GDPR Data Subject Rights

Your Rights Overview

Under the General Data Protection Regulation (GDPR), you have the following rights with respect to your personal data. We are committed to facilitating the exercise of these rights.

Right of Access (Art. 15)

You have the right to obtain confirmation as to whether your personal data is being processed and, if so, to access that data along with information about the processing.

How to exercise: Visit your {{link:/account|Account Settings}} to view and export your data, or submit an API request to GET /api/v1/me/data-export.

Right to Rectification (Art. 16)

You have the right to obtain the rectification of inaccurate personal data and to have incomplete data completed.

How to exercise: Update your profile information directly via Clerk (our authentication provider) in your {{link:/account|Account Settings}}.

Right to Erasure (Art. 17)

You have the right to request the deletion of your personal data ("right to be forgotten") when the data is no longer necessary for its original purpose, you withdraw consent, or the data has been unlawfully processed.

How to exercise: Use the "Delete Account" option in your {{link:/account|Account Settings}}, or submit an API request to DELETE /api/v1/me. Deletion follows our cascading deletion order: Stripe data, KV data, Upstash data, R2 storage, and finally Clerk account.

Right to Restriction of Processing (Art. 18)

You have the right to restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or the processing is unlawful.

How to exercise: Contact us at [email protected] with your request.

Right to Data Portability (Art. 20)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format (JSON), and to transmit it to another controller.

How to exercise: Use the data export feature in your {{link:/account|Account Settings}} to download a JSON export of your data.

Right to Object (Art. 21)

You have the right to object to the processing of your personal data based on legitimate interests (Art. 6(1)(f)), including profiling based on those provisions.

How to exercise: Contact us at [email protected]. We will cease processing unless we demonstrate compelling legitimate grounds.

Automated Decision-Making (Art. 22)

AgentBrush does not make automated decisions with legal or similarly significant effects on you. Content moderation (pre-flight checks) operates on prompts, not on users, and does not affect your legal rights.

Response Timeline

We will respond to all data subject requests within 30 days of receipt. In complex cases, we may extend this period by an additional 60 days, in which case we will inform you of the extension and the reasons for it.

We may request identity verification before processing your request to prevent unauthorized access to personal data.

Right to Lodge a Complaint

If you believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement.