Data Subject Rights Procedures
Effective: March 8, 2026
1. Purpose
This document establishes the procedures for handling data subject rights requests under the General Data Protection Regulation (GDPR), Articles 15 through 22. It ensures that all requests are processed consistently, within statutory timeframes, and in compliance with applicable data protection law.
2. Contact and Response Timeframes
Data subject rights requests should be submitted to:
Data Protection Officer: Eric Beans
Email: privacy@h33.ai
Standard response time: 30 calendar days from receipt
Extended response time: Up to 90 calendar days for complex or voluminous requests (the data subject must be notified of the extension, with reasons for the delay, within the initial 30-day period)
All requests are acknowledged within 5 business days of receipt. Identity verification is required before any data is disclosed or modified.
3. Rights and Procedures
Right of Access
- Data subject submits a request to privacy@h33.ai specifying the data they wish to access
- Identity is verified via email confirmation to the registered account email address
- A data export is generated within 30 calendar days containing: account information, authentication logs, API usage records, and billing history
- FHE-encrypted data: The data subject is informed that biometric templates are stored exclusively as FHE ciphertexts. These ciphertexts are not reversible without the decryption secret key and cannot be provided in plaintext form. The existence and categories of encrypted data are disclosed.
- Export format: JSON (machine-readable), provided via secure download link with 7-day expiry
- If the request is manifestly unfounded or excessive (e.g., repetitive), H33 may charge a reasonable administrative fee or refuse the request, providing justification to the data subject
Right to Rectification
- Data subject contacts privacy@h33.ai or the support team with the specific data requiring correction and the accurate replacement values
- Identity is verified via email confirmation
- Corrections are applied to all relevant systems within 5 business days
- A confirmation email is sent to the data subject upon completion, detailing the fields that were corrected
- Third parties to whom the data was disclosed are notified of the rectification where feasible
Right to Erasure
- Data subject requests deletion of their account and all associated personal data
- Account is deactivated immediately upon identity verification
- All personal data is permanently deleted from active systems within 30 calendar days
- Exceptions: Data required for legal obligations is retained (financial transaction records for 7 years per tax and accounting regulations). Data subject is informed of any retained categories and the legal basis for retention.
- FHE-encrypted data: Biometric ciphertexts are deleted and the associated decryption keys are cryptographically destroyed. Once keys are destroyed, ciphertexts are rendered permanently unrecoverable.
- Backup deletion: Personal data is purged from backup systems within 90 days following the standard backup rotation cycle
- Written confirmation of deletion is provided to the data subject
Right to Restrict Processing
- Data subject requests restriction of processing (e.g., while accuracy is contested, or processing is unlawful but erasure is not desired)
- Account is placed in restricted mode within 5 business days: no new processing occurs, but existing data is preserved
- Restricted accounts are flagged in the system to prevent automated processing
- Data subject is notified before any restriction is lifted
- During restriction, data may only be stored or processed with the subject's consent, for legal claims, for protection of another person's rights, or for important public interest reasons
Right to Data Portability
- Data subject requests a portable copy of their personal data
- Export is provided in JSON format (structured, commonly used, machine-readable)
- Included: Account data, API usage history, billing records, authentication event logs
- Not included: FHE-encrypted biometric templates (not interoperable with other controllers due to H33-specific encryption scheme and key material). Data subject is informed of this limitation and the technical reasons.
- Data may be transmitted directly to another controller where technically feasible, upon written request specifying the receiving controller's secure endpoint
Right to Object
- Data subject objects to processing carried out on the basis of legitimate interest (Article 6(1)(f))
- Applicable processing activities: Website Analytics, Fraud Intelligence (H33-Share)
- Objection is reviewed by the DPO within 30 calendar days
- If the objection is upheld: processing ceases immediately for the objecting data subject. Analytics data is anonymized or deleted. Fraud signal processing excludes the subject's data.
- If the objection is not upheld: H33 provides the data subject with a written explanation of the compelling legitimate grounds that override the subject's interests, rights, and freedoms
- Objections to direct marketing (if applicable) are honored immediately and unconditionally
Automated Decision-Making
- H33 does not make automated decisions that produce legal effects or similarly significant effects on individuals
- FHE fraud scoring (H33-Share): Produces aggregate, encrypted fraud signals shared with participating financial institutions. These signals are inputs to the institution's own decision-making process. H33 does not make individual fraud determinations.
- Biometric verification: Produces a binary match/no-match result for authentication purposes. This is a security measure, not a decision with legal effects. Users who fail biometric verification retain access to alternative authentication methods.
- Banks and financial institutions receiving H33-Share signals are responsible for their own GDPR obligations regarding automated decision-making based on those signals
4. Request Tracking
All data subject rights requests are logged in H33's compliance management system with the following information:
- Date received: Timestamp of initial request receipt
- Request type: The specific right(s) exercised (access, rectification, erasure, etc.)
- Status: Open, In Progress, Pending Verification, Completed, Denied (with reason)
- Response date: Date the response was provided to the data subject
- Outcome: Request fulfilled, partially fulfilled (with explanation), denied (with legal basis)
- Assigned handler: Team member responsible for processing the request
Request logs are retained for 3 years for accountability purposes (GDPR Article 5(2)) and are available to supervisory authorities upon request.
5. Review
These procedures are reviewed annually to ensure continued compliance with GDPR and alignment with evolving regulatory guidance. The next scheduled review is March 2027.
Exercise your data rights
Submit a data subject rights request to privacy@h33.ai. Please include your registered email address and the specific right you wish to exercise.