Data Subject Requests (DSAR) Procedure
Version 2.0 - Effective 2026-07-08 - Change log Template document: review by a qualified data-protection lawyer or DPO before commercial reliance. Not legal advice.
Under the EU GDPR and UK GDPR, individuals can exercise the rights of access, rectification, erasure, restriction, portability and objection, and can withdraw consent at any time.
Where to send a request (routing)
| Your data relates to | Controller | Send your request to |
|---|---|---|
| amaigo.com (our own site and widget) | Amaigo | [email protected] |
| A Whistle widget on a client's website | That client (for example the law firm) | The client, via their published privacy contact |
Where the client is the controller, Amaigo acts as processor: we do not answer the request ourselves, but we assist the controller within 5 business days of their instruction, well inside the controller's own statutory deadline. Requests sent to us in error are forwarded to the correct controller without undue delay.
Timelines
Both the EU GDPR and UK GDPR require a response without undue delay and within one month of receipt. This is extendable by up to two further months for complex or numerous requests, provided the individual is told of the extension, with reasons, within the first month.
How requests are fulfilled
- Verify the requester's identity proportionately: enough to be confident, no more. Typically confirmation via the contact details already held (for example replying from the email or phone number on the lead); formal ID documents are only requested where genuine doubt exists.
- Locate and act. The chat server exposes admin-token-protected endpoints, each scoped to the requesting controller's own data:
GET /api/lead/export: exports a lead's stored data (access and portability).DELETE /api/lead: erases a lead.
- Respond within the timelines above, in a concise, plain-language form.
- Record the request and the action taken in the audit log, as metadata only (no personal content is added to the log).
Erasure scope
Erasure removes the lead together with its linked bookings, and transcripts where the client has enabled transcript storage. Consent withdrawal is handled the same way for the data concerned.
Data we deliberately do not hold
Whistle stores no raw chat transcripts by default and writes no chat content to logs. Data that was deliberately never collected or retained cannot be produced in response to an access request; this is a privacy-by-design feature, not an omission. See the Privacy Policy and Data Retention Policy.
Complaints
If you are unhappy with how a request was handled you can complain to the ICO (UK) or to the competent supervisory authority in your EU member state, at any time and without contacting us first.
This document is a GDPR-aligned template and must be reviewed by a qualified data-protection lawyer or DPO before commercial reliance. It is not legal advice.