
We acknowledge all requests within 48 hours and provide a reference number for tracking.
6. Fees
6.1 Free of Charge
We do not charge fees for most data subject requests.
6.2 Exceptions
We may charge a reasonable fee if:
- Requests are manifestly unfounded or excessive (e.g., 10+ requests in a month)
- You request multiple copies of the same data
If a fee applies, we will notify you of the amount before processing your request. You may then withdraw your request.
7. Refusal to Act
7.1 When We May Refuse
We may refuse requests if:
- We cannot verify your identity after reasonable attempts
- Request is manifestly unfounded or excessive
- Legal obligations require us to retain the data
- Data is needed for establishment, exercise, or defense of legal claims
- Request conflicts with freedom of expression or scientific/historical research
7.2 Explanation
If we refuse a request, we will explain:
- Reasons for refusal
- Your right to complain to a supervisory authority
- Your right to judicial remedy
8. Frequently Asked Questions
Q: How long does data export take?
A: Self-service exports complete within minutes for most accounts. Large accounts (1GB+) may take up to 24 hours. Email requests are processed within 30 days.
Q: Will deleting my account delete all my data?
A: Yes. Account deletion triggers:
- Immediate soft delete (30-day recovery period)
- Hard delete from production databases after 30 days
- Deletion from backups after 90 days
Exception: We retain anonymized, aggregated analytics data that cannot be linked back to you.
Q: Can I request data for another user?
A: No, for privacy reasons. Each user must request their own data. Exception: Parents/guardians may request data for children under 16, or authorized agents may request on behalf of principals (with proof of authorization).
Q: How do I opt out of marketing emails?
A: Click "Unsubscribe" at the bottom of any marketing email, or go to Dashboard → Settings → Notifications → Unsubscribe from all marketing.
Q: Can I transfer my data to a competitor?
A: Yes. Use the data portability right to export your data in JSON format, then import it into another service (if they support it).
Q: What if I disagree with your response to my request?
A: You can:
- Reply to our email to discuss further
- Lodge a complaint with your supervisory authority (see Section 1.9)
- Seek judicial remedy in the courts of your EU Member State
9. Contact Information
Semly Pro Data Protection
Privacy requests: privacy@semlypro.com
Data Protection Officer: dpo@semlypro.com
Address: Amsterdam, Netherlands
Response time: Within 48 hours (acknowledgment), 30 days (full response)
Related legal documents:
Privacy Policy | Data Processing Agreement | Terms of Service