Privacy | GDPR | CCPA | LGPD | Deep Prototype

DsarTrack — Privacy Rights Request Tracker

22 seeded privacy rights requests across GDPR Art 15/16/17/20, CCPA right-to-know / delete / opt-out, and LGPD. Per-request SLA clock with regulatory citation, identity verification status, sub-system fanout to Stripe / Snowflake / Sentry, and the workflow steps from intake to delivery.

What it is

The shape every privacy team needs after a DSAR shows up in the legal inbox. Each request gets the SLA clock per regulation (30 days GDPR, 45 days CCPA, 15 days LGPD), the identity-verification step, the per-system fanout, and the audit-ready trail.

What’s in it

  • 22 seeded requests across the realistic mix: GDPR Art 15 access requests, Art 17 erasure (with one rejected for BSA-retention legal hold), Art 20 portability with JSON export, CCPA right-to-know (45-day SLA), CCPA delete with sub-processor fanout, CCPA opt-out and GPC honor, LGPD requests, restriction-of-processing, objection to direct marketing.
  • Per-regulation SLA citations — GDPR Art 12(3) 30-day with 2-month complex extension; CCPA §1798.130(a)(2) 45-day with 45-day extension; LGPD Art 19 15-day.
  • Sub-system fanout tracker — for each request, the list of systems (Production DB, Stripe, Snowflake, Sentry, Mailchimp, Segment, Intercom) with per-system status (pending / done / failed), records-touched count, completed-at timestamp. One seeded request has a Sentry export failure — the kind of edge case that breaks SLAs.
  • Identity-verification gate — workflow can’t progress to collection without verified ID. SLA continues to run regardless.
  • Step tracker — Received → ID verified → Scope confirmed → Collecting → Reviewed → Export prepared → Delivered. Per-step status visible.
  • Rejection-with-reason flow — one seeded request shows the rejected pattern: legal-hold preservation per FinCEN BSA records-retention. GDPR Art 12(4) notification language captured.
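A sketch of how the SLA clock, the identity gate, and the fanout status listed above fit together. This is an added example, not DsarTrack's own code. The field names, the sample request, and the choice to hold every step after "Received" until ID is verified are assumptions; the day counts and citations are the ones this page gives.

```javascript
// Added example, not DsarTrack's source. Day counts and citations are the ones
// this page lists; field names and the sample request are constructed.
const DAY = 86400000;
const STEPS = ["Received", "ID verified", "Scope confirmed", "Collecting",
  "Reviewed", "Export prepared", "Delivered"];
const REGS = {
  GDPR: { cite: "GDPR Art 12(3)", days: 30, ext: { months: 2 } },
  CCPA: { cite: "CCPA §1798.130(a)(2)", days: 45, ext: { days: 45 } },
  LGPD: { cite: "LGPD Art 19", days: 15, ext: null }, // page lists no extension
};

// The deadline is anchored to receipt, so a slow ID check never moves it.
function dueDate(req) {
  const reg = REGS[req.regulation];
  if (!reg) throw new Error(`unknown regulation: ${req.regulation}`);
  const due = new Date(Date.parse(req.receivedAt) + reg.days * DAY);
  if (req.extended) {
    if (!reg.ext) throw new Error(`${reg.cite}: no extension available`);
    if (reg.ext.months) due.setUTCMonth(due.getUTCMonth() + reg.ext.months);
    else due.setUTCDate(due.getUTCDate() + reg.ext.days);
  }
  return due;
}

// Next allowed step, or null when finished or held at the identity gate.
function nextStep(req) {
  const i = STEPS.indexOf(req.step);
  if (i < 0 || i === STEPS.length - 1) return null;
  return req.idStatus === "verified" ? STEPS[i + 1] : null;
}

// One row of the tracker: clock state plus whatever is blocking delivery.
function clock(req, now) {
  const due = dueDate(req);
  const daysLeft = Math.ceil((due - now) / DAY);
  const open = req.step !== "Delivered";
  return {
    cite: REGS[req.regulation].cite,
    dueAt: due.toISOString().slice(0, 10),
    daysLeft,
    breached: open && daysLeft < 0,
    idBlocked: open && req.idStatus !== "verified",
    failedSystems: req.fanout.filter(s => s.status === "failed").map(s => s.system),
  };
}

const sample = { regulation: "GDPR", receivedAt: "2025-01-10T00:00:00Z",
  extended: false, idStatus: "pending", step: "Received",
  fanout: [{ system: "Stripe", status: "done" }, { system: "Sentry", status: "failed" }] };
console.log(clock(sample, Date.parse("2025-02-01T00:00:00Z")));
```

The sample request is stuck at the identity gate and has a failed Sentry export, yet its days-remaining count keeps falling, which is the situation a reviewer should see flagged before the deadline passes.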

Why this shape

Privacy-rights workflows are where regulatory exposure quietly accumulates. Every missed SLA is a complaint to the DPA. Every undocumented identity-verification step is an audit finding. DsarTrack puts the SLA, the verification, the fanout, and the citation in one shape that survives examination.

How it ships

Single HTML file, ~38KB. Zero dependencies. The regulation map, request-type catalog, SLA deadline math, sub-system fanout, and 22-request seed are 320 lines of vanilla JavaScript.
