GDPR and Your Subscription Data Rights
As an EU or UK resident, you have powerful rights over your subscription data. Learn how to access, export, and delete your personal information from any service.
Who Does GDPR Cover?
EU residents, EEA countries, and UK citizens. Your location matters, not the company's.
US company serving EU customers? They must comply with GDPR for EU users.
Your 6 Core Rights
Right to Access
You can request a copy of all personal data a company holds about you. This includes your subscription history, payment details, usage data, and any profiling information.
How to exercise: Email privacy@[company].com with subject 'Subject Access Request'
Right to Data Portability
You can receive your data in a structured, machine-readable format (usually CSV or JSON) and transfer it to another service.
How to exercise: Request export in settings or email support. Must be provided within 30 days.
Right to Erasure ('Right to be Forgotten')
You can request complete deletion of your personal data. Companies must comply unless they have legal grounds to retain (like tax records).
How to exercise: Email privacy@[company].com or use account deletion in settings. Should complete within 30 days.
Right to Rectification
You can correct inaccurate personal data. Wrong billing address or name spelling? They must fix it.
How to exercise: Usually in account settings, or email support with correction details.
Right to Restrict Processing
You can request that a company stop using your data while keeping it stored. Useful during disputes.
How to exercise: Email privacy@[company].com explaining which processing to restrict and why.
Right to Object
You can object to your data being used for marketing, profiling, or sold to third parties.
How to exercise: Look for 'opt out' or email privacy team. Must be honored within 30 days.
What Data Do Subscription Services Collect?
Sample Data Request Email
To: privacy@[company].com
Subject: Subject Access Request (GDPR Article 15)
Dear [Company] Privacy Team,
I am writing to request access to all personal data you hold about me under GDPR Article 15.
Account email: [your@email.com]
Please provide:
1. All personal data you process
2. Purposes of processing
3. Third parties you share data with
4. Data retention periods
I request this in a structured, electronic format (CSV/JSON).
Please respond within 30 days as required by GDPR.
Sincerely,
[Your Name]
SaveSub's GDPR Compliance
We take data rights seriously:
- One-click data export in Settings → Privacy
- Account deletion completes within 30 days
- EU data stays on EU servers (GDPR compliant hosting)
- No data selling or marketing use
- DPO contact: privacy@savesub.app
FAQs
Does GDPR apply to me?
Yes, if you're in the EU, EEA (Norway, Iceland, Liechtenstein), or UK. These regulations protect residents regardless of where the company is based. A US company serving EU customers must comply with GDPR for those customers.
How long do companies have to respond to my request?
30 days by default. This can be extended to 60 days for complex requests, but they must notify you of the extension. If they don't respond, you can complain to your national Data Protection Authority (ICO in UK, CNIL in France, etc.).
Can they charge me for accessing my data?
No, not for standard requests. They can only charge a 'reasonable fee' if requests are manifestly unfounded or excessive (like requesting the same data multiple times). The first request is always free.
Do they have to delete everything when I ask?
Almost everything. They can retain data if: (1) required by law (tax records for 7 years), (2) needed for legal claims, (3) necessary for public interest. But they must delete anything not covered by these exceptions.
What if a company refuses my request?
They must explain why, citing the specific GDPR exemption. You can then: (1) complain to your Data Protection Authority, (2) seek judicial remedy (sue), (3) publicize the refusal (social media, press). Most companies comply to avoid reputational damage.
Take Control of Your Data
SaveSub respects your data rights with easy export, deletion, and transparent privacy practices. GDPR compliant by design.