Data Requests Policy
Last updated: 15 October 2025
1. Introduction
This Data Requests Policy outlines how Mysa Digital ("we", "our", or "us") manages requests from individuals seeking access to or deletion of their personal data under the UK General Data Protection Regulation (UK GDPR).
This policy applies to all data collected and processed via mysa-digital.com, pondera.live, and any related services or applications (collectively, "our platforms").
2. Submitting a Request
Individuals may submit a data access or data deletion request by contacting us directly at:
Email: privacy@mysa-digital.com
Requests must be sent from the email address associated with the user's account. This ensures that we can verify identity and protect user data from unauthorised access.
We do not accept requests submitted through third parties, except where legally authorised (e.g. a verified representative acting with written consent).
3. Types of Requests Covered
This policy applies to the following types of requests:
- Access Request: To obtain a copy of the personal data held about you.
- Deletion Request: To permanently remove your personal data from our systems and associated services.
We do not currently process requests for data correction, portability, or restriction under this policy.
4. Identity Verification
To prevent unauthorised disclosure or deletion of data, we use a two-step verification process:
- Primary verification: The request must originate from the email address registered to the user account.
- Secondary verification (if required): We may request confirmation of a recent account detail, such as the date of last login, recent invoice ID, or registered organisation name.
In cases where identity cannot be confirmed through these checks, we reserve the right to request a valid photo ID before proceeding.
5. Response Timeframes
We will acknowledge receipt of a valid data request within five (5) working days and respond in full within thirty (30) calendar days of verification, in accordance with the UK GDPR.
Where requests are unusually complex or numerous, we may extend this period by an additional thirty (30) days, in which case we will notify you of the extension and provide a reason for the delay.
6. Data Access Requests
If you request access to your personal data, we will provide:
- Confirmation of whether we hold your personal data;
- A copy of such data in a structured, commonly used electronic format;
- An outline of the categories of data processed and the purposes for which they are used.
We may refuse access if the request is manifestly unfounded, excessive, or repetitive. In such cases, we will provide an explanation of the decision.
7. Data Deletion Requests
Upon a verified deletion request, we will:
- Remove your personal data from our MySQL databases and internal systems;
- Request the deletion of your data from integrated third-party processors, including Stripe, SendGrid, and Mailchimp;
- Confirm to you in writing once deletion has been completed across all systems.
All deletions are permanent and cannot be reversed. Data will typically be removed within 30 days of verification, unless a longer retention period is required by law (e.g. accounting records or fraud prevention).
8. Limitations
We may not be able to fulfil a deletion request if:
- We are required to retain certain information to comply with legal obligations;
- Data is necessary for the establishment, exercise, or defence of legal claims;
- Retention is required for legitimate business interests permitted by law.
In such cases, only the minimum necessary data will be retained, and you will be informed of the reason.
9. Confirmation of Completion
Upon completion of an access or deletion request, you will receive a confirmation email summarising the action taken and the scope of the data involved.
10. Contact Information
If you have any questions or concerns about this policy or your data rights, please contact:
Email: privacy@mysa-digital.com
Address: Mysa Digital, 48 Providence, CM0 8JU, United Kingdom