Filing a Data Subject Request (DSAR)
This guide is for end consumers — individuals who want to exercise their privacy rights with a company (the "operator") whose product is powered by Mabble Helix.
You do not need an account. The form is accessible to anyone.
How to find the form
Your operator's privacy request form is at:
https://<operator-domain>/public/v1/privacy/dsar
The operator's domain is typically the same domain where you interact with their product (e.g., secure.example.com or privacy.company.io). If you cannot find the URL, contact the operator directly and ask for their "Privacy Center" or "data request form."
What information you need to provide
| Field | Required | Notes |
|---|---|---|
| Full name | Yes | Up to 200 characters. Used to identify your record. |
| Email address | Yes | Where your confirmation and follow-up will be sent. Your email is stored as a one-way hash — Helix never stores your plaintext email in the request record. |
| Request type | Yes | See table below. |
| Jurisdiction | Yes | Select the jurisdiction that governs your rights (see below). |
| Additional details | Optional | Up to 2000 characters. Helps the operator understand exactly what you need. |
Request types
| Request type | What you are asking for |
|---|---|
| Access | A copy of the personal data the operator holds about you (GDPR Art.15, HIPAA §164.524, CCPA). |
| Erasure | Deletion of your personal data ("right to be forgotten") — subject to legal retention obligations (GDPR Art.17, CCPA). |
| Amendment | Correction of inaccurate data the operator holds about you (GDPR Art.16, HIPAA §164.526). |
| Portability | Export of your data in a structured, machine-readable format (GDPR Art.20, CCPA). |
| Restriction | Limit how the operator processes your data while a dispute or review is in progress (GDPR Art.18). |
Jurisdiction
Select the jurisdiction that applies to your situation:
| Code | Applies to |
|---|---|
| us | United States (CCPA/CPRA, HIPAA, state privacy laws) |
| eu | European Union (GDPR) |
| uk | United Kingdom (UK GDPR / DPA 2018) |
| ca | Canada (PIPEDA / Law 25) |
| au | Australia (Privacy Act 1988) |
| in | India (DPDP Act 2023) |
| br | Brazil (LGPD) |
Your jurisdiction affects the SLA deadline the operator must meet.
What happens after you submit
- Immediate: The form confirms your submission and displays a short ticket reference (e.g., `a3f9c2b1`). The full UUID is included in the confirmation email.
- Confirmation email: Sent to your provided address within a few minutes. Keep the ticket reference.
- Operator review: The operator's compliance team reviews your request. They may contact you at your email to verify your identity before releasing data.
- Resolution: The operator fulfills or closes the request and you receive a follow-up at your email.
SLA expectations by jurisdiction
These are the maximum statutory response windows. Operators may respond sooner.
| Jurisdiction | Statutory window |
|---|---|
| EU (GDPR) | 30 days from receipt; extendable once to 90 days with notice |
| UK (UK GDPR) | 30 days |
| US — California (CCPA) | 45 days; extendable once to 90 days with notice |
| US — HIPAA §164.524 | 30 days; extendable once to 60 days with notice |
| Canada (PIPEDA) | 30 days |
| Australia | 30 days |
| Brazil (LGPD) | 15 days for access; operator must confirm receipt immediately |
| India (DPDP) | Timeline set by forthcoming rules; operators should treat as 30 days |
Privacy of this form
- No cookies are set when you load or submit this form.
- No third-party scripts are loaded.
- Your email address is stored as a one-way cryptographic hash in Helix's database — it is used only to deduplicate requests and send your confirmation; the operator's team does not see your plaintext email from Helix's system (they may already hold it in their own systems).
- The form is served with `Cache-Control: no-store`, meaning browsers do not cache it.
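
Three of the claims above (no cookies, no third-party scripts, `Cache-Control: no-store`) can be checked from a saved copy of the form's HTTP response. The following is an added example, not Mabble Helix code; the function name `audit_form_response`, the host `privacy.example.com` and both sample responses are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class ScriptSources(HTMLParser):
    """Collects the src attribute of every <script> tag in the page."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.sources.append(src)

def audit_form_response(form_url, headers, body):
    """Return findings; an empty list means the three claims hold.
    headers is a list of (name, value) pairs so repeated headers survive."""
    findings = []
    lowered = [(name.lower(), value) for name, value in headers]
    # Claim: no cookies are set.
    if any(name == "set-cookie" for name, _ in lowered):
        findings.append("response sets a cookie")
    # Claim: served with Cache-Control: no-store (among any other directives).
    directives = {d.strip().lower() for name, value in lowered
                  if name == "cache-control" for d in value.split(",")}
    if "no-store" not in directives:
        findings.append("Cache-Control lacks no-store")
    # Claim: no third-party scripts; relative and same-host src values pass.
    form_host = urlsplit(form_url).hostname
    parser = ScriptSources()
    parser.feed(body)
    for src in parser.sources:
        host = urlsplit(urljoin(form_url, src)).hostname
        if host != form_host:
            findings.append(f"third-party script from {host}")
    return findings

# Constructed sample responses (not captured from a real operator).
FORM_URL = "https://privacy.example.com/public/v1/privacy/dsar"
GOOD = ([("Content-Type", "text/html"), ("Cache-Control", "no-store")],
        '<form method="post"><input name="email"></form>')
BAD = ([("Cache-Control", "private, max-age=60"), ("Set-Cookie", "sid=1")],
       '<script src="//cdn.example.net/t.js"></script>')

if __name__ == "__main__":
    for label, (hdrs, html) in (("good", GOOD), ("bad", BAD)):
        print(label, audit_form_response(FORM_URL, hdrs, html))
```

The check covers only `<script src>` tags, matching the wording of the claim; other subresources such as images or stylesheets are outside what it inspects.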
Can I check the status of my request?
Status lookup via the public form is not available in Phase 1. Your confirmation email contains the full ticket UUID. If you need a status update, contact the operator directly and reference your ticket ID.
Accessibility
The DSAR form is HTML-only (no JavaScript required), works in all major browsers, and is compatible with screen readers.