Privacy Center
The Mabble Helix Privacy Center is a hosted, multi-tenant set of surfaces that lets operators fulfill their obligations to data subjects under HIPAA, GDPR, CCPA/CPRA, and similar frameworks without building the intake and publication infrastructure themselves.
What the Privacy Center provides
1. DSAR Public Intake Form
A branded, zero-cookie HTML form mounted at each tenant's custom domain. End consumers can file a data subject access request (DSAR) without creating an account. Supported request types:
| Form value | Legal request type |
|---|---|
| `access` | Right of access (GDPR Art.15; HIPAA §164.524; CCPA) |
| `erasure` | Right to erasure / deletion (GDPR Art.17; CCPA) |
| `amend` | Right to rectification / amendment (GDPR Art.16; HIPAA §164.526) |
| `portability` | Right to data portability (GDPR Art.20; CCPA) |
| `restrict` | Right to restriction of processing (GDPR Art.18) |
The form validates the submission server-side and returns a ticket reference number. A confirmation email is sent to the consumer.
2. Hosted Privacy Notice
A versioned, ETag-cached HTML page at a stable URL on the tenant's domain. Tenants publish new versions from the operator console; each published version is assigned an integer version number and archived permanently.
- Current notice: `GET /public/v1/privacy/notice` (5-minute CDN cache, ETag-busted on publish)
- Historical version: `GET /public/v1/privacy/notice/v<N>` (immutable, 1-year CDN cache)
3. Operator Workflow (Console)
Tenant admins handle DSARs from the console:
- View incoming requests, filter by status, jurisdiction, and request type.
- Assign requests, log fulfillment actions, and close tickets.
- Publish and manage privacy notice versions.
- Configure per-tenant SLA thresholds and jurisdiction settings.
Security posture
All public Privacy Center endpoints:
- Set no cookies.
- Require no authentication from the consumer.
- Resolve tenant identity exclusively from the request `Host` header (no fallback, no query-param override).
- Return `X-Content-Type-Options: nosniff` and `X-Frame-Options: DENY` (DSAR form) or `SAMEORIGIN` (privacy notice, to allow tenant-side embedding).
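The following is an added example, not Helix's own code, showing one way to implement Host-only tenant resolution and the per-surface response headers described above. The domain-to-tenant map, the function names and the surface labels `dsar_form` and `notice` are assumptions made for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample data: custom domain -> tenant id (hypothetical names).
TENANT_BY_HOST: Dict[str, str] = {
    "privacy.clinic.example": "tenant-a",
    "privacy.shop.example": "tenant-b",
}
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


class TenantResolutionError(Exception):
    """The request cannot be tied to exactly one tenant."""


def normalize_host(raw: str) -> str:
    """Lowercase, drop an optional :port and one trailing dot, then validate."""
    host, _, port = raw.strip().lower().partition(":")
    if port and not port.isdigit():
        raise TenantResolutionError("malformed port")
    if host.endswith("."):
        host = host[:-1]
    if not HOSTNAME_RE.match(host):  # also rejects IP literals
        raise TenantResolutionError("not a plain DNS hostname")
    return host


def resolve_tenant(headers: List[Tuple[str, str]]) -> str:
    """Resolve the tenant from the Host header only.

    The query string and X-Forwarded-Host are not inputs, so neither can
    override the result; a missing, duplicated or unknown Host is an error.
    """
    hosts = [v for k, v in headers if k.lower() == "host"]
    if len(hosts) != 1:
        raise TenantResolutionError("expected exactly one Host header")
    tenant = TENANT_BY_HOST.get(normalize_host(hosts[0]))
    if tenant is None:
        raise TenantResolutionError("unknown host")  # no default tenant
    return tenant


def security_headers(surface: str) -> Dict[str, str]:
    """Response headers per surface: 'dsar_form' or 'notice'. No Set-Cookie."""
    frame = {"dsar_form": "DENY", "notice": "SAMEORIGIN"}[surface]
    return {"X-Content-Type-Options": "nosniff", "X-Frame-Options": frame}
```

Rejecting duplicate `Host` headers and unknown hosts outright, rather than falling back to a default tenant, is what keeps one tenant's DSAR intake from being served under another tenant's domain.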
Tenant configuration
Operators configure their Privacy Center from the console under Settings > Privacy Center:
| Setting | Description |
|---|---|
| `display_name` | Human-readable tenant name shown on the DSAR form |
| `primary_jurisdiction` | Default jurisdiction pre-selected on the form (`us`, `eu`, `uk`, `ca`, `au`, `in`, `br`) |
| Custom domain | Your branded domain hostname that Helix resolves to your tenant |