Data subject rights

Last updated: 2026-04-11 • ← Privacy

Backbuild supports the data subject rights granted by GDPR, UK GDPR, the Swiss FADP, and equivalent rights under the CCPA. Because Gable Digital Solutions, Inc. (operating the Backbuild platform) is a data processor for customer-uploaded data, so requests are typically submitted by the customer on behalf of their end users. Backbuild assists customers in responding to their own data subject requests.

Rights under GDPR Articles 15-22

• Right of access (Art. 15): data subjects can request a copy of their personal data. A machine-readable export is available through /v1/users/:id/data-export, which customers can invoke on behalf of their users.
• Right to rectification (Art. 16): inaccurate or incomplete personal data can be corrected through the administrative interface or through the API.
• Right to erasure (Art. 17): personal data can be deleted through api.user_delete_with_cascade, which removes a user and their associated records across all distributed database shards. Audit log retention and legal holds are respected as applicable.
• Right to restrict processing (Art. 18): processing can be restricted on a per-user basis at the customer's request during a dispute about accuracy or lawfulness.
• Right to data portability (Art. 20): the data export endpoint returns data in a structured, commonly used, machine-readable JSON format.
• Right to object (Art. 21): data subjects can object to processing based on legitimate interests. Backbuild will assess the objection and stop processing unless compelling legitimate grounds override the objection.
• Rights related to automated decision-making (Art. 22): Backbuild does not subject data subjects to solely automated decisions that produce legal or similarly significant effects without human review.

CCPA equivalent rights

• Right to know: what personal information is collected, the sources, purposes, and categories of third parties with whom it is shared.
• Right to delete: personal information collected from the consumer, subject to statutory exceptions.
• Right to correct: inaccurate personal information.
• Right to opt out of sale or sharing: Backbuild does not sell personal information and does not share it for cross-context behavioral advertising.
• Right to non-discrimination: exercising rights does not affect the level or quality of service.

How to exercise a right

Data subjects can exercise their rights through the following channels:

• Through the customer: if you are an end user of a customer's application, submit your request to that customer. Backbuild will assist the customer in fulfilling it.
• In-app settings: where the platform exposes self-service controls (such as profile management and data export), they can be used directly.
• Email: requests can be sent to privacy@backbuild.ai.

Identity verification

Before fulfilling a request, Backbuild verifies the identity of the requester through an appropriate mechanism. Where the request is made through a customer, the customer is responsible for verifying the identity of their end users. Where the request is made directly to Gable Digital Solutions, Inc., identity is verified through the account's registered communication channels.

Response time

Backbuild responds to valid data subject requests within 30 days of receipt. Where a request is complex or where multiple requests are received, the response period may be extended by up to 60 additional days (for a total of 90 days) as permitted by GDPR Article 12(3). The requester will be informed of any extension and the reasons for it.