Data Subject Rights
Last updated: 2026-05-14 · These terms are reviewed by Astra periodically and effective on the Last updated date above.
This page is a practical walk-through for exercising the rights described in the Privacy Policy § 7. We use plain language here; the legal foundation is in the Privacy Policy.
1. Rights at a glance
Depending on where you live you may have rights to:
| Right | What it means | Available to |
|---|---|---|
| Access | Get a copy of your data | EU, UK, CA, BR, JP, KR (PIPA), most |
| Rectification | Correct inaccurate data | Same |
| Erasure ("right to be forgotten") | Delete your account + data | EU, UK, CA (CCPA right to delete), most |
| Portability | Get a machine-readable export | EU, UK, BR, CA (CPRA right to portability) |
| Restriction | Pause processing during a dispute | EU, UK |
| Objection | Opt out of legitimate-interest processing or direct marketing | EU, UK |
| Withdraw consent | Stop AI training, marketing, or birth-data processing | Universal |
| Opt-out of sale / sharing | CCPA-style; we don't sell so always honoured | CA, CT, CO, UT, VA, others |
| Limit use of sensitive PI | CPRA-specific | CA |
| Non-discrimination | We won't penalise you for exercising rights | CA, EU |
| Lodge a complaint | With your supervisory authority | EU, UK, CA (CPPA) |
| Data-protection rights for the deceased | Per local law | Varies (e.g. France LIL Art. 84) |
2. How to file a request
2.1 Self-service (fastest)
Most rights can be exercised directly:
- Access / portability — Settings → Privacy → Export my data produces a ZIP within minutes.
- Rectification — most fields editable in Settings → Profile.
- Erasure — Settings → Account → Delete account.
- Withdraw consent — toggles in Settings → Privacy:
- AI training on my data
- Marketing email
- Birth-data processing (this also pauses chart features)
- Analytics cookies
- Opt-out of CCPA sale/sharing — we don't sell or share for cross-context behavioural advertising, so the opt-out is the default. If we ever change this, the option will appear here and in the footer.
2.2 Email
Email hello@astraplatform.ai with the subject:
Data rights request: [Access | Rectification | Erasure | Portability | Restriction | Objection | Withdraw consent | Opt-out | Limit sensitive PI | Complaint]
Include:
- The email address of the account in question.
- The right you want to exercise.
- For erasure / restriction, the reason (we do not require a reason for valid GDPR / CCPA rights but it helps speed things up).
2.3 Postal
If you prefer postal mail:
Sunstone Venture Capital LLC dba Sunheir Culture Attn: Privacy / Data Rights Request [Sunstone Venture Capital LLC, address — fill in] United States
3. Identity verification
To protect you from impersonation, we may ask for one or more of:
- Sign-in confirmation from the account's email
- A code sent to the account's verified phone
- A response to security questions
- For high-risk requests, government-ID verification via Stripe Identity
We never share the data of one person with another person, and we will refuse a request we cannot verify.
4. Response timelines
| Regime | Initial response | Decision |
|---|---|---|
| GDPR / UK GDPR | Acknowledgement within 30 days | Decision within 30 days; extendable to 90 with notice |
| CCPA / CPRA | Acknowledgement within 10 business days | Decision within 45 days; extendable to 90 with notice |
| LGPD (Brazil) | Confirmation immediate | Up to 15 days |
| PIPEDA (Canada) | Within 30 days | Within 30 days |
| Japan APPI / Korea PIPA | Per local minimums | Per local minimums |
5. Fees
We do not charge a fee for the first reasonable request in a 12-month period. Manifestly unfounded, excessive, or repetitive requests may incur a reasonable administrative fee or be refused (per GDPR Art. 12(5)).
6. If we decline a request
We may refuse on documented grounds, including:
- Identity could not be verified.
- The request would expose another person's data.
- Legal retention obligations override (e.g. financial records kept for 7 years).
- The right is not available under your jurisdiction.
We tell you the specific ground and your right to appeal or complain to your supervisory authority.
7. Lodging a complaint
You may complain to:
- EU/EEA: the supervisory authority in your member state of residence, work, or alleged infringement (full list: https://edpb.europa.eu/about-edpb/about-edpb/members_en).
- UK: Information Commissioner's Office (https://ico.org.uk).
- California: California Privacy Protection Agency (https://cppa.ca.gov).
- Canada: Office of the Privacy Commissioner (https://www.priv.gc.ca).
- Brazil: Autoridade Nacional de Proteção de Dados (ANPD).
- Japan: Personal Information Protection Commission (PPC).
- Korea: Personal Information Protection Commission (KOPIPC).
8. Authorised agents
You may designate an authorised agent to make a request on your behalf. We will require documentation of the agent's authorisation (signed letter, power of attorney, or a CCPA-compliant authorised- agent form) and verification of your identity, before action.
9. Deceased persons
For requests on behalf of a deceased account-holder, we follow applicable law (France LIL Art. 84, some US states' digital- fiduciary acts). Email hello@astraplatform.ai with proof of death and your authority.
10. Contact
- Data rights: hello@astraplatform.ai
- Postal: Sunstone Venture Capital LLC dba Sunheir Culture, [Sunstone Venture Capital LLC, address — fill in], USA
This document is reviewed by Astra periodically.
Related
Questions about this document?
Email us — we reply within 24h (12h for Pro & creators).