Data Subject Request (DSAR) Templates and Process
Effective date: [EFFECTIVE_DATE]
This document gives users a clear path to exercise their rights under GDPR, UK GDPR, CCPA/CPRA, and COPPA, and gives our team a documented process for handling those requests. It contains:
- Request templates that parents and (where applicable) children can use
- Our internal handling process so requests are responded to within statutory timelines
- Verification standards to prevent fraudulent requests
How to submit a request
Send an email to [PRIVACY_EMAIL] with the subject line:
Data Subject Request — [TYPE]
Where [TYPE] is one of: Access, Deletion, Correction, Portability, Restriction, Objection, Withdraw Consent.
You may also write to us at [COMPANY_POSTAL_ADDRESS] or use the in-product request form at [DSAR_URL] (when available).
We respond within 30 days of receiving a verified request and may extend by up to 60 additional days for complex requests (we will tell you in writing if we do).
There is no fee to make a request. We may charge a reasonable fee only for manifestly unfounded or excessive repeat requests, and we will explain why before charging.
1. Access request
Use this if you want a copy of the personal data we hold about you or your child.
To: [PRIVACY_EMAIL]
Subject: Data Subject Request — Access

Hello,

I am exercising my right of access under [GDPR Art. 15 / UK GDPR Art. 15 / CCPA / COPPA / [APPLICABLE_LAW]].

- My account email: ____________________________
- I am requesting data about: [ ] My own parent account [ ] Child profile(s): ______________
- Format preferred: [ ] JSON [ ] CSV [ ] PDF
- Time period: [ ] All [ ] From _________ to _________

Please confirm receipt and respond within 30 days.

Signed: ____________________________
Date: ____________________________
2. Deletion request
Use this if you want us to delete your account, a child profile, or specific records.
To: [PRIVACY_EMAIL]
Subject: Data Subject Request — Deletion

Hello,

I am exercising my right to erasure under [GDPR Art. 17 / UK GDPR / CCPA / COPPA].

- My account email: ____________________________
- I want to delete:
  [ ] My entire parent account and all related data
  [ ] Child profile(s): ______________
  [ ] Specific records: ______________________________
- Reason (optional): ______________________________

I understand that deletion is permanent and irreversible. I understand the service will become unusable for the deleted profiles.

Signed: ____________________________
Date: ____________________________
Note: We retain limited records required by law (e.g., billing records for tax purposes) after deletion. The full schedule is in the Privacy Policy.
3. Correction request
Use this to fix inaccurate data.
To: [PRIVACY_EMAIL]
Subject: Data Subject Request — Correction

Hello,

I want to correct the following data on my account or in my child's profile:

- Field: ________________________
- Current (incorrect) value: ________________________
- Correct value: ________________________

Signed: ____________________________
Date: ____________________________
You can usually do this yourself in account settings — this template is for when you can't.
4. Portability request
Use this if you want a machine-readable export to take with you.
To: [PRIVACY_EMAIL]
Subject: Data Subject Request — Portability

Hello,

I am exercising my right to data portability under [GDPR Art. 20 / UK GDPR]. Please provide an export of:

- [ ] My parent account data
- [ ] Child profile(s): ____________________________

Preferred format: [ ] JSON [ ] CSV

Signed: ____________________________
Date: ____________________________
5. Restriction of processing
Use this to pause processing while you contest accuracy, lawfulness, or while you decide whether to object.
To: [PRIVACY_EMAIL]
Subject: Data Subject Request — Restriction

Hello,

I am requesting restriction of processing under [GDPR Art. 18 / UK GDPR] for the following data:

- Account / profile: ____________________________
- Specific data: ____________________________
- Reason: [ ] Contesting accuracy [ ] Processing unlawful [ ] Deciding whether to object [ ] Other: ____________

Signed: ____________________________
Date: ____________________________
6. Objection
Use this to object to processing based on legitimate interests, or for direct marketing.
To: [PRIVACY_EMAIL]
Subject: Data Subject Request — Objection

Hello,

I object to the following processing under [GDPR Art. 21]:

- [ ] Direct marketing (always honoured)
- [ ] Processing based on legitimate interests for: ____________________________

Reason (if not direct marketing): ____________________________

Signed: ____________________________
Date: ____________________________
7. Withdraw consent
Use this to withdraw consent given previously (e.g., parental consent under COPPA / Art. 8 GDPR).
To: [PRIVACY_EMAIL]
Subject: Data Subject Request — Withdraw Consent

Hello,

I withdraw my consent for:

- [ ] All processing related to my child profile(s): ____________________________
- [ ] Marketing emails
- [ ] Specific processing: ____________________________

I understand this does not affect the lawfulness of processing before withdrawal.

Signed: ____________________________
Date: ____________________________
CCPA-specific requests
If you are a California resident, you may use any of the templates above. You may additionally submit:
- Request to know what categories of personal information we collect — see the Privacy Policy.
- Request to opt out of sale/sharing — we do not sell or share personal information as defined by California law. If this ever changes we will publish a "Do Not Sell or Share My Personal Information" link.
- Request to limit use of sensitive personal information — we do not use sensitive personal information for purposes beyond providing the Service.
You may use an authorised agent. The agent must provide a signed permission and we may verify with you directly.
Verification
Because we serve children, we verify identity carefully before acting on requests. The standard is commercially reasonable verification appropriate to the sensitivity of the data:
| Request type | Default verification |
|---|---|
| Access to own account data | Confirm via the account email |
| Access to child profile data | Confirm via the parent account email + (for high-risk records) one additional factor |
| Deletion | Same as access |
| Correction | Same as access |
| Portability | Same as access |
| Withdraw COPPA consent | Confirm via the parent account email; for callbacks we may also verify by phone |
We will not act on requests from third parties unless they provide signed authorisation from the data subject (or the parent for children's data).
Internal handling process
The team handles DSARs using this standard operating procedure:
- Intake (Day 0): request lands in [DSAR_INBOX]. Auto-acknowledgement sent within 24 hours.
- Verify (Day 0–3): verify identity via the standard above. Log evidence in [DSAR_TRACKER].
- Classify (Day 1–3): identify request type, scope, and whether any exemptions apply (e.g., another person's privacy, ongoing litigation).
- Fulfil (Day 3–25):
  - Access / portability: run the export script for the user/child IDs. Strip data that would identify other users. Encrypt and share via [SECURE_FILE_TRANSFER].
  - Deletion: run the deletion script. Confirm cascade-delete of related Sessions, SafetyEvents, Missions, Progress. Confirm backup tombstoning so the next backup cycle clears the data.
  - Correction: apply the change. Confirm via email.
  - Restriction / objection / withdraw consent: flag the account/profile; if it requires service interruption, communicate first.
- Respond (by Day 30): send the response with confirmation of what was done. For denied requests, explain the legal basis and the user's right to complain to a supervisory authority.
- Close (Day 30): mark closed in [DSAR_TRACKER]. Retain the record for [DSAR_RECORD_RETENTION, e.g., 3 years].
Roles
- DSAR Lead: [DSAR_LEAD_NAME, EMAIL] — owns the intake and the SLA
- Engineering on-call: runs the export/deletion scripts
- DPO: [DPO_NAME, EMAIL] — escalation point for complex requests, complaints, regulator contact
Tooling
- Export script: `scripts/dsar/export.ts` (parameter: parentId or childId)
- Deletion script: `scripts/dsar/delete.ts` (parameter: parentId or childId, requires two-person approval for parent deletion)
- Logs: every script run writes to `audit_log` with operator, timestamp, target, and result
These scripts are part of the operations toolkit. They are not committed to the public repo. Documenting them here in the legal pack ensures the obligations and the runbook stay in sync.
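The gate below is an added example, not the contents of `scripts/dsar/delete.ts`: it refuses unverified requests, enforces two-person approval for parent deletion, checks the cascade over Sessions, SafetyEvents, Missions and Progress described in the handling process, and returns the `audit_log` record. All type and function names are hypothetical, and two-person approval is assumed to mean the operator plus one approver who is a different person.

```typescript
// Added example; every name below is hypothetical, not the project's code.
type Target = { kind: "parent" | "child"; id: string };

interface DeletionRequest {
  target: Target;
  operator: string;        // engineer running the script
  approvers: string[];     // people who signed off on this run
  verifiedAt: Date | null; // when identity evidence was logged in the tracker
}

interface AuditEntry {
  operator: string;
  timestamp: string;
  target: string;
  result: "deleted" | "refused" | "incomplete";
  reason?: string;
}

// Related record types the runbook says must cascade-delete.
const CASCADE = ["Sessions", "SafetyEvents", "Missions", "Progress"];

// doDelete is a stand-in for the real deletion; it returns the rows still
// present per related type after it has run.
function runDeletion(
  req: DeletionRequest,
  doDelete: (t: Target) => Record<string, number>,
  now: Date = new Date(),
): AuditEntry {
  const entry = (result: AuditEntry["result"], reason?: string): AuditEntry => ({
    operator: req.operator,
    timestamp: now.toISOString(),
    target: `${req.target.kind}:${req.target.id}`,
    result,
    ...(reason ? { reason } : {}),
  });

  // Refusals return before doDelete is called, so nothing is touched.
  if (!req.verifiedAt) return entry("refused", "identity not verified");

  if (req.target.kind === "parent") {
    // Assumption: "two-person" means the operator plus at least one approver
    // who is a different person; self-approval does not count.
    const second = req.approvers.some((a) => a !== req.operator);
    if (!second) return entry("refused", "parent deletion needs a second approver");
  }

  const remaining = doDelete(req.target);
  const leftovers = CASCADE.filter((t) => (remaining[t] ?? 0) > 0);
  return leftovers.length > 0
    ? entry("incomplete", `rows remain in ${leftovers.join(", ")}`)
    : entry("deleted");
}
```

An `incomplete` result means the request is not yet fulfilled and should stay open in the tracker until the leftover rows are cleared.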