Owner: General Counsel (Privacy Officer)
Effective Date: May 8, 2026
Reviewed: Annually
Frameworks: GDPR Arts. 15–22; CCPA/CPRA; US state privacy laws. Implements the Data Management Policy and Privacy Notice.
The operational procedure for handling Data Subject Requests (DSRs / DSARs) — the rights granted to individuals under GDPR Articles 15-22, CCPA/CPRA (Cal. Civ. Code §§1798.100-130), and the comprehensive state privacy laws of Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, Iowa, Delaware, Indiana, New Jersey, New Hampshire, Kentucky, Maryland, Minnesota, Rhode Island, and Tennessee. This procedure implements the Data Management Policy and the public Privacy Notice.

Rights covered

Depending on the requester’s jurisdiction and the legal basis Neuroscale relies on, one or more of the following rights apply:
RightGDPRCCPA/CPRAState laws (CO/CT/VA/etc.)
Access / “know” (copy of personal data and processing details)Art. 15§1798.100, §1798.110Yes
Deletion / “right to be forgotten”Art. 17§1798.105Yes
Correction / rectificationArt. 16§1798.106Yes
Portability (machine-readable export)Art. 20§1798.130Most
Opt-out of sale or sharing§1798.120Yes
Opt-out of targeted advertising(CPRA)Yes
Opt-out of profiling / automated decision-making with legal or similarly significant effectsArt. 22(CPRA regs)CO, CT, others
Restriction of processingArt. 18
Object to processingArt. 21Limited
Withdraw consent (where consent is the legal basis)Art. 7(3)Yes
Non-discrimination for exercising rights§1798.125Yes
Appeal of denied requestYes (CO, CT, VA, others)

Receipt channels

Neuroscale accepts DSRs via any reasonable channel: A “Do Not Sell or Share My Personal Information” link and a “Limit the Use of My Sensitive Personal Information” link are maintained on the public site footer per CPRA §1798.135.

Triage and routing

StepOwnerSLA
1. Receipt logged in the DSR trackerGeneral Counsel (Privacy Officer)Same business day
2. Initial classification (right requested, jurisdiction, role)General Counsel (Privacy Officer)2 business days
3. Identity verificationGeneral Counsel (Privacy Officer)5 business days
4. Engineering ticket opened in Linear (#privacy queue)General Counsel (Privacy Officer)After verification
5. Engineering executes (locate, export, correct, or delete)Engineering Lead / data ownerPer overall timeline
6. CISO confirms deletion is complete and verifiable (including backups) for delete requestsCISOBefore response
7. Response sent to requesterGeneral Counsel (Privacy Officer)Per timeline below
8. Record closed in tracker; evidence filedGeneral Counsel (Privacy Officer)At close
The DSR tracker lives in the DSR Tracker project in Linear.

Identity verification

Verification is proportionate to the sensitivity of the data and the risk of unauthorized disclosure (GDPR Art. 12(6); CCPA regs §7060-7062). Default rules:
  • Anonymous browser data only (cookies, opt-out signals, GPC) — do not require login or additional verification; honor by signal.
  • Account-holder data — require sign-in to the account plus MFA. No additional ID needed.
  • Customer-employee data submitted by an employee of a customer — verify via the customer’s SSO; route to the customer (Neuroscale is processor — see On-behalf-of-end-user requests).
  • Neuroscale employee or contractor data — require Rippling + MFA; coordinate with CHRO. See Employee Privacy Policy.
  • Sensitive data, deletion of high-risk records, or no available account — request a government-issued ID (matched to the data on file and then immediately destroyed) plus a signed declaration under penalty of perjury, per CCPA regs §7062(b).
  • Authorized agents — require (i) written, signed statement of authority from the data subject (or a power of attorney), and (ii) the agent’s own identity verification, and (iii) where the agent is a business, evidence of California Secretary of State registration if claiming under CCPA. Neuroscale may also contact the data subject directly to confirm.
If verification fails, Neuroscale will request additional information once. If still not verified, the request is closed as “unable to verify” with notice to the requester and a record retained.
Do not collect more identifying information than is necessary to verify. Any identity documents collected for verification are deleted within 30 days of verification (or sooner once verification is complete).

Timelines

GDPR / CCPA baseline:
RegimeInitial responseExtensionNotice required
GDPR / UK GDPR30 calendar days+60 days for complex requestsYes — within initial 30 days, with reasons
CCPA / CPRA45 calendar days+45 days when reasonably necessaryYes — within initial 45 days. No statutory appeal mechanism (complaints go to the CPPA / AG).
US comprehensive state privacy laws — per-state initial deadline and appeal window. Verify against the current statute at intake; new states are added to this table as laws take effect. Unless noted, the initial response deadline is 45 calendar days with a +45-day extension where reasonably necessary, the clock starts on receipt, and notice of any extension or denial is given within the initial period.
State (law)Initial responseExtensionAppeal window (after denial)
Virginia (VCDPA)45 days+4560 days
Colorado (CPA)45 days+4545 days
Connecticut (CTDPA)45 days+4560 days
Utah (UCPA)45 days+45No statutory appeal right
Texas (TDPSA)45 days+4560 days
Oregon (OCPA)45 days+4545 days
Montana (MCDPA)45 days+4560 days
Iowa (ICDPA)90 days+45No statutory appeal right
Delaware (DPDPA)45 days+4560 days
Indiana (INCDPA)45 days+4560 days
New Jersey (NJDPA)45 days+4545 days
New Hampshire (NHPA)45 days+4560 days
Kentucky (KCDPA)45 days+4560 days
Maryland (MODPA)45 days+4560 days
Minnesota (MCDPA)45 days+4545 days
Rhode Island (RIDTPPA)45 days+45No express appeal mechanism — treat as 45 days and route complaints to the AG
Tennessee (TIPA)45 days+4560 days
Appeal mechanics: the appeal must be reviewed and a written decision with reasons returned within the appeal window above; if the appeal is denied, the response must provide a method to contact the state Attorney General. Iowa’s 90-day initial deadline is the outlier — flag Iowa requests at classification (triage step 2) so the longer clock is set correctly. Clocks start on the date the request is received, not the date verification completes — except where state law specifies otherwise. If verification takes time, document it in the tracker.

Response content

Responses include:
  • The action taken (or refusal with grounds).
  • For access requests, the data in a portable, machine-readable format (typically JSON or CSV) covering the prior 12 months by default; longer where the requester asks and where it is feasible.
  • The categories of personal data, sources, business or commercial purposes, categories of recipients, and retention periods (CCPA §1798.110).
  • Statement of any rights the requester has not yet exercised (right to delete, right to opt-out, etc.).
  • The right to appeal (where applicable) and the procedure for doing so.

Refusal grounds

Neuroscale may refuse, charge a reasonable fee for, or limit a response when a request is manifestly unfounded or excessive (GDPR Art. 12(5)) — for example, repetitive requests — or when a statutory exemption applies, including:
  • Conflicts with legal obligations Neuroscale must comply with.
  • The data is necessary to detect security incidents or prosecute fraud (CCPA §1798.105(d)(2)).
  • Compliance with a legal claim, exercise of free expression, scientific research with appropriate safeguards, or other GDPR Art. 17(3) / CCPA §1798.105(d) exemptions.
  • Identity cannot be verified after a reasonable opportunity.
  • The request would require disclosure of trade secrets or another individual’s personal data that cannot be redacted.
A refusal is communicated in writing with the specific reasons and the requester’s right to appeal, complain to the supervisory authority (GDPR — the lead DPA; CCPA — the California Privacy Protection Agency or AG; state AGs), or seek judicial remedy.

Records and retention

The DSR tracker captures, for each request:
  • Date received, date verified, date closed.
  • Channel of receipt and jurisdiction.
  • Right(s) requested and outcome.
  • Verification method.
  • Materials sent to the requester (linked).
  • Internal tickets and approvers.
Records are retained for 6 years from closure (exceeds GDPR’s 3-year statute of limitations and most state-law audit windows). See Records Retention Schedule.

Profiling / ADMT opt-out handling

Opt-outs of profiling and automated decision-making (GDPR Art. 22; CPRA ADMT regulations, operative Jan 1, 2027; Colorado, Connecticut, and other state profiling opt-outs) are actioned as follows:
  1. Classify the request as a profiling/ADMT opt-out at triage step 2 (it is distinct from a sale/share or targeted-advertising opt-out and is logged as its own right in the tracker).
  2. Determine the role. Where the profiling occurs in a Customer’s workspace (Neuroscale = processor), route to the Customer per On-behalf-of-end-user requests — the Customer, as deployer/controller, owns the human-oversight and alternative-process decision. Where Neuroscale is the controller (e.g., Sourcing Database ranking/scoring under ROPA C-05), Neuroscale actions it directly.
  3. Apply the opt-out. The Engineering Lead sets the data subject’s profiling/ADMT exclusion flag in the relevant system so the individual is removed from automated ranking/scoring/evaluation, and any decision with a legal or similarly significant effect is routed to human review per the Employment-AI Bias-Audit and Disparate-Impact Testing Procedure (human-oversight controls).
  4. Confirm and record the exclusion to the requester, with the date applied, and retain the evidence in the DSR tracker.
For AEDT/employment-AI features, the deployer-side notice, opt-out, and alternative-selection-process obligations sit with the Customer; Neuroscale’s role is to make the exclusion technically effective and to maintain the human-oversight pathway.

On-behalf-of-end-user requests (processor role)

When Neuroscale processes personal data on behalf of a customer (Neuroscale = processor; customer = controller / business), and a request from the customer’s end user reaches Neuroscale directly, the procedure is:
  1. Acknowledge receipt to the requester within 10 business days.
  2. Confirm whether the data subject is the customer’s end user (vs. a Neuroscale account holder).
  3. Forward the request to the customer’s designated DPA contact and the customer’s privacy point of contact.
  4. Assist the customer in fulfilling the request as required by the Customer DPA (including SCCs Module Two/Three obligations) — typically by providing exports, executing deletions, or honoring opt-outs at the customer’s documented instruction.
  5. Do not act unilaterally on the data; do not respond substantively to the requester beyond directing them to the customer.
Customer-initiated requests (the customer asking Neuroscale to action a request on its end user’s behalf) follow the same workflow but are tracked under the customer’s account in the tracker.

Employee DSRs

Requests from Neuroscale employees, contractors, applicants, and former workers are routed through the CHRO’s office in coordination with the General Counsel (Privacy Officer). Verification is via Rippling + MFA where possible; otherwise government-issued ID. Special considerations:
  • Personnel files contain records subject to longer retention (FLSA, EEOC, ERISA) — the Records Retention Schedule and litigation-hold register override deletion. See Records Retention Schedule.
  • Performance and disciplinary records may be withheld under exemptions for management’s deliberative processes and records relating to ongoing investigations.
  • Health-related records collected under ADA, FMLA, or workers’ comp are kept separate and may be subject to separate access procedures under those statutes.
See the Employee Privacy Policy for the full scope of employee data Neuroscale collects and how it is used.

Roles and responsibilities

RoleResponsibility
General Counsel (Privacy Officer; also acting as voluntary DPO — see DPO independence note)Owns DSR program; first reviewer; sole approver of refusals and extensions; signs response. If Art. 37 mandatory DPO is later triggered, an independent DPO is retained.
CHRORoutes employee DSRs; verifies employment-data exemptions
CISOConfirms deletions are technically complete (including backups, logs, derived data); approves identity-verification exceptions for high-risk data
Engineering LeadTasks engineers to locate, export, correct, or delete data
Customer Success (today: CTO; see alias map)Coordinates customer-routed requests where Neuroscale is processor

Cross-references

Version history

VersionDateDescriptionAuthorApproved by
1.0May 8, 2026Initial versionCameron WolfeIshan Jadhwani