DSR / Opt-Out Response Playbook¶
How we handle data subject requests (DSRs) across the 7 regimes we support. Requests arrive via the Opt-Out portal at huskydata.io/company/opt-out → n8n webhook → Telegram notify.
Scope — regimes supported¶
| Regime | Jurisdiction | Legal basis for response |
|---|---|---|
| GDPR | EU / UK | Articles 15-22 |
| CCPA / CPRA | California, USA | Cal. Civ. Code §1798.100 et seq. |
| PDPA | Singapore | Personal Data Protection Act 2012 |
| PDPA | Thailand | Personal Data Protection Act B.E. 2562 |
| DPDP | India | Digital Personal Data Protection Act 2023 |
| Privacy Act | Australia | Australian Privacy Principles (APPs) |
| "Generic / other" | Anywhere | Goodwill / best-effort response |
Response SLAs¶
Drive by strictest applicable regime; 30 days is our standard commitment.
| Regime | Required response time | Our commitment |
|---|---|---|
| GDPR | 30 days (extendable to 90 with notice) | 30 days |
| CCPA | 45 days (extendable to 90 with notice) | 30 days |
| PDPA-SG | 30 days | 30 days |
| PDPA-TH | 30 days | 30 days |
| DPDP | "As soon as possible" (rule TBD) | 30 days |
| Privacy Act AU | 30 days | 30 days |
Request types supported (per portal)¶
- Access — "what data do you have on this MAID?"
- Deletion / erasure — remove from all segments
- Do not sell / opt-out of sale — CCPA-specific but honored universally
- Correction / rectification — limited applicability; MAID data isn't verifiable to a person
- Data portability — export machine-readable
- Consent withdrawal — DPDP / PDPA specific
- Complaint / other
Incoming request workflow¶
Opt-Out portal submission
↓
n8n webhook (n8n.huskydata.io)
↓
Telegram notification to @BenjaminWong (id: 188021034)
↓
Triage within 24h
↓
Response within 30 days
Triage checklist (within 24h of Telegram ping)¶
- Open n8n execution log — confirm request persisted
- Acknowledge receipt via email (use templates below)
- Classify regime + request type
- Log in DSR tracker (currently: the n8n Data Table; see ADR-0002)
- If MAID provided: queue for deletion/suppression in next segment refresh
- If MAID not provided + identity not verifiable: request MAID via email reply, else reply with limitation explanation
MAID suppression (deletion / do-not-sell)¶
Technical process (outline — full runbook in engineering docs):
- Receive MAID(s) from requester
- Validate format (GAID: IDFA 8-4-4-4-12 UUID, Android: lowercase hex)
- Add to internal suppression list
- Propagate to all segment exports in next refresh cycle (monthly)
- Confirm to requester once propagation completes
Commitment communicated externally: "within 30 days." Actual technical latency: up to one refresh cycle (currently monthly).
Response templates¶
Access request acknowledgement¶
Subject: Husky Data — Your data access request
Dear [name],
We acknowledge receipt of your data access request dated [date]. We are processing it under [regime] and will respond within 30 days (by [date + 30]).
To process your request, we may need the specific Mobile Advertising ID (MAID / GAID / IDFA) associated with the devices you're inquiring about. If you have not already provided this, please reply with the MAID(s) and the approximate timeframe of use.
Husky Data is a business-to-business audience data provider and does not process names, email addresses, phone numbers, or other directly identifiable personal information. Our records are indexed by MAID only.
Regards,
[signer]
Husky Data
Deletion / do-not-sell confirmation¶
Subject: Husky Data — Your opt-out request has been processed
Dear [name],
We confirm that the MAID(s) you provided on [date] have been added to our suppression list. Going forward, these identifiers will be excluded from all Husky Data audience segments and syndication to our distribution partner Eyeota (part of Dun & Bradstreet Audience Solutions).
Please note that data previously syndicated prior to your request may persist in our partners' systems according to their own refresh cycles. If you wish to request removal from those partners directly, their DSR portals are:
- Eyeota (Dun & Bradstreet): [link]
- (etc., as applicable)
If you believe any segment still contains your identifier 45+ days after this confirmation, please reply to this email.
Regards,
[signer]
Husky Data
Limitation response (MAID not provided / not verifiable)¶
Subject: Husky Data — Your data request
Dear [name],
Thank you for your request dated [date]. Husky Data operates as a business-to-business provider of anonymous mobile audience data. Our records are indexed solely by Mobile Advertising ID (MAID) — we do not hold names, email addresses, phone numbers, or other directly identifiable information.
As such, we can only process requests tied to specific MAIDs. If you are able to provide the MAID(s) associated with your devices, we will process your request within 30 days of receipt.
To locate your device MAID:
- iOS: Settings → Privacy & Security → Tracking (IDFA shown if enabled)
- Android: Settings → Google → Ads (advertising ID shown)
If you prefer a universal opt-out, you may also reset your advertising ID at the device level, which will prevent new signal attribution going forward.
Regards,
[signer]
Husky Data
Edge cases¶
- Request from a country not in our 7-regime scope — respond with goodwill best-effort; treat as generic, honor deletion requests, don't over-commit to legally binding SLAs outside our formal scope
- Request referencing a specific segment name — still process as deletion; our system doesn't support "remove from segment X but keep in segment Y" at MAID level
- Bulk / automated requests — validate source; respond individually for manual submissions; flag for engineering if bot-driven
- Procurement-side request (a customer asking on behalf of their end users) — ask for confirmation that the customer has authority to request; respond per customer's direction
- Regulator-initiated inquiry — escalate to CEO immediately; do not respond without legal review
What we do NOT do¶
- ✗ Share internal segment membership or modeling details (proprietary)
- ✗ Confirm or deny whether a specific person (by name) is in our data (we don't have names)
- ✗ Apologize for "holding personal data" (we don't hold PII — be precise)
- ✗ Commit to removal from partner systems we don't control (redirect to their DSR channels)
Metrics (quarterly review)¶
- DSR volume by regime
- DSR volume by request type
- Response time p50 / p95
- Any requests breaching 30-day SLA (should be 0)
- Any repeat requesters (signal of process friction)
Related¶
- ADR-0002: Self-host n8n on Zeabur
- Opt-Out portal: huskydata.io/company/opt-out
- Glossary: MAID, DSR, PDPA, DPDP, CCPA, GDPR