Compliance · Article 11.7
Data-subject requests: how to exercise your GDPR rights as a Clozo user
Articles 15–22 GDPR give you concrete rights against any controller. For data Clozo holds about you (the freelancer), use the self-service tools at `/settings/privacy`. For requests your *clients* send to *you*, Clozo acts as processor — you respond as controller, with manual support from us when needed.
GDPR gives data subjects six concrete rights they can exercise against any controller. As a Clozo user you wear two hats: data subject (for the data Clozo holds about you) and data controller (for the data Clozo processes about your clients on your behalf). This article covers the user-side self-service flow that ships in production today, and explains how the processor-side support workflow operates for your clients' requests.
Step by step
If the request is for YOUR data (you are the data subject):
1. Open /settings/privacy.
2. Click Export your data (Art. 15 + 20), Erase your account (Art. 17, two-stage with a 7-day grace window), or toggle the consent flags (Art. 7 + 21).
If the request is from YOUR CLIENT (you are the controller):
1. Receive the request via email. Your one-month deadline starts at receipt.
2. Verify identity. Compare the requesting email and details against the client record. Don't disclose personal data to a stranger.
3. Open /clients/{id} to see what Clozo holds about them: name, email, country, billing details, linked proposals and invoices. This is your source of truth for composing the response.
4. Compose and email the response within one month. Cite the GDPR article. For erasure, explain the Art. 17(3)(b) tax-retention carve-out for invoiced data.
Need processor-side help? Email privacy@useclozo.com with the request details. We'll provide the data export needed to fulfil your obligation as controller.
Why this works this way
The six rights (each title is the GDPR article number):
- Art. 15 — Right of access: confirm whether their personal data is processed and, if so, get a copy plus information about purposes, categories, recipients, retention, and source.
- Art. 16 — Right to rectification: correct inaccurate data without undue delay.
- Art. 17 — Right to erasure ("right to be forgotten"): delete data when the lawful basis no longer applies, subject to carve-outs (legal obligation, freedom of expression, public interest).
- Art. 18 — Right to restriction of processing: pause processing while accuracy is contested, while processing is unlawful but the subject doesn't want erasure, etc.
- Art. 20 — Right to data portability: receive personal data in a structured, commonly-used, machine-readable format and transmit it to another controller.
- Art. 21 — Right to object: object to processing based on legitimate interest (Art. 6(1)(f)) or direct marketing.
Response deadline (Art. 12(3)): one month from receipt. Extendable by two further months "where necessary, taking into account the complexity and number of the requests" — must notify the subject of the extension within the first month with reasons.
Form of response (Art. 12(1)): concise, transparent, intelligible, easily accessible, plain language. Free of charge unless requests are "manifestly unfounded or excessive" (Art. 12(5)).
Hat 1 — You as data subject (Clozo holds your data).
This is the in-product self-service flow. Open /settings/privacy in Clozo. The user-side endpoints (per BACKEND.md §3 GDPR self-service) are:
- Export your data — GET /api/v1/me/export (Art. 15 + 20). JSON bundle covering account, proposals, clients, payments, signatures, audit. Download link sent by email; valid 7 days.
- Erase your account — POST /api/v1/me/erasure-request → POST /api/v1/me/erasure-confirm (or POST /api/v1/me/erasure-cancel to back out within the grace window) (Art. 17). Two-stage confirmation flow with a 7-day grace window. After the grace window, a daily Celery beat task apply_pending_erasures runs at 02:00 UTC. It pseudonymises the personal data on the User row but keeps vat_number and company_name (per [A-023]; EU VAT Directive Art. 226(10) and Art. 244 require them on retained invoices), deactivates rather than deletes the Stripe Connect account so that AEAT requerimientos (information requests from the Spanish tax agency) in years 6–10 can still be answered via stripe_account_id (per [A-022]), and writes an email_hmac lookup key so that a former user can be matched to their row years after anonymisation. Tax-relevant data (invoices, receipts, signed agreements) is retained per article 11.4.
- Manage consent — GET /api/v1/me/consent and POST /api/v1/me/consent (Art. 7 + Art. 21). Toggle off consent.advertising and consent.marketing in Privacy. Effect: Google Ads + GA4 server-side senders gate on these flags and stop uploading.
- Restrict processing (Art. 18) → email privacy@useclozo.com with details. Self-service is on the roadmap.
For rectification (Art. 16), edit the field directly in /settings/profile or /settings/company. Most rectifications are settings changes, not formal requests.
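The erasure flow above, modelled end to end as an added example: this is illustrative code, not the apply_pending_erasures task or any other code from Clozo. It assumes the 7-day window counts from the confirm step, that the job runs at 02:00 UTC, and that the User columns named here (vat_number, company_name, stripe_account_id, email_hmac) are the ones the text describes; the HMAC key, the placeholder email format and the two users in the scenario are constructed. What it shows beyond the prose: the lookup key is derived before the address is wiped, the job is idempotent, and a cancel after the window is refused.

```python
"""Two-stage account erasure with a grace window, then pseudonymisation.
Added illustration of the flow described in the article; not Clozo's code."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

GRACE = timedelta(days=7)
# Assumption: a server-side secret kept outside the database, so a leaked table
# of email_hmac values cannot be reversed by hashing guessed addresses.
EMAIL_HMAC_KEY = b"constructed-demo-key-not-for-production"


@dataclass
class User:
    """Only the columns the flow touches; column names are illustrative."""
    id: int
    email: str
    full_name: str
    phone: str | None
    vat_number: str | None          # retained after erasure (VAT Directive)
    company_name: str | None        # retained after erasure (VAT Directive)
    stripe_account_id: str | None   # retained; account deactivated, not deleted
    stripe_active: bool = True
    erasure_requested_at: datetime | None = None
    erasure_confirmed_at: datetime | None = None
    erased_at: datetime | None = None
    email_hmac: str | None = None


def email_lookup_key(email: str) -> str:
    """Keyed hash of the normalised address: lets a former user be matched to
    their pseudonymised row without the address itself being stored."""
    return hmac.new(EMAIL_HMAC_KEY, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def request_erasure(u: User, now: datetime) -> None:
    """Stage 1: record the intent; nothing on the row changes yet."""
    if u.erased_at is not None:
        raise ValueError("account already erased")
    u.erasure_requested_at = now
    u.erasure_confirmed_at = None


def confirm_erasure(u: User, now: datetime) -> datetime:
    """Stage 2: start the grace window (assumed to count from confirmation).
    Returns the instant after which the daily job may act."""
    if u.erasure_requested_at is None:
        raise ValueError("confirm received without a prior request")
    u.erasure_confirmed_at = now
    return now + GRACE


def cancel_erasure(u: User, now: datetime) -> None:
    """Back out while the window is open; refused once it has closed."""
    if u.erased_at is not None:
        raise ValueError("erasure already applied; nothing to cancel")
    if u.erasure_confirmed_at is not None and now >= u.erasure_confirmed_at + GRACE:
        raise ValueError("grace window elapsed")
    u.erasure_requested_at = None
    u.erasure_confirmed_at = None


def apply_pending_erasures(users: list[User], now: datetime) -> list[int]:
    """Daily job body: pseudonymise every confirmed request whose grace has
    elapsed. Idempotent, so a re-run after a crash does no extra work."""
    done: list[int] = []
    for u in users:
        if u.erased_at is not None or u.erasure_confirmed_at is None:
            continue
        if now < u.erasure_confirmed_at + GRACE:
            continue
        u.email_hmac = email_lookup_key(u.email)    # derive BEFORE wiping the address
        u.email = f"erased-{u.id}@example.invalid"   # keeps a NOT NULL / UNIQUE column valid
        u.full_name = "Erased user"
        u.phone = None
        # vat_number and company_name are deliberately left untouched.
        u.stripe_active = False                      # deactivate; keep the id for tax requests
        u.erased_at = now
        done.append(u.id)
    return done


def find_erased_user(users: list[User], email: str) -> User | None:
    """Lookup path for a later request from someone who was already erased."""
    key = email_lookup_key(email)
    return next((u for u in users if u.email_hmac == key), None)


def demo() -> dict:
    """Constructed scenario: Ana confirms and lets the window run out; Ben
    confirms but cancels on day 2. Times are UTC; the job runs at 02:00."""
    t0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    ana = User(1, "Ana@Example.com", "Ana Pérez", "+34 600 000 000",
               "ESB12345678", "Ana Pérez SL", "acct_demo_ana")
    ben = User(2, "ben@example.org", "Ben Müller", None,
               "DE123456789", "Ben Müller", "acct_demo_ben")
    for u in (ana, ben):
        request_erasure(u, t0)
        confirm_erasure(u, t0)
    cancel_erasure(ben, t0 + timedelta(days=2))
    run1 = apply_pending_erasures([ana, ben], t0 + timedelta(days=6, hours=17))  # 8 Mar 02:00, window still open
    run2 = apply_pending_erasures([ana, ben], t0 + timedelta(days=7, hours=17))  # 9 Mar 02:00, Ana erased
    run3 = apply_pending_erasures([ana, ben], t0 + timedelta(days=8, hours=17))  # 10 Mar 02:00, nothing left
    try:
        cancel_erasure(ana, t0 + timedelta(days=9))
        late_cancel_rejected = False
    except ValueError:
        late_cancel_rejected = True
    return {"run1": run1, "run2": run2, "run3": run3, "ana": ana, "ben": ben,
            "late_cancel_rejected": late_cancel_rejected}
```

Running demo() shows the ordering that matters operationally: the 8 March run leaves Ana untouched because her window closes at 09:00 that day, the 9 March run pseudonymises her while keeping vat_number, company_name and stripe_account_id, and a later lookup by her old address still finds the row through email_hmac.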
Hat 2 — You as controller (Clozo processes your clients' data on your behalf).
When your client sends you a DSR request, you are responsible for fulfilling it as the controller of their data. Clozo's role is processor under the Standard Contractual Clauses (Module 2: Controller-to-Processor) embedded in the Clozo Terms — we hold the data on your instructions, but the response to a DSR is your obligation as controller.
There is no in-product /clients/{id} "Privacy Actions" panel today. Client-side DSRs are handled out-of-band:
1. Receive the email. Log the date, the requesting subject, and the right invoked. Your response deadline is one month from receipt (Art. 12(3)).
2. Verify identity. Compare the requesting email/details against the data on the client record. Don't disclose personal data to anyone whose identity you can't reasonably confirm.
3. Compose the response using the data Clozo already exposes to you. The client record (/clients/{id}) shows everything you hold about them in Clozo — name, email, country, billing details, the proposals and invoices linked to them. For Art. 15 / Art. 20, you can copy this into a written response or attach the relevant invoice PDFs.
4. For erasure requests (Art. 17), keep tax-relevant data. Issued invoices and signed agreements are immutable under EU VAT Directive Art. 244 + GoBD §147 AO + national parallels. Art. 17(3)(b) GDPR explicitly permits retention for legal obligation. You can edit unsent drafts and remove the client from new mailings, but the invoice content (line items, amounts, dates) stays. Note: per [A-023], automatic Client-row pseudonymisation will follow as the cascade saga rolls out post-launch (3-PR sequencing per [A-021]); until then, manual editing of unsent drafts is the available control.
5. Email the subject within one month. Confirm what you did, cite the GDPR article, and reference the legal basis if you partially refused (e.g., retained tax-relevant data under Art. 17(3)(b)).
6. Need help extracting specific records? Email privacy@useclozo.com and we'll provide the data export needed to fulfil your obligation. We do not respond to your client directly — you remain the controller.
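The six steps above as a small controller-side register, added here as an example and not part of Clozo's product: it logs a request, checks that it comes from the address held on the client record, computes the Art. 12(3) deadline, and refuses an extension whose notice goes out after the first month. Month-end clamping (31 January plus one month lands on the last day of February) is an assumption about how the period is counted; the function names, the RIGHTS table and the sample addresses are constructed for the example.

```python
"""Controller-side DSR register: identity check against the client record,
Art. 12(3) deadline and the extension rule. Added illustration of the steps
in the article; not Clozo's code. Month-end clamping is an assumption."""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date

# Right name -> GDPR article, for citing the article in the response.
RIGHTS = {"access": 15, "rectification": 16, "erasure": 17,
          "restriction": 18, "portability": 20, "objection": 21}


def _as_date(x: str | date) -> date:
    """Accept ISO strings as well as date objects."""
    return x if isinstance(x, date) else date.fromisoformat(x)


def add_months(d: str | date, n: int) -> date:
    """d plus n calendar months; if the target month is shorter, clamp to its
    last day (31 Jan + 1 month -> 28/29 Feb). Assumed convention."""
    d = _as_date(d)
    months = d.month - 1 + n
    y, m = d.year + months // 12, months % 12 + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))


def normalise_email(e: str) -> str:
    return e.strip().lower()


@dataclass
class Dsr:
    requester_email: str
    client_email: str       # address on the client record in Clozo
    right: str              # key of RIGHTS
    received: date
    extended_on: date | None = None

    @property
    def article(self) -> int:
        return RIGHTS[self.right]

    @property
    def identity_ok(self) -> bool:
        """Minimal check: the request comes from the address on the record.
        Anything else needs manual confirmation before any data goes out."""
        return normalise_email(self.requester_email) == normalise_email(self.client_email)

    @property
    def respond_by(self) -> date:
        """One month from receipt, three if an extension was notified in time."""
        return add_months(self.received, 3 if self.extended_on else 1)


def register(requester_email: str, client_email: str, right: str, received: str | date) -> Dsr:
    """Step 1: log date, subject and the right invoked."""
    if right not in RIGHTS:
        raise ValueError(f"unknown right {right!r}; expected one of {sorted(RIGHTS)}")
    return Dsr(requester_email, client_email, right, _as_date(received))


def extend(dsr: Dsr, notice_sent: str | date) -> Dsr:
    """Art. 12(3): the subject must be told of the extension, with reasons,
    within the first month. A late notice does not buy extra time."""
    notice_sent = _as_date(notice_sent)
    if notice_sent > add_months(dsr.received, 1):
        raise ValueError("extension notice must be sent within the first month")
    dsr.extended_on = notice_sent
    return dsr


def is_overdue(dsr: Dsr, today: str | date) -> bool:
    return _as_date(today) > dsr.respond_by
```

A request received on 31 January is due by the last day of February; once an extension is notified by then, the same request is due by 30 April (three months from receipt, clamped), and a notice sent on 1 March is rejected so the original deadline stands.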