How to handle a data subject access request (DSAR) as a CPG founder

Compliance & Legal | For CPG Founders | 3 apps | 12 steps | ~24 min to set up

A consumer on your email list or a wholesale buyer submits a data deletion or access request. You have no idea where their data actually lives — it's scattered across your Shopify customer records, your email marketing platform, Gmail threads, and whatever CRM you've cobbled together. There's no DSAR log, no response deadline tracker, no standard reply. You're manually hunting through systems you barely remember connecting, trying to respond within 30–45 days (CCPA) or 30 days (GDPR) before you're technically in violation. For a two-person CPG team that's also managing a co-packer delivery, this is a full afternoon of reactive work every time it happens.

Outcome

What you'll set up

A central DSAR intake log that captures every request, auto-calculates the response deadline, and tracks request status from receipt to closure
An email triage workflow that flags incoming DSARs in your Gmail and drafts a compliant acknowledgment reply within minutes of receipt
A task-based fulfillment checklist that walks you through every data source you need to check — Shopify, email lists, CRM, Gmail threads — so nothing is missed and you have an audit trail

The Starch recipe

Apps, data, and prompts

The combination of Starch apps, the data sources they pull from, and the prompts you use to drive them.

Data sources & config

Starch connects directly to Gmail as a scheduled-sync provider, so the Email Triage app monitors your inbox and surfaces flagged messages on a schedule. Shopify and Klaviyo are connected from Starch's integration catalog and queried live when your fulfillment checklist runs. The Knowledge Management app uses Notion as a scheduled-sync provider to keep your DSAR policy page and request log synced. Task Manager runs independently with no external connection required — it's your internal deadline tracker.

Prompts to copy
Monitor my Gmail for any incoming data subject access requests or data deletion requests. When one arrives, flag it as P1 priority, summarize what the person is asking for, and draft a compliant acknowledgment email confirming we received the request and will respond within 30 days.
When I receive a new DSAR, create a task list with the following subtasks and deadlines: (1) send acknowledgment — due today, (2) search Shopify for this email address and export their order history — due in 7 days, (3) search Klaviyo for this contact's subscription status and email history — due in 7 days, (4) check Gmail for any direct correspondence with this person — due in 10 days, (5) compile findings and draft response or deletion confirmation — due in 25 days, (6) send final response — due in 29 days. Set the parent task due date to 29 days from today.
Build me a DSAR intake wiki page that documents: what a DSAR is, our legal obligations under CCPA and GDPR, the list of every system where we hold customer data (Shopify, Klaviyo, Gmail, our CRM), who on the team owns DSAR responses, and our standard response templates for access requests and deletion requests. Keep a log table at the bottom that tracks each request received, the requestor email, the date received, the deadline, and the date closed.

Walkthrough

Step-by-step

1. Connect your Gmail in Starch as a scheduled-sync provider. The Email Triage app (pre-built starter: Founder Inbox) begins monitoring your inbox for keywords like 'data request,' 'delete my data,' 'what data do you have,' and 'privacy request' and surfaces these as P1 priority items.
2. For each flagged email, the Email Triage app summarizes the request in one sentence and drafts an acknowledgment reply confirming receipt and your 30-day response window. You review and send with one click — this step takes under two minutes.
3. The moment you send the acknowledgment, tell Starch's Task Manager to create a new DSAR fulfillment task with the requestor's email, today's date, and a 29-day deadline. Starch generates the full subtask checklist automatically from the prompt you've already saved.
4. Work the subtask list: connect Shopify from Starch's integration catalog and ask Starch to query all records associated with the requestor's email address — orders, addresses, account data. Export the results to a draft response document.
5. Connect your email marketing platform (Klaviyo, Mailchimp, or whichever you use) from Starch's integration catalog and query the contact record for that email. Capture subscription status, segments, purchase history tags, and any suppression status.
6. Search your Gmail sync for any direct correspondence with that email address. The scheduled sync means Starch already has this data — just query it and export the thread list.
7. If you use a CRM (HubSpot, Capsule, or another tool connected from Starch's integration catalog), query the contact record and pull any notes, deal history, or logged calls associated with the requestor.
8. Compile all findings into a single response document. For access requests, this becomes the data export you send. For deletion requests, this becomes your deletion checklist — one row per system, one checkbox per deletion confirmed.
9. Execute deletions in each system. For any platform without a direct API delete function, Starch can automate the deletion workflow through your browser — no API needed — so you're not manually clicking through admin panels.
10. Draft the final response email in Starch's Email Triage app. The draft includes a summary of what data you found, what action you took, and confirmation of compliance. Review and send.
11. Log the completed request in your Knowledge Management DSAR intake page: requestor email, date received, date closed, action taken, and a one-line summary. This is your audit trail if you're ever asked to demonstrate compliance.
12. Mark the parent task complete in Task Manager. Starch tracks your weekly completion rate — if DSARs are piling up, you'll see the pattern before it becomes a compliance risk.

Worked example

February 2026 DSAR — Wholesale Buyer Deletion Request

Sample numbers from a real run
Requestor identified in Gmail: 0
Shopify order records found (3 orders, 2022–2024): 3
Klaviyo contact record — subscribed, 2 segments: 1
Gmail threads found with this contact: 4
CRM (Capsule) opportunity record: 1
Systems where deletion was confirmed: 5
Days to close (CCPA limit: 45, GDPR limit: 30): 18

On February 3rd, a former wholesale buyer emails your brand Gmail asking you to delete all their personal data under CCPA. Starch's Email Triage app flags it as P1 within the next sync window, summarizes it as 'deletion request from a wholesale buyer, cites CCPA,' and drafts an acknowledgment reply. You send it in 90 seconds. Starch's Task Manager creates a 12-step fulfillment checklist with a February 28th hard deadline. Over the next week, you query Shopify (three orders between 2022 and 2024), Klaviyo (one contact record, two audience segments), Gmail (four direct email threads), and Capsule CRM (one opportunity record with notes). For the Klaviyo deletion, Starch automates the suppression and contact deletion through your browser — no API delete endpoint needed. You compile a deletion confirmation letter, send it on February 21st — 18 days after receipt — and log the closure in your Notion-backed DSAR intake wiki. You have a timestamped audit trail for all five systems. Total founder time spent: about 90 minutes across three sessions, mostly review work rather than hunting.

Measurement

How you'll know it's working

DSAR response time (days from receipt to final response) — target under 30 days for GDPR, 45 for CCPA
Number of open DSARs with fewer than 7 days remaining on their deadline
Systems confirmed cleared per deletion request (target: 100% of systems in your data inventory)
Acknowledgment sent within 48 hours of receipt (yes/no per request)
Audit trail completeness — does every closed request have a log entry with action taken and date closed?

Comparison

What this replaces

The other ways teams handle this today, and how the Starch version compares.

Manual Gmail + Google Sheets log
Works for one or two requests a year, but there's no automatic flagging, no deadline math, and no subtask generation — you'll miss a request or a deadline the moment you're heads-down on a production run.
OneTrust or TrustArc
Purpose-built compliance platforms with strong audit trails, but they're priced for legal and compliance teams at mid-market companies — typically $10,000+ per year and require dedicated configuration time your team doesn't have.
Zapier + Airtable DSAR tracker
You can build a functional intake log with Zapier triggers and an Airtable base, but you're writing the automation logic yourself, maintaining it when APIs change, and still doing the data-gathering manually across each system.
Your outside counsel handling DSARs ad hoc
Defensible, but at $300–500/hour for a compliance attorney to walk through this with you every time, it's expensive for a workflow that just needs a good checklist and a deadline tracker.
On Starch (recommended)

One platform — founder inbox, task manager, knowledge management all running on connected data. Setup in plain English; numbers stay current via scheduled syncs and live agent queries.

FAQ

Frequently asked questions

Does Starch actually delete my customers' data from Shopify and Klaviyo, or does it just tell me to?
Starch can query your Shopify and Klaviyo records to find what data exists, which is the most time-consuming part of a DSAR. For deletion, Starch can automate the deletion steps through your browser — clicking through admin panels, confirming suppression, etc. — without needing a formal delete API. You review and approve before anything is deleted. Starch does not delete data autonomously.
We're a small CPG brand. Do CCPA and GDPR actually apply to us?
CCPA applies to for-profit businesses that meet any one of three thresholds: annual gross revenue over $25M, buying/selling/receiving data of 100,000+ California consumers per year, or deriving 50%+ of annual revenue from selling personal information. Many growing CPG brands hit the second threshold faster than they expect — especially if you're running email marketing to a California customer list. GDPR applies if you have any EU customers. If you sell on Amazon or your Shopify store ships internationally, you likely do. Better to have a DSAR process now than to build one in response to a complaint.
What counts as personal data for a CPG brand?
More than most founders assume. Name, email, shipping address, and order history are the obvious ones. But also: email open/click history in your marketing platform, any browsing or purchase behavior tracked by your Shopify pixel, customer service correspondence, and any notes you've logged in a CRM. If you've connected a loyalty program, that data counts too. The DSAR fulfillment checklist Starch builds for you covers every system you've told Starch you use — which is why the Knowledge Management data inventory step matters.
Is Starch SOC 2 certified? I want to make sure my customer data is handled securely.
Starch is not currently SOC 2 Type II certified. If your procurement process or a retail partner requires SOC 2, that's worth knowing upfront. For most early-stage CPG brands doing DSARs for individual consumers, the practical risk is more about having a documented, timely process than about the platform's certification status — but we'd rather you have the full picture.
Can I use Starch if my customer data lives in a platform that's not in your list?
Probably yes. Starch connects to 3,000+ apps through its integration catalog, plus any website through browser automation. If your platform has a web admin interface you log into, Starch can automate data lookups and deletion steps through your browser — no API needed. The only limitation is that live-queried apps aren't stored in Starch, so you're querying them in real time rather than searching a local copy of their data.
How long does it take to set this up?
The Email Triage app is a pre-built starter — connecting your Gmail and configuring the DSAR keyword filter takes about 15 minutes. Building the Task Manager checklist template and the Knowledge Management intake log requires a few natural-language prompts to Starch; most founders have a working version in under an hour. The main ongoing work is the actual data-gathering per request, which this setup reduces from an afternoon to about 90 minutes of guided review.
