Under the EU GDPR (Articles 15–22) you have the right to access, rectify, erase, port, and object to processing of your personal data.
If you have a CloakAPI account you don't need to email anyone — both rights are built into the product:
POST /api/v1/receipts/verify.Both requests are confirmed out-of-band (a verification token sent to your registered email) before anything runs, so no one can export or erase your data without control of your inbox.
You can also email dpo@cloakapi.io with the subject line DSAR — the right route if you are not a registered user (for example an outreach contact). Include enough detail to verify your identity (we ask the minimum necessary; usually the email address we contacted you on).
We respond within the 30-day statutory window; requests approaching that deadline are flagged automatically so they are never silently missed. If a request is genuinely complex we may extend by a further 60 days and tell you why.
The full, category-by-category map of everything CloakAPI holds — what it is, why, where, and for how long — is published as our data map & record of processing. In summary:
We are not a data processor for your AI prompt or response content — on the standard client-side paths that content is tokenised before it reaches us and we never hold it in the clear. The data map documents the two narrow, transient exceptions (opt-in gateway-managed multi-turn maps, 30-day TTL; and tokenised buffered responses, purged hourly).
Full erasure (Article 17): registered users run it self-service (above) and receive a signed deletion receipt. For outreach contacts we delete your data and add your email to the suppression list so you never receive outreach from us again — the suppression list itself is a lawful-basis Article 6(1)(f) record and is retained.
You may complain to your national Data Protection Authority. We are based in Norway; the lead authority for cross-border complaints is the Norwegian Datatilsynet.