Compliance & Legal

How to handle a data subject access request (dsar) as Small Customer Success Teams

Compliance & LegalFor Small Customer Success Teams3 apps10 steps~20 min to set up

A DSAR lands in your support inbox — someone wants everything your company holds on them. You're a three-person CS team. You don't have a privacy ops function, a legal coordinator, or a dedicated ticketing workflow for this. You scramble to figure out what data lives where: Intercom threads, HubSpot contact records, Gmail conversations, maybe a Zendesk ticket. You paste it all into a Google Doc manually, miss the 30-day deadline by four days, and spend two hours on something that should take twenty minutes. You're not ignoring compliance — you just don't have the infrastructure to handle it without dropping everything else.

Build this on Starch → See the apps used

Compliance & LegalFor Small Customer Success Teams3 apps10 steps~20 min to set up

Outcome

What you'll set up

An intake flow that captures DSAR requests from email or a form, logs them to a central tracker with requester identity, date received, and deadline auto-calculated at 30 days

An automated lookup that pulls every data record tied to a contact across HubSpot, Gmail, Intercom, and Zendesk into a single compiled report ready to send or review

A deadline monitor that flags any open DSAR within 5 days of its due date and sends your team a Slack alert so nothing goes stale while you're deep in QBR season

The Starch recipe

Apps, data, and prompts

The combination of Starch apps, the data sources they pull from, and the prompts you use to drive them.

Apps used

Email Agent Task Manager Knowledge Management

Data sources & config

Starch syncs your Gmail data on a schedule to watch for DSAR intake emails and power the Email Agent triage. HubSpot is connected so the agent queries your contact and deal records live when compiling a data subject's profile. Intercom and Zendesk are connected from Starch's integration catalog; the agent queries them live when a DSAR lookup runs. Slack is connected from Starch's integration catalog for deadline alerts. Notion is connected if your runbook lives there; otherwise the Knowledge Management app stores it natively.

Prompts to copy

Monitor my Gmail inbox for any email containing 'data request', 'DSAR', 'access to my data', or 'right to be forgotten'. When one arrives, create a task titled 'DSAR – [sender name]' with a due date 28 days from today, tag it P1, and draft a reply acknowledging receipt within 3 business days.

Build me a DSAR tracker app. Each record should have: requester name, email, date received, 30-day deadline, status (received / in progress / fulfilled / denied), and a notes field. Pull from my task list any tasks tagged DSAR and auto-populate the tracker. Alert me in Slack when any DSAR is 5 days from its deadline.

Create a DSAR response runbook in my knowledge base covering: what counts as personal data at our company, which systems to check (HubSpot, Gmail, Intercom, Zendesk), how to compile and format the response package, and our legal contact for escalations. Flag the doc for review every 90 days.

Run these in Starch → or paste them into your favorite agent

Walkthrough

Step-by-step

1 Connect Gmail in Starch. Starch syncs your inbox on a schedule — the Email Agent will watch for DSAR-related keywords and surface them before they get buried under renewal threads.

2 Install the Email Agent app and set the DSAR intake rule: any email matching your keyword list gets flagged P1, a 28-day task is auto-created, and an acknowledgment draft is queued for your one-click review.

3 Build your DSAR tracker by typing into Starch: 'Create a table to track data subject access requests with requester info, date received, 30-day deadline, status, and a notes field. Populate it from my task list for anything tagged DSAR.' Starch builds the app surface.

4 Connect HubSpot from Starch's integration catalog. When a DSAR comes in, the agent queries HubSpot live for every contact record, deal, note, and activity tied to that email address.

5 Connect Intercom and Zendesk from Starch's integration catalog. Add them to your DSAR lookup so the agent also pulls conversation threads and ticket history for the requester.

6 Add a Slack alert: tell Starch 'Send a Slack message to #cs-team when any DSAR task is 5 days from its deadline and is not marked fulfilled.' Starch wires the automation.

7 Use the Knowledge Management app to write your DSAR runbook — what qualifies as personal data, the system checklist, your response format, and who signs off on the fulfillment email. This is the doc your team opens every time a request comes in.

8 When you're ready to fulfill a request, tell Starch: 'Pull all HubSpot records, Gmail threads, Intercom conversations, and Zendesk tickets for contact [email]. Compile them into a summary document with sections by data source.' Review the output, redact anything privileged, and send.

9 Mark the DSAR task fulfilled in the tracker. Status updates cascade — the Slack alert stops, the record is archived, and your audit trail is intact for when your customers' legal teams ask.

10 Set a quarterly automation: 'Every 90 days, remind me to review the DSAR runbook in my knowledge base and check whether any new data sources need to be added to the lookup checklist.'

See this running on Starch

Connect your tools, describe what you want, and the agent builds it. Closed beta is free.

Try it on Starch →

Worked example

March 2026 DSAR from former customer contact

Sample numbers from a real run

HubSpot contact record	1
Gmail threads found	14
Intercom conversations	6
Zendesk tickets	3
Days to fulfill	6
Hours of CS team time spent	1.5

On March 11, 2026, an email arrives from a former contact at a churned account: 'Please send me all personal data your company holds on me under GDPR Article 15.' The Email Agent catches it within the hour, creates a P1 task — 'DSAR – Jordan Mills' — with a deadline of April 8, and queues an acknowledgment draft. You send the acknowledgment in one click. Six days later, when you have a 90-minute window, you open Starch and type: 'Pull all data held on jordan.mills@[company].com from HubSpot, Gmail, Intercom, and Zendesk.' Starch queries each source live and returns a structured summary: 1 HubSpot contact record with 4 associated deals and 9 notes, 14 Gmail threads, 6 Intercom conversations, and 3 Zendesk tickets. You review, redact two internal notes that are purely about deal strategy and contain no personal data, and compile the package. Total active time: 90 minutes. The request is fulfilled 22 days inside the deadline. The DSAR tracker records it as closed, and the Slack alert that would have fired on April 3 never triggers.

Measurement

How you'll know it's working

DSAR fulfillment time (days from receipt to delivery, target under 28)

Percentage of DSARs acknowledged within 3 business days

Number of open DSARs within 5 days of deadline (target: zero)

Data sources covered per DSAR lookup (completeness check)

CS team hours spent per DSAR (target: under 2 hours active time)

Comparison

What this replaces

The other ways teams handle this today, and how the Starch version compares.

Manual Google Sheets tracker + copy-paste from each system

Free and already in place, but every lookup is manual — you're opening four tabs and copying records by hand, which takes 3-4 hours per request and breaks down when your volume hits even 2-3 DSARs per month.

OneTrust or TrustArc

Purpose-built for privacy compliance with audit trails and regulatory templates, but they're priced for privacy teams and enterprises — the implementation cost alone is more than a small CS team's quarterly tooling budget.

Zendesk + a custom DSAR ticket type

Works if every DSAR comes through Zendesk and all your data lives there, but it doesn't reach into HubSpot or Gmail for you, and the lookup compilation is still manual.

Your CSM doing it ad hoc from memory

No setup cost, but the process lives in one person's head, takes the longest, and is the first thing that slips during a quarterly renewal crunch.

On Starch RECOMMENDED

One platform — email agent, task manager, knowledge management all running on connected data. Setup in plain English; numbers stay current via scheduled syncs and live agent queries.

Try it on Starch →

FAQ

Frequently asked questions

Does Starch store the personal data it pulls during a DSAR lookup?

When Starch queries Intercom, Zendesk, or HubSpot during a lookup, it uses a live query from the integration catalog — the data is surfaced for the session and compiled into your report, but it's not stored in Starch's database the way scheduled-sync data is. Gmail data is synced on a schedule and lives in Starch. Worth knowing when you're thinking about your data minimization posture.

Is Starch SOC 2 certified? Does that matter for DSAR handling?

Starch is not SOC 2 Type II certified today. If your customers are asking about your subprocessor list as part of their DSAR or privacy review, you'll want to be honest about that. For most small B2B CS teams handling internal DSAR workflow coordination — not storing sensitive personal data in Starch — this is a low-risk gap. But it's a real one worth flagging to your legal contact.

What if the data subject's records are spread across a tool Starch doesn't have a direct connection to?

If the tool has a web interface you can log into, Starch can automate it through your browser — no API needed. You'd tell Starch: 'Log into [tool], search for this email address, and pull all records.' That said, for tools that require export-only access or have no searchable UI, you'll still need to pull that data manually and add it to the compiled package.

Can we use this for CCPA requests, not just GDPR?

The workflow is the same — intake, lookup across systems, compile, fulfill, document. The compliance deadlines differ (CCPA gives 45 days for initial response vs. GDPR's 30), so you'd adjust the task due-date calculation when you set up the intake automation. Tell Starch the deadline logic you want and it builds accordingly.

We only get one or two DSARs a year. Is this overkill?

Probably not. The intake detection and tracker take an hour to set up. The runbook in your knowledge base means anyone on your three-person team can handle a request without asking the person who did it last time. At one DSAR per year, the payoff is avoiding a stressful manual scramble when it lands during your QBR sprint. At five per year, it pays for itself in avoided context-switching alone.