Data Subject Rights
Taloflow supports all data subject rights under GDPR Articles 15–22. The table below summarizes each right, its technical implementation, and how to exercise it.
Rights Summary
| Right | GDPR Article | Technical implementation | How to exercise |
| --- | --- | --- | --- |
| Right to Access | Art. 15 | Users can view and export their profile and evaluation data via the platform | Log in and use the export functionality; contact [email protected] for a full data export |
| Right to Rectification | Art. 16 | Users can update profile information directly in the platform | Update via account settings; changes propagate to Auth0 and the database |
| Right to Erasure | Art. 17 | Account deletion triggers cascading removal across Auth0, database, cache, and S3 | Contact [email protected] with a deletion request |
| Right to Data Portability | Art. 20 | Evaluation data is exportable in machine-readable formats (PDF, Excel) | Use Export to PDF or Export to Excel in the platform |
| Right to Restrict Processing | Art. 18 | Account suspension halts processing while retaining data | Contact [email protected] |
| Right to Object | Art. 21 | Users can opt out of non-essential processing (session/audit tracking) | Contact [email protected] |
| Right Not to Be Subject to Automated Decision-Making | Art. 22 | No automated decisions with legal effect are made about users | Not applicable — Taloflow is a decision-support tool; all decisions are human-made |
Erasure: Technical Detail
When an account deletion request is processed, the following steps are executed in order:
1. Auth0 account deleted — removes identity and authentication data
2. Database cascade — removes user references across the entity, group_detail, policy_history, tag_history, user_session, and audit_event tables
3. Cache invalidation — Redis cache entries become unreadable after encryption key deletion (encryption-based erasure)
4. S3 data removal — evaluation documents associated solely with the deleted user are removed; shared evaluation data is anonymized (member_id references removed)
5. Backup handling — deleted data ages out of backup retention windows (maximum 1 year)
Cache erasure is enforced cryptographically: because Redis entries are encrypted with a per-user key, deleting the key renders the cached data permanently unreadable without requiring explicit cache purges.
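
The encryption-based cache erasure described above, as an added Ruby example that is not Taloflow's code. The class name, the use of AES-256-GCM, the cache key names, and the in-memory hashes standing in for Redis and the key store are all assumptions.

```ruby
require "openssl"

# Hypothetical in-memory stand-ins for a per-user key store and a Redis cache.
class ShreddableCache
  class KeyErased < StandardError; end

  NONCE_LEN = 12 # AES-GCM nonce length in bytes
  TAG_LEN = 16   # AES-GCM authentication tag length in bytes

  attr_reader :entries

  def initialize
    @keys = {}    # user id => 32-byte AES-256 key (the only secret)
    @entries = {} # cache key => nonce + tag + ciphertext
  end

  # Encrypt value under the user's key; the cache key is bound as associated data.
  def put(user, cache_key, value)
    cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
    cipher.key = (@keys[user] ||= OpenSSL::Random.random_bytes(32))
    nonce = cipher.random_iv
    cipher.auth_data = cache_key
    ciphertext = cipher.update(value) + cipher.final
    @entries[cache_key] = nonce + cipher.auth_tag + ciphertext
  end

  # Decrypt an entry; raises KeyErased once the user's key is gone.
  def get(user, cache_key)
    key = @keys[user] or raise KeyErased, "user key deleted: cached entry unreadable"
    raw = @entries[cache_key] or return nil
    cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
    cipher.key = key
    cipher.iv = raw.byteslice(0, NONCE_LEN)
    cipher.auth_tag = raw.byteslice(NONCE_LEN, TAG_LEN)
    cipher.auth_data = cache_key
    body = raw.byteslice(NONCE_LEN + TAG_LEN, raw.bytesize)
    (cipher.update(body) + cipher.final).force_encoding("UTF-8")
  end

  # Erasure deletes only the key; ciphertext may stay cached until its TTL.
  def erase_user(user)
    !@keys.delete(user).nil?
  end
end
```

After `erase_user`, the ciphertext is still present in `entries` but no code path can decrypt it, which is why the erasure holds only if every copy of the key is deleted.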
Data Retention
| Data type | Retention period | Deletion trigger |
| --- | --- | --- |
| User account data | Duration of account + 30 days | User deletion request or account closure |
| Auth0 cached profiles (Redis) | TTL-based (configurable) | Cache expiry or key rotation |
| Evaluation data | Duration of workspace membership | User request or workspace deletion |
| Session logs | 90 days | Automated purge |
| Audit events | 1 year | Automated purge |
| Database backups | Daily: 30d / Weekly: 90d / Monthly: 1y | Automated rotation |
| Application logs | 90 days online, 1 year archive | Automated rotation |
Data present in backups at the time of a deletion request will age out within the applicable backup retention window. Taloflow does not restore deleted data from backups absent a legal hold.
Contact
For any data subject rights requests, email [email protected]. Requests are acknowledged within 72 hours and fulfilled within the 30-day window required by GDPR Art. 12.