GDPR Compliance
Data export, erasure, consent management, and privacy tools.
Gatherly provides comprehensive tools to help you comply with the EU General Data Protection Regulation (GDPR).
Data Subject Rights
Right of Access (Article 15)
Export all data associated with a user:
- Go to Settings > Privacy
- Click Export My Data
- Download the JSON file
Export includes:
- Profile information
- Organization data
- Clients (for organization users)
- Intakes and documents metadata
- Signatures and certificates
- Audit logs
- Notification history
- Consent records
Right to Erasure (Article 17)
Request account deletion:
- Go to Settings > Privacy
- Click Delete My Account
- Confirm your decision
What happens:
- Your account is soft-deleted and held for a 30-day grace period before the deletion is finalized
- Audit logs and notifications are anonymized in cascade: the rows are kept, the personal data in them is replaced with placeholders
- Your Supabase Auth account is deleted
- Signature certificates are preserved, because they are retained for legal compliance
Client data erasure:
- Clients can request that their data be deleted
- Documents on legal hold are skipped and left unchanged
- Anonymization replaces PII with placeholders rather than deleting the records
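The deletion flow above (soft delete with a grace period, then cascade anonymization that keeps rows but scrubs PII, skips documents on legal hold and leaves signature certificates alone) as an added Python example. This is not Gatherly's own code: the table and column names, the placeholder value and the in-memory `auth_accounts` set standing in for the Supabase Auth user store are all assumptions, and the sample data is constructed.

```python
"""Account erasure: soft delete, 30-day grace period, cascade anonymization.

Added example, not Gatherly's code. Table/column names, the placeholder text
and the auth_accounts stand-in for Supabase Auth are assumptions.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

GRACE_PERIOD = timedelta(days=30)
# Assumed PII column names and the placeholder written in their place.
PII_FIELDS = {"name", "email", "phone", "ip_address", "user_agent"}
PLACEHOLDER = "[redacted]"
# Fixed clock for the demo (constructed, not real timestamps).
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
DAY = timedelta(days=1)


def request_deletion(db: dict, user_id: str, now: datetime) -> datetime:
    """Soft delete: mark the account and return when the purge becomes due."""
    user = db["users"][user_id]
    if user.get("deleted_at") is None:  # idempotent: a second request keeps the first date
        user["deleted_at"] = now
    return user["deleted_at"] + GRACE_PERIOD


def _scrub(record: dict) -> int:
    """Overwrite PII fields in place; return how many fields were replaced."""
    replaced = 0
    for key in PII_FIELDS.intersection(record):
        if record[key] != PLACEHOLDER:
            record[key] = PLACEHOLDER
            replaced += 1
    return replaced


def anonymize_user(db: dict, user_id: str) -> dict:
    """Cascade anonymization once the grace period has elapsed.

    - profile, audit logs, notifications: PII replaced, rows kept
    - documents under legal hold: skipped untouched
    - signature certificates: preserved unchanged
    - auth account: removed (stand-in for the Supabase Auth deletion)
    """
    summary = {"scrubbed": 0, "skipped_legal_hold": 0, "certificates_kept": 0}
    user = db["users"][user_id]
    summary["scrubbed"] += _scrub(user)
    for table in ("audit_logs", "notifications"):
        for row in db[table]:
            if row["user_id"] == user_id:
                summary["scrubbed"] += _scrub(row)
    for doc in db["documents"]:
        if doc["user_id"] != user_id:
            continue
        if doc.get("legal_hold"):
            summary["skipped_legal_hold"] += 1
            continue
        summary["scrubbed"] += _scrub(doc)
    summary["certificates_kept"] = sum(
        1 for cert in db["signature_certificates"] if cert["user_id"] == user_id
    )
    db["auth_accounts"].discard(user_id)
    user["anonymized"] = True
    return summary


def purge_due(db: dict, now: datetime) -> list[str]:
    """Anonymize every soft-deleted user whose grace period has passed."""
    done = []
    for uid, user in db["users"].items():
        deleted_at = user.get("deleted_at")
        if deleted_at and not user.get("anonymized") and now >= deleted_at + GRACE_PERIOD:
            anonymize_user(db, uid)
            done.append(uid)
    return done


def sample_db() -> dict:
    """Constructed sample data, not real user data."""
    return {
        "users": {"u1": {"id": "u1", "name": "Ada Example", "email": "ada@example.com"}},
        "auth_accounts": {"u1"},
        "audit_logs": [{"user_id": "u1", "action": "login",
                        "ip_address": "203.0.113.7", "user_agent": "Mozilla/5.0"}],
        "notifications": [{"user_id": "u1", "email": "ada@example.com", "subject": "Welcome"}],
        "documents": [
            {"id": "d1", "user_id": "u1", "name": "Ada Example", "legal_hold": True},
            {"id": "d2", "user_id": "u1", "name": "Ada Example", "legal_hold": False},
        ],
        "signature_certificates": [{"user_id": "u1", "signer_name": "Ada Example", "pem": "..."}],
    }


if __name__ == "__main__":
    db = sample_db()
    print("purge due at", request_deletion(db, "u1", T0))
    print("day 10:", purge_due(db, T0 + 10 * DAY))  # nothing yet
    print("day 30:", purge_due(db, T0 + 30 * DAY))  # ['u1']
    print(db["documents"])  # d1 untouched (legal hold), d2 scrubbed
```

The summary counts are what you would surface in the privacy dashboard and in the reply to the data subject: how many records were scrubbed, how many were skipped because of a legal hold, and that the certificates were deliberately kept.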
Right to Rectification (Article 16)
Update your personal data:
- Go to Settings > Profile
- Edit your information
- Save changes
All changes are tracked in the audit log with before/after values (sensitive fields are masked).
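An added Python example of how a rectification can be written to the audit log with before/after values while masking sensitive fields. It is not Gatherly's implementation: the set of sensitive fields, the mask string and the keyed fingerprint (an HMAC under a server-side key, so an investigator can confirm a suspected value without the log ever holding it in clear) are design assumptions, and the sample update is constructed.

```python
"""Rectification audit entries with masked sensitive fields.

Added example, not Gatherly's own code. SENSITIVE_FIELDS, the mask string and
the keyed fingerprint are assumptions about how masking could be done.
"""
from __future__ import annotations

import hashlib
import hmac

# Assumed: fields whose values must never appear in the audit log in clear.
SENSITIVE_FIELDS = {"email", "phone", "tax_id", "date_of_birth"}
MASK = "***"
# Assumed: a server-side key kept out of the audit store. Holders of the key can
# confirm a suspected value against a fingerprint; without it the fingerprint
# reveals nothing, unlike a plain unsalted hash of an e-mail address.
AUDIT_HMAC_KEY = b"replace-with-a-managed-secret"


def fingerprint(value) -> str | None:
    """Keyed, truncated HMAC-SHA256 of a value (None stays None)."""
    if value is None:
        return None
    mac = hmac.new(AUDIT_HMAC_KEY, str(value).encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:16]


def audit_diff(before: dict, after: dict, sensitive=SENSITIVE_FIELDS) -> list[dict]:
    """List changed fields with before/after values, masking sensitive ones.

    Unchanged fields are omitted; a field added or removed shows None on one side.
    """
    changes = []
    for key in sorted(before.keys() | after.keys()):
        old, new = before.get(key), after.get(key)
        if old == new:
            continue
        if key in sensitive:
            changes.append({
                "field": key,
                "before": MASK if old is not None else None,
                "after": MASK if new is not None else None,
                "before_fp": fingerprint(old),
                "after_fp": fingerprint(new),
            })
        else:
            changes.append({"field": key, "before": old, "after": new})
    return changes


def matches(entry_fp: str | None, candidate) -> bool:
    """Confirm a suspected value against a stored fingerprint in constant time."""
    fp = fingerprint(candidate)
    return entry_fp is not None and fp is not None and hmac.compare_digest(entry_fp, fp)


def profile_update_demo() -> list[dict]:
    """Constructed sample: the user fixes a typo in their name and changes e-mail."""
    before = {"name": "Ada Exmaple", "email": "ada@example.com", "phone": "+1 555 0100"}
    after = {"name": "Ada Example", "email": "ada@example.org", "phone": "+1 555 0100"}
    return audit_diff(before, after)


if __name__ == "__main__":
    for change in profile_update_demo():
        print(change)
```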
Right to Restrict Processing (Article 18)
Request processing restrictions:
- Go to Settings > Privacy
- Toggle Restrict Processing
When restricted:
- No marketing communications
- No analytics tracking
- No profiling activities
Right to Object (Article 21)
Object to specific processing activities:
- Go to Settings > Privacy
- Select objection types:
  - Marketing
  - Analytics
  - Profiling
  - Legitimate interest
Related notifications and processing are automatically disabled.
Right to Data Portability (Article 20)
Export data in machine-readable format:
- JSON export available
- Includes all personal data
- Document content available on request
Consent Management
Recording Consent
Gatherly records consent for:
- Terms of Service
- Privacy Policy
- Marketing communications
- Analytics cookies
- Essential cookies
- Data processing
- Third-party sharing
Each consent record includes:
- Timestamp
- Consent version
- IP address
- User agent
- Text hash for verification
Withdrawing Consent
To withdraw consent:
- Go to Settings > Privacy
- Find the consent type
- Toggle off or click Withdraw
Withdrawal is logged and takes effect immediately.
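The consent record described above (timestamp, version, IP address, user agent and a hash of the consent text) and the withdrawal flow, as an added Python example. The point of the text hash is that the record binds the user to one exact wording: if the stored policy text for that version is ever edited after the fact, verification of the record fails. This is not Gatherly's code; the `CONSENT_TEXTS` registry, the record field names and the whitespace/Unicode canonicalization are assumptions, and the consent wordings are constructed placeholders.

```python
"""Consent records bound to the exact text agreed to, plus withdrawal.

Added example, not Gatherly's own code. The CONSENT_TEXTS registry, the record
field names and the canonicalization rule are assumptions.
"""
from __future__ import annotations

import hashlib
import unicodedata
from datetime import datetime, timezone

# Assumed registry of consent wordings keyed by (consent type, version). In a
# real deployment this is the versioned policy store; the texts are constructed.
CONSENT_TEXTS: dict[tuple[str, str], str] = {
    ("marketing", "2024-03"): "I agree to receive marketing emails from Gatherly.",
    ("marketing", "2024-09"): "I agree to receive marketing emails and SMS from Gatherly.",
    ("analytics", "2024-03"): "I allow Gatherly to collect anonymous usage analytics.",
}


def text_hash(text: str) -> str:
    """SHA-256 over a canonical form of the consent text.

    Unicode is NFC-normalised and runs of whitespace collapsed, so a re-rendered
    page (different line wrapping, re-encoded quotes) still hashes the same,
    while any change to the words does not.
    """
    canonical = " ".join(unicodedata.normalize("NFC", text).split())
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def _latest(log: list[dict], user_id: str, consent_type: str) -> dict | None:
    """Most recent record for this user and consent type (the log is append-only)."""
    for rec in reversed(log):
        if rec["user_id"] == user_id and rec["consent_type"] == consent_type:
            return rec
    return None


def record_consent(log, user_id, consent_type, version, ip, user_agent, now=None) -> dict:
    """Append a grant record; raises KeyError for a version that was never published."""
    text = CONSENT_TEXTS[(consent_type, version)]
    rec = {
        "user_id": user_id,
        "consent_type": consent_type,
        "version": version,
        "granted": True,
        "timestamp": (now or datetime.now(timezone.utc)).isoformat(),
        "ip_address": ip,
        "user_agent": user_agent,
        "text_hash": text_hash(text),
    }
    log.append(rec)
    return rec


def withdraw_consent(log, user_id, consent_type, ip, user_agent, now=None) -> dict:
    """Withdrawal is a new record, not an edit: it takes effect at once and stays logged."""
    last = _latest(log, user_id, consent_type)
    rec = {
        "user_id": user_id,
        "consent_type": consent_type,
        "version": last["version"] if last else None,
        "granted": False,
        "timestamp": (now or datetime.now(timezone.utc)).isoformat(),
        "ip_address": ip,
        "user_agent": user_agent,
        "text_hash": last["text_hash"] if last else None,
    }
    log.append(rec)
    return rec


def has_consent(log, user_id, consent_type) -> bool:
    """True only if the most recent record for this type is a grant."""
    last = _latest(log, user_id, consent_type)
    return bool(last and last["granted"])


def verify_record(rec: dict, texts=CONSENT_TEXTS) -> bool:
    """Check that the wording stored for rec's version still hashes to rec['text_hash'].

    A mismatch means the policy text was edited after consent was taken or the
    record was altered; either way the record no longer proves what was agreed.
    """
    text = texts.get((rec["consent_type"], rec["version"]))
    return text is not None and text_hash(text) == rec["text_hash"]


if __name__ == "__main__":
    log: list[dict] = []
    rec = record_consent(log, "u1", "marketing", "2024-03", "203.0.113.7", "Mozilla/5.0")
    print("verifies:", verify_record(rec))
    withdraw_consent(log, "u1", "marketing", "203.0.113.7", "Mozilla/5.0")
    print("still consented:", has_consent(log, "u1", "marketing"))
```

Because grants and withdrawals are both appended rather than overwritten, the log answers both questions a regulator asks: what the user had agreed to at any given time, and exactly when it was withdrawn.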
Privacy Preferences
Configure your privacy settings:
| Setting | Description |
|---|---|
| Marketing emails | Receive promotional content |
| Analytics | Allow usage analytics |
| Notification emails | Receive system notifications |
Breach Notification (Articles 33/34)
Administrators can report data breaches:
- Go to Settings > Privacy > Report Breach
- Enter breach details:
  - Description
  - Severity (low, medium, high, critical)
  - Affected data types
  - Estimated affected users
  - Containment actions taken
The system tracks:
- 72-hour deadline for notifying the supervisory authority, counted from when the breach became known (Article 33)
- Authority notification status
- User notification status
- Incident ID for reference
Data Retention
Automatic cleanup of old data:
| Data Type | Default Retention |
|---|---|
| Audit logs | 2 years |
| Completed intakes | Per retention policy |
| Anonymized records | Permanent |
See Retention Policies for custom policies.
Privacy Dashboard (Administrators)
Platform administrators can view:
- Total and pending DSARs
- Breach notifications (open/resolved)
- Anonymized user count
- Consent withdrawal statistics
- Processing-restricted users
- Average DSAR response time
Compliance Features by Plan
| Feature | Starter | Professional | Business |
|---|---|---|---|
| Data export | ✓ | ✓ | ✓ |
| Account deletion | ✓ | ✓ | ✓ |
| Consent management | - | ✓ | ✓ |
| Processing restrictions | - | - | ✓ |
| Breach reporting | - | - | ✓ |
| Privacy dashboard | - | - | ✓ |