TrackyrBILTAI
Start hunting

// Guide

Handling DSAR and Right-to-Deletion Requests

Last verified · 2026-06-24

The short answer

A data subject access request (DSAR) is a person asking what data you hold about them, or asking you to delete it. GDPR and CCPA set response timelines (commonly around 30-45 days) and require you to locate, return, or erase the data. To handle them, you need provenance on every record and a fast deletion path. This isn't legal advice — consult counsel. Trackyr offers a public DSAR route.

What a DSAR actually requires

When someone files a DSAR, you have to find every record tied to them, confirm what you hold, and either return it or delete it within the statutory window. You can't do any of that if you don't know where your data came from.

This is educational, not legal advice. Timelines and obligations vary by jurisdiction and request type. Consult a privacy attorney to confirm your specific duties.

Know the timelines

GDPR generally expects a response within about a month; CCPA/CPRA sets its own windows for access and deletion. Missing the deadline is itself a violation, so treat DSARs as time-sensitive operations, not back-burner tickets.

Provenance makes it possible

The only way to answer 'what do you have on me and where did it come from' is to have recorded provenance from the start. Trackyr attaches engine-and-source provenance to every contact, so a DSAR becomes a lookup instead of a forensic investigation.

Operationalize deletion

  1. Provide a clear public intake route for requests.
  2. Verify the requester's identity before acting.
  3. Locate all records via provenance and identifiers.
  4. Delete or return within the statutory timeline.
  5. Add the contact to suppression so it doesn't re-enter.

Close the loop with suppression

Deletion without suppression is incomplete: the same contact can flow back in from a future pull. Pair every deletion with a suppression entry so the request actually sticks. Trackyr's sub-minute suppression handles that propagation.

More on this topic: Compliance

// Common questions

Answered.

How long do I have to respond to a DSAR?+

It depends on the law and request type, but commonly around 30-45 days. Treat it as time-sensitive and confirm your exact obligations with counsel.

What do I need to handle DSARs well?+

Provenance on every record, a public intake route, identity verification, and a deletion path that's paired with suppression so the contact doesn't return.

Does Trackyr support deletion requests?+

Yes. Trackyr exposes a public DSAR route and uses sub-minute suppression so a deletion propagates across pulls quickly.

Trackyr

Put it into practice.

Verified creator + B2B contacts, one shared pool, paid only for what you use.

Start hunting →