How to handle a data subject access request (DSAR) as a DTC Brand Founder

Compliance & Legal | For DTC Brand Founders | 3 apps | 12 steps | ~24 min to set up

A customer emails saying they want all their data deleted — order history, email list, everything. You know GDPR and CCPA apply to your DTC store because you ship to California and have EU customers from that one influencer campaign. But your customer data is split across Shopify (orders, addresses), Klaviyo (email flows, segments), Meta Ads (custom audiences), and Gmail (support threads). There's no process. You manually forward the email to yourself, make a note in a Google Sheet, then forget about it for two weeks until legal exposure starts nagging you. The 30-day CCPA clock and 30-day GDPR clock don't care that you're also running a restock drop.

Outcome

What you'll set up

A structured DSAR intake log that captures every deletion or data-access request the moment it hits your inbox, with timestamps and deadlines calculated automatically
An automated triage workflow that identifies which systems hold the requester's data — Shopify orders, Klaviyo subscriber records, Gmail threads — and drafts your acknowledgment reply within minutes
A task-based checklist that tracks each DSAR through completion, flags overdue requests before the legal deadline, and gives you a defensible paper trail if you're ever audited
The Starch recipe

Apps, data, and prompts

The combination of Starch apps, the data sources they pull from, and the prompts you use to drive them.

Data sources & config

Starch syncs your Gmail data on a schedule so the Email Triage app catches DSAR requests as they land. Connect Shopify from Starch's integration catalog; the agent queries it live to look up order and customer records when verifying a requester's identity. Meta Ads Manager and Klaviyo are reachable from Starch's integration catalog for live queries, and Starch automates the Meta data deletion submission through your browser — no API needed. The Knowledge Management app connects to Notion on a scheduled sync to keep your internal deletion SOPs in sync.

Prompts to copy
Monitor my Gmail inbox for any email containing 'data request', 'delete my data', 'CCPA', 'GDPR', 'right to erasure', or 'access my information'. When one arrives, extract the sender's name and email, log it to my DSAR tracker with today's date and a deadline 30 days out, draft an acknowledgment reply confirming receipt and our timeline, and create a P1 task reminding me to complete the request by that deadline.
Build me a DSAR knowledge base that documents our step-by-step deletion process for each system we use: how to delete a Shopify customer record, how to suppress a Klaviyo contact, how to remove someone from Gmail threads, and how to submit a data deletion request to Meta through the Business Manager portal. Make it searchable so I or a team member can pull up the exact steps in under a minute.
Show me all open DSAR tasks with their deadlines sorted by urgency, flag any that are within 7 days of expiring, and give me a weekly summary every Monday morning of how many requests we received, completed, and have pending.
Walkthrough

Step-by-step

1. Start the Email Triage app (live in the App Store) and tell Starch to watch your Gmail inbox for DSAR-related keywords: 'delete my data,' 'right to erasure,' 'CCPA request,' 'GDPR request,' 'access my information,' and variations. Starch syncs your Gmail data on a schedule and flags matches immediately.
2. When a match is detected, Starch extracts the requester's full name and email address, logs the intake with today's timestamp, and calculates the response deadline (30 days for CCPA, 30 days for GDPR Article 17) — automatically, without you touching a spreadsheet.
3. Starch drafts an acknowledgment email for you to review and send with one click: it confirms receipt, names the deadline you'll respond by, and includes your business name. You're not writing this from scratch at 11pm.
4. A P1 task is created in Task Manager with the requester's name, email, intake date, and hard deadline. You see it in your priority queue alongside everything else; it won't get buried.
5. Connect Shopify from Starch's integration catalog. When working a DSAR, ask Starch: 'Find all orders and customer records associated with [email address] in Shopify' — the agent queries it live and returns every order ID, shipping address, and purchase history tied to that contact.
6. Query Klaviyo from Starch's integration catalog the same way: 'Find all subscriber records, segments, and campaign activity for [email address] in Klaviyo.' This tells you exactly which lists and flows they're in before you suppress or delete them.
7. For Meta custom audiences, Starch automates the data deletion request through your browser — no Meta API required. Starch navigates Business Manager to the data deletion request portal and submits on your behalf, then logs confirmation back to your DSAR record.
8. Search your Gmail threads via the Email Triage app for any support conversations with that email address so you know what communication history exists and can document your handling decision.
9. Open the Knowledge Management app — which you've built with your step-by-step deletion SOPs for each platform — to confirm you've hit every required step. Ask Starch: 'What's our deletion checklist for a Shopify + Klaviyo + Meta customer?' and it returns the exact documented steps.
10. Once deletion is confirmed across all systems, mark the Task Manager item complete. Starch logs the completion date, giving you a timestamped record: intake date, acknowledgment sent, actions taken, completion date.
11. Pull a monthly DSAR summary by asking Starch: 'How many data requests did we receive in the last 30 days, what's the average time to completion, and are any still open?' — gives you the audit-ready overview without manually counting rows in a sheet.
12. If you're hit with a data access request (not deletion — the customer wants a copy of their data), Starch can compile the Shopify order history and Klaviyo activity into a structured summary you send to the requester, meeting the 'right to access' requirement without a custom export.
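
The intake logic from steps 1, 2 and 4 and the 7-day flag from the prompts, written out as an added example (this is not Starch's code; every name in it is hypothetical). It uses the keyword list from the prompt and the 30-day window stated on this page, and it assumes a follow-up mail from the same address must not restart the clock.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from email.utils import parseaddr
import re

# Keyword list taken from the page's prompt; matching is case-insensitive.
KEYWORDS = ["data request", "delete my data", "ccpa", "gdpr",
            "right to erasure", "access my information"]
PATTERN = re.compile("|".join(rf"\b{re.escape(k)}\b" for k in KEYWORDS), re.I)
RESPONSE_DAYS = 30   # the window this page uses for both regimes
WARN_DAYS = 7        # flag requests this close to the deadline

@dataclass
class Dsar:
    name: str
    email: str
    received: date
    deadline: date
    matched: str
    done: bool = False

def triage(messages):
    """Return one Dsar per requester; the earliest matching mail sets the clock."""
    log = {}
    for m in sorted(messages, key=lambda m: m["date"]):
        hit = PATTERN.search(m["subject"] + "\n" + m["body"])
        if not hit:
            continue
        name, addr = parseaddr(m["from"])
        addr = addr.lower()
        if addr and addr not in log:   # a follow-up must not reset the deadline
            log[addr] = Dsar(name, addr, m["date"],
                             m["date"] + timedelta(days=RESPONSE_DAYS),
                             hit.group(0).lower())
    return list(log.values())

def due_soon(log, today):
    """Open requests whose deadline is within WARN_DAYS of today, or already past."""
    return sorted((d for d in log if not d.done
                   and (d.deadline - today).days <= WARN_DAYS),
                  key=lambda d: d.deadline)

# Constructed sample inbox (not real data).
INBOX = [
    {"from": "Anna Example <anna@example.de>", "date": date(2026, 4, 3),
     "subject": "Erasure", "body": "I'm exercising my right to erasure under GDPR."},
    {"from": "anna@example.de", "date": date(2026, 4, 10),
     "subject": "Re: Erasure", "body": "Any update on my GDPR request?"},
    {"from": "Bob <bob@example.com>", "date": date(2026, 4, 20),
     "subject": "Where is my order?", "body": "Tracking has not updated."},
]
```

Keyword matching only finds candidates: a request worded without any of these terms is missed, so the log still needs a manual entry path.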

Worked example

April 2026 DSAR — EU customer, deletion + access request

Sample numbers from a real run
Time to log and acknowledge request: 4
Time to locate data across Shopify + Klaviyo + Meta (manual): 45
Time to locate data across Shopify + Klaviyo + Meta (Starch): 8
Days until deadline (GDPR Article 17): 30
Days to completion with Starch workflow: 6

On April 3, a customer who bought twice from your store emails: 'I'm exercising my right to erasure under GDPR. Please delete all my personal data and confirm in writing.' Starch catches it in Gmail within the next sync cycle, logs the intake at 2:14pm with a May 3 deadline, and drafts an acknowledgment reply that you approve and send in 90 seconds. A P1 task drops into Task Manager: 'DSAR — anna.mueller@email.de — deadline May 3.' The next morning, you open Starch and query Shopify live: two orders ($87 and $134), one shipping address in Hamburg, one saved payment method. You query Klaviyo: she's in your 'repeat buyer' segment and received 14 campaign emails. Starch automates the Meta data deletion submission through your browser — no digging through Business Manager menus. You suppress her in Klaviyo, delete the Shopify customer record, and check your Knowledge Management SOP to confirm you haven't missed a system. Total active time: about 25 minutes across two days. Task marked complete April 9 — 24 days before the deadline. The timestamped log is your paper trail if the EU supervisory authority ever asks.

Measurement

How you'll know it's working

DSAR response rate within legal deadline (30 days) — the one metric that matters for regulatory exposure
Average time from intake to completion — if it's taking more than a week, you have a process problem
Number of open DSARs at any given time — should be visible at a glance, not hidden in a spreadsheet
Data systems touched per request — tracks how many platforms (Shopify, Klaviyo, Meta, Gmail) each deletion actually requires, useful for scoping future compliance work
Acknowledgment response time — GDPR expects you to confirm receipt; tracking this shows you're operating in good faith
Comparison

What this replaces

The other ways teams handle this today, and how the Starch version compares.

Google Sheets + Gmail labels
Free and flexible, but you're manually logging every request, calculating deadlines by hand, and there's no alert when a deadline is 7 days out — the whole system falls apart the week you're running a sale.
OneTrust or TrustArc
Purpose-built privacy compliance platforms with audit trails and automated workflows, but they're priced for enterprise legal teams — expect $15,000+ per year — and won't connect to your Shopify or Klaviyo data without significant setup.
Zendesk with a DSAR tag
Works as an intake tracker if you're already using Zendesk for support, but it doesn't query your Shopify or Klaviyo data, can't automate Meta deletions, and you still need to build the process manually around it.
Notion database + manual checklist
Gives you a structured log and SOP docs, but nothing is automated — every request still requires you to manually find the customer across platforms and track deadlines yourself.
On Starch (recommended)

One platform — founder inbox, task manager, knowledge management all running on connected data. Setup in plain English; numbers stay current via scheduled syncs and live agent queries.

FAQ

Frequently asked questions

Do I actually have to comply with GDPR if my DTC store is based in the US?
If you ship to the EU or collect email addresses from EU residents — including through Meta ad campaigns targeting European countries — GDPR applies to you. CCPA applies if you sell to California residents and meet certain thresholds. Most DTC brands with any meaningful scale hit at least one of these. Starch doesn't give legal advice, but the workflow here assumes you need to take these requests seriously.
Does Starch actually delete customer data from Shopify and Klaviyo, or just find it?
Starch queries Shopify and Klaviyo to locate the relevant records and surfaces exactly what exists. The deletion actions themselves — removing a Shopify customer, suppressing a Klaviyo contact — you confirm and execute. For Meta, Starch automates the browser-based submission through your browser. This is intentional: a human should be in the loop on irreversible data deletions.
What if the DSAR comes through Instagram DMs or a contact form, not email?
The Email Triage app watches Gmail. If your contact form submissions go to Gmail, they're covered. Instagram DMs are browser-reachable — you can build an automation that checks your Instagram inbox through browser automation and flags messages containing deletion-related keywords, then logs them the same way. Tell Starch what you want and it builds the surface.
Is Starch SOC 2 certified? My legal counsel is asking.
Not yet — Starch is not SOC 2 Type II certified today. That's worth knowing if your legal team has a hard certification requirement. It's on the roadmap. For most early-stage DTC operators, the operational risk of having no DSAR process at all is much higher than the certification gap.
Can I handle both deletion requests and data access requests (where the customer wants a copy of their data)?
Yes. For access requests, you ask Starch to compile everything it finds — Shopify order history, Klaviyo campaign activity — into a structured summary you can send to the requester. It's the same data lookup, different output. The Knowledge Management SOP can document both flows so whoever handles it (you or a team member) follows the right steps.
What if we get a high volume of DSARs after a PR incident or data breach?
The intake and triage automation scales — every request that hits your Gmail gets logged and acknowledged automatically regardless of volume. The bottleneck becomes the actual deletion work across platforms, which still requires human confirmation. That's a genuine limit of this setup: it's built for the 2–10 requests per month pattern, not a 500-request spike. At that point you'd want dedicated privacy tooling.
