GDPR requires companies to answer authenticated privacy inquiries within 30 days. For many websites, proving control of the user’s email account is sufficient to authenticate, e.g. for a password reset. GDPR inquiries sent from this address can thus hardly be considered unauthenticated. With IamOut, we provided a generator for legally correct inquiry emails and followed up with legal support that was free for the user.

User experience

  1. Choose a company from a list and provide the email address they signed up with at that company
  2. Choose the desired action:
    • retrieve information about stored data or
    • delete all data or
    • revoke permission to use the data for marketing purposes
  3. Receive a mailto link by email, i.e., a link that generates the appropriate email to the service provider within the user’s email program
  4. Optionally request the system to remind them with another email after the legal deadline for a reply by the company has expired

Three screens of the app, showing a list of companies to select from, the described list of actions, and a confirmation message. The screenshot is in German.

Value

Users receive legally checked emails, addressed to the appropriate receiver for each service. Generating the emails on the client side allows them to be sent from the user’s email address, which implicitly authenticates them.

The reminder email offered free legal enforcement by our lawyers in case the companies did not respond.

Current state

The MVP ran for about one year and was stopped in 2022 in favor of other projects.