Legal · Data Subject Access Request (DSAR)

How to exercise your GDPR rights.

Under the EU GDPR (Articles 15–22) you have the right to access, rectify, erase, port, and object to processing of your personal data.

Effective 2026-05-22 · Controller: CloakAPI AS, Org no. 933 720 411 (Norway)

Self-service (registered users)

If you have a CloakAPI account you don't need to email anyone — both rights are built into the product:

Both requests are confirmed out-of-band (a verification token sent to your registered email) before anything runs, so no one can export or erase your data without control of your inbox.

By email

You can also email dpo@cloakapi.io with the subject line DSAR — the right route if you are not a registered user (for example an outreach contact). Include enough detail to verify your identity (we ask the minimum necessary; usually the email address we contacted you on).

Response timeline

We respond within the 30-day statutory window; requests approaching that deadline are flagged automatically so they are never silently missed. If a request is genuinely complex we may extend by a further 60 days and tell you why.

Categories of personal data we hold

The full, category-by-category map of everything CloakAPI holds — what it is, why, where, and for how long — is published as our data map & record of processing. In summary:

We are not a data processor for your AI prompt or response content — on the standard client-side paths that content is tokenised before it reaches us and we never hold it in the clear. The data map documents the two narrow, transient exceptions (opt-in gateway-managed multi-turn maps, 30-day TTL; and tokenised buffered responses, purged hourly).

Erasure

Full erasure (Article 17): registered users run it self-service (above) and receive a signed deletion receipt. For outreach contacts we delete your data and add your email to the suppression list so you never receive outreach from us again — the suppression list itself is a lawful-basis Article 6(1)(f) record and is retained.

Right to complain

You may complain to your national Data Protection Authority. We are based in Norway; the lead authority for cross-border complaints is the Norwegian Datatilsynet.

Related documents