Data requests

About this page

Under the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the French Data Protection Act, you have the right to access, correct, delete, restrict, port, and object to the processing of personal data Apshan holds about you. This page describes how to exercise those rights.

Apshan handles every request without undue delay, free of charge, and within the timelines set by the GDPR. We commit to facilitating the exercise of your rights, not obstructing it.

Your rights under the GDPR

Right of access (Art. 15)

Obtain confirmation of whether Apshan processes personal data about you, and a copy of that data along with information about the purposes, categories, recipients, retention, and source.

Right to rectification (Art. 16)

Have inaccurate or incomplete personal data corrected.

Right to erasure (Art. 17)

Have your personal data deleted, including the "right to be forgotten," subject to the limited exceptions in Article 17(3).

Right to restriction (Art. 18)

Limit how Apshan processes your data while a question about its accuracy or lawfulness is being resolved.

Right to portability (Art. 20)

Receive the personal data you provided to Apshan in a structured, commonly-used, machine-readable format, and transmit it to another controller.

Right to object (Art. 21)

Object to processing based on legitimate interests, including profiling, and to direct marketing.

Right against automated decisions (Art. 22)

Not be subject to a decision based solely on automated processing that produces legal effects or similarly significantly affects you. Apshan does not perform such automated decision-making.

Right to withdraw consent (Art. 7)

Where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.

How to submit a request

Send your request to dsar@apshan.com with the subject line "Data request". Include:

• the right you wish to exercise (access, rectification, erasure, etc.);
• a clear description of the data or processing concerned;
• the email address associated with your Apshan account or interaction (if applicable);
• any additional context that will help us locate the right records.

We acknowledge receipt of every request within seventy-two (72) hours. You do not need to use a specific form, follow a specific format, or cite GDPR articles. Plain language is fine.

Identity verification

To prevent unauthorized disclosure of personal data, Apshan may ask for additional information to verify your identity, in line with GDPR Article 12(6) and Recital 64. Verification typically involves confirming the email address tied to your account or interaction; we ask for the minimum information necessary.

Apshan does not retain identity-verification data beyond what is needed to process your request. We will not use identity verification as a pretext to delay or refuse a legitimate request.

Response timeline

Apshan responds to data subject requests within one (1) month of receipt, per GDPR Article 12(3). Where the request is complex or where multiple requests have been received, the response period may be extended by an additional two (2) months. In that case we will inform you of the extension and the reasons for it within the initial one-month period.

Requests received electronically are answered electronically unless you ask otherwise. Information is provided in a commonly used, machine-readable format where applicable.

Cost

Data subject requests are free of charge (GDPR Article 12(5)). Where a request is manifestly unfounded or excessive, particularly because of its repetitive character, Apshan may either charge a reasonable fee reflecting administrative costs or refuse to act, and the burden of demonstrating the unfounded or excessive character lies with Apshan.

Where you request additional copies of personal data already provided, Apshan may charge a reasonable administrative fee in accordance with Article 15(3).

When we may not be able to act

Apshan may decline a request, in whole or in part, in limited circumstances:

• where the request is manifestly unfounded or excessive (Article 12(5)); the burden of proof lies with Apshan;
• where acting on the request would adversely affect the rights and freedoms of others (Article 15(4)), including third-party data contained in the requested set;
• where Apshan cannot identify you as a data subject in the records concerned (Article 11(2));
• where a specific legal obligation requires retention of the data (e.g., French commercial code requirements for billing records).

If Apshan declines a request, we explain the reason within the response timeline above and inform you of your right to lodge a complaint with the CNIL and to seek a judicial remedy.

Training data and AI

Apshan does not use Customer Data to train AI models. Rights against AI training datasets therefore do not arise in connection with Apshan's processing.

Where Apshan integrates with third-party AI clients of your choice (the LLM you connect through), the AI provider's processing of your queries is governed by their own privacy policy. To exercise rights against that provider, contact them directly. The current list of officially supported AI clients is documented at /mcp.

Lodge a complaint with the CNIL

If you are dissatisfied with how Apshan has handled your request, you have the right to lodge a complaint with the French data protection authority, the Commission Nationale de l'Informatique et des Libertés (CNIL):

Online complaint

cnil.fr/fr/plaintes

Postal address

3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France

Phone

+33 1 53 73 22 22

You also have the right to a judicial remedy under GDPR Article 79.

Where to learn more

Privacy

What Apshan collects, why, and how long we keep it: /privacy.

Trust

Compliance posture and AI Act stance: /trust.

Subprocessors

Named third parties that process data on Apshan's behalf: /subprocessors.

Security

Security controls and incident response: /security.

Contact

dsar@apshan.com
Apshan, 6 Rue d'Armaillé, 75017 Paris, France.