Data Subject Rights Procedure

How to exercise your rights to access, correct, delete, export, restrict, or object to TheAccessible.org's processing of your personal data.

Version
1.0
Published
April 21, 2026
Next review
April 21, 2027
Approved by
Larry Anglin

1. What this page is

This procedure explains how to exercise the rights described in section 9 of our Privacy Policy. It applies to anyone whose personal data we hold, regardless of jurisdiction — we follow the same process for GDPR, UK GDPR, CCPA/CPRA, and similar laws.

2. The rights you have

Subject to applicable law:

  • Access — a copy of the personal information we hold about you.
  • Correct — ask us to fix inaccurate information.
  • Delete — ask us to delete your information ("right to be forgotten").
  • Export / portability — receive your information in a portable, machine-readable format.
  • Restrict — limit certain processing.
  • Object — object to processing that relies on our legitimate interests.
  • Withdraw consent — where we rely on consent.
  • Opt out of sale or sharing — although we do not currently sell or share personal information under CCPA/CPRA.

3. How to submit a request

Email: privacy@theaccessible.org. Subject line: "Data Subject Request".

Include:

  1. The right you are exercising (access, deletion, correction, etc.).
  2. Enough information to identify the account or records — the email address associated with your account is usually sufficient; for some requests we may need additional detail.
  3. A way to verify your identity (see §4).
  4. For authorized-agent requests (§8): proof of authorization.

You may also submit requests from within the Service where we provide self-serve controls (for example, account deletion from profile settings per our Data Retention Policy).

4. Identity verification

We will ask you to verify your identity before acting on a request. The level of verification is proportionate to the sensitivity of the data:

  • Low-risk requests (e.g., "confirm you have my email") — respond from the email address on file.
  • Access, export, or deletion — confirm from the email on file and answer a small number of account-related questions.
  • High-risk requests — additional verification may be required. We will tell you what we need before acting.

If we cannot verify your identity, we will not act on the request. We will explain what additional information would allow us to proceed.

5. What happens after you submit

  1. Acknowledgement — within 5 business days we confirm we received the request and what we need from you.
  2. Substantive response — within 30 calendar days of a complete, verified request. Complex or high-volume requests may be extended once by up to 60 additional days; we will tell you in writing if that applies and why.
  3. Format — unless you ask for something different, we respond by email in plain text plus a machine-readable attachment (JSON or CSV) for access/export requests.

6. Fees

Responses are free. If a request is manifestly unfounded or excessive (for example, repetitive), we may charge a reasonable fee for the administrative cost, or decline — but only in line with applicable law, and we will explain our reasoning.

7. When we may decline or partially respond

We may decline, or respond partially, in situations including:

  • We cannot verify your identity.
  • The request is manifestly unfounded or excessive.
  • Compliance would reveal another person's personal data or trade secrets.
  • A specific legal or tax retention obligation prevents deletion (see the Data Retention Policy §5).
  • The data has already been anonymized and cannot be re-identified.

When we decline, we tell you why and how to appeal or complain — see §10.

8. Authorized agents

You can authorize an agent to make a request on your behalf. We need:

  • Written authorization signed by you.
  • Proof of the agent's identity.
  • Enough information to verify that you are the data subject.

For CCPA/CPRA, we follow the state's specific authorized-agent requirements.

9. Children

The Service is not directed to children under 13 (see Privacy Policy §13). If you believe we hold data about a child, a parent or legal guardian can submit a deletion request through this procedure; we will expedite it and waive identity verification beyond what is necessary to confirm guardianship.

10. If you are not satisfied

You may escalate to a supervisory authority:

  • EEA — the data-protection authority in your member state.
  • UK — the Information Commissioner's Office (ICO).
  • California — the California Privacy Protection Agency (CPPA) or the Office of the Attorney General.
  • Other jurisdictions — your national or regional equivalent.

We would appreciate the chance to address your concern first. Contact us at privacy@theaccessible.org and we will respond promptly.

11. Record-keeping

We keep a log of requests (who, when, what was done) for accountability and to comply with our own audit obligations. These records are minimized and are themselves subject to retention limits described in the Data Retention Policy.

12. Changes

We will update this procedure as our process or the law changes. The effective date appears at the top of this page. Prior versions remain available from the version history link below.

13. Contact

  • Email: privacy@theaccessible.org
  • Postal: [DRAFT — registered business address before publish, same address as the Privacy Policy §15.]