Buronia
English ▾

← GDPR & data protection

Your data rights (GDPR Art. 15–22)

You have eight specific, enforceable rights over the personal data Buronia holds about you. This page lists each, the timeline you should expect, and the exact way to exercise it.

Effective 2026-04-30.

1. Right of access (Art. 15)

You can ask for a copy of every piece of personal data we hold about you, the purposes we process it for, who it's shared with, how long we keep it, and where it came from. We respond within 30 days, free of charge for the first request in any 12-month window. The reply is a single JSON file plus a plain-text summary so you can read it without tooling.

How: email dpo@buronia.com with the subject line "Article 15 access request" and the email address you used to sign in.

2. Right to rectification (Art. 16)

If anything we hold about you is wrong (a misspelled name, an out-of-date address, a draft that misstates your income), you can require us to correct it. For most fields, signing in and editing the draft is the fastest route. For account-level fields (email, name) email the DPO.

3. Right to erasure / "right to be forgotten" (Art. 17)

You can ask us to delete your account and every draft attached to it. We complete erasure within 30 days and confirm in writing. The legal exceptions where we may keep data are listed in Data retention — primarily payment records we are required to keep for accounting law.

How: email dpo@buronia.com with subject "Erasure request" and the email you signed up with. We acknowledge within 72 hours.

4. Right to restriction of processing (Art. 18)

If you contest the accuracy of data, or you've objected to processing and we're verifying our grounds, you can require us to pause processing while the dispute is open. During restriction, we still store your data, but we will not act on it.

5. Right to data portability (Art. 20)

You can receive your data in a structured, machine-readable format (JSON) and, where technically feasible, have us send it directly to another controller. Today this covers your account, your answers, and your draft text. Stripe-side payment data is portable through Stripe directly.

6. Right to object (Art. 21)

You can object to any processing we do under "legitimate-interest" basis (Art. 6(1)(f)). The only such processing on Buronia is short-lived security/abuse logging. An objection stops that logging for your account.

7. Right not to be subject to automated decision-making (Art. 22)

Buronia does not make legal decisions about you. Buronia drafts a document; a human (you) reviews and submits it; the actual benefit decision is made by the public authority. See Automated decision-making for the full breakdown of where AI is in the loop.

8. Right to withdraw consent (Art. 7(3))

Where we relied on your consent (e.g. processing disability status under Art. 9(2)(a)), you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal. The mechanism is the same as erasure for that specific data class — email the DPO.

Response timelines

  • 72 hours — initial acknowledgement.
  • 30 days — substantive response (Art. 12(3)).
  • +60 days — extension only if the request is exceptionally complex; we will tell you within the first 30 days if we need an extension and why.

If you're not satisfied

You always retain the right to lodge a complaint with your national supervisory authority. We list every authority's direct link on the Lodging a complaint page.

Contact our Data Protection Officer

Victor Chengdpo@buronia.com. The DPO answers all rights requests directly. We do not charge a fee unless your request is "manifestly unfounded or excessive" (Art. 12(5)) — in seven years no Buronia request has ever met that bar.