What’s the price to use the app?
Nothing. It’s absolutely free of charge. The companies can choose to use the WeAreDavid Service Desk as a paid services for higher performance.
Is the app secure?
Making sure that you can use the app with confidence is extremely important to us. We invest
heavily in this area.
We follow OWASP recommendations. The recommendations are considered industry best practice
when making services secure. On top of this, we rely on only trusted providers to host the
platform. We host our services in the cloud using Microsoft Azure, ensuring wide availability
and services that ensure data integrity.
On every level of your user journey – from signing up to sending requests – we ensure that
the data transportation is encrypted.
What if I can’t find the company I’m looking for in the app?
If you’re looking for a company that isn’t already in the app, you can simply notify us. We’ll
then be sure to add it.
Can I send a request to a company if I’m not sure it has my data?
Of course. As we say, when it comes to personal data: better safe than sorry.
In order for us to provide you with our software tool, you need to accept our terms and
conditions. This is to make sure you agree to some basic obligations such as proper use, breach
and our right to modify the service. We’ve done our best to make sure they are both balanced and
easy to decipher – and you can always reach out to us if you have any questions.
terms and conditions.
Nope. We believe that your data belongs to you, and we want to give you back control, not take it
away. Cookies are therefore banned at david – unless they are made of dough and chocolate.
Can the company reply to my data request using a channel other than the app?
Yes. Companies aren’t obliged to use the david app when replying to your request. However,
they’re obliged to reply to you. And the best way you can start taking back control of your own
data is by using the david app.
When can I expect the company to get back to me?
The law is super clear. The company must reply to your data request without undue delay and
within 30 days.
Can companies refuse to erase my personal data?
As a rule of thumb, you have the right to be erased. However, in some cases, companies can
legally refuse to comply with a request to be erased. They can do this if the personal data is
processed for the following reasons:
To exercise the right of freedom of expression and information.
To comply with a legal obligation for the performance of a public interest task or
exercise of official authority.
For public health purposes in the public interest.
For archiving purposes in the public interest, scientific research, historical research,
statistical purposes or the exercise or defence of legal claims.
What do I do if I haven’t heard back from the company within the 30-day
We recommend that you could give the company the benefit of the doubt and and follow up with
them. However, you’re also entitled to notify the data protection authorities and let them know
that you can’t get hold of your own data – which rightfully belongs to you.
What information does the app have on me?
The information you provided when signing up including age and gender.
How often can I request information from companies?
There are no clear, fixed rules but use your common sense, and avoid spamming companies.
According to the regulations, where requests from a data subject are manifestly unfounded or
excessive, in particular because of their repetitive character, the company may either:
(a) charge a reasonable fee taking into account the administrative costs of providing the
information or communication or taking the action requested; or
(b) refuse to act on the request.
It’s the company that bears the burden of demonstrating the manifestly unfounded or excessive
character of the request.
What do I do if I can’t find the answer to my question here?
Just send us an email at firstname.lastname@example.org and we’ll sort it out. We’re here to help!
What happens if I want to delete my WeAreDavid account?
We would be sad to lose you as our customer, but we’ll also make it very easy for you to go.
Currently, our iOS app allows you to completely delete your account by going to the profile page
and pressing “delete account”. The android version does not yet support account deletion, so we
ask users to contact the support at email@example.com and then we’ll help with the
deletion. Please keep in mind that accounts cannot be restored. Once deleted they are gone,
along with the requests and corresponding data.
Do we need a tool for handling data requests?
If you can comply with the data protection regulation without an IT tool to support you, you’re
fully entitled to do so. However, if you think that handling data requests is something of a
challenge and important for your business, the answer could very well be yes.
We’re a fairly small company. Is WeAreDavid still for us?
Small or big – it doesn’t matter. We’ve built a platform that can be used by any company of any
size. You can always use our free plan and see if WeAreDavid is the right fit for you and your
Is WeAreDavid the proxy holder of the requester?
The enquiries you receive from people using the david app are direct enquiries to your company.
This means that WeAreDavid is not a proxy holder, and WeAreDavid will not enter into the
dialogue you have with your customers.
How do we get further information to identify the requester?
It’s your obligation to confirm the identity of a data requester. If you’re not sure of the
identify of a data requester, you could confirm it by asking questions relating to the
information on the data subject that you have registered in your systems. This way, you can
ensure that the data subject is, in fact, who he or she claims to be. We recommend using the
WeAreDavid service desk for this to ensure the process is easy, safe and compliant. You can use
the service desk free of charge.
Where can we find the requester’s contact information?
The name and email of the data subject is available in the sent email with the request. Be aware
though that we do not check the identity of the data subject as the process of creating an
account and sending the email request is done without our active participation.
Does WeAreDavid use two-step email authentication?
No, not yet. But we’re working on it. For now, you just have to take the same steps to secure the
true identity of the data subject as you would have to from any other source.
Can we reply to the requester outside the WeAreDavid platform?
Yes. It’s your choice if you want to use the WeAreDavid service desk or another communication
channel for replying to a data request. However, your customer might find it useful if you’re
replying in the same channel that they contacted you. We always recommend communicating in a way
that keeps your company compliant and refrains from using unsecured communication channels like
Please be aware that it is the obligation of the data controller to “facilitate the exercise of
data subject rights under Articles 15 to 22” (cf. art. 12(2) of the GDPR). This means that the
company must make an active effort to verify the identity of the data subject and make sure the
data subject is able to use his or her right to the fullest extent within the GDPR.
What is the price to use the WeAreDavid service desk?
Any company can use the WeAreDavid service desk free of charge. We also offer paid subscriptions
which include multiple agent accounts, access to API, an unlimited number of tickets and
personal support. Find out more here.
Is WeAreDavid legally authorized to help manage requests?
Yes. WeAreDavid offers a service to both the data subject and the company. As such, WeAreDavid is
authorized to manage requests on behalf of the data subject when the data subject chooses to use
I’m not sure the request we received is legitimate. What do we do?
If you’re not sure of the identify of a data requester, you should confirm the identity of the
data subject by asking questions relating to the information on the data subject the request
might pertain to. This way you can make sure that the data subject is, in fact, who he or she
claims to be.
Can we ask for a copy of personal ID?
Only if the company 1) is in doubt as to the true identity of the data subject and 2) has
exhausted all other options for verifying the identity such as asking the data subject questions
to provide more information in order for the company to ascertain the identity of the data
subject. In other words, companies cannot adopt a way of handling requests by replying to all
requests with a demand for personal ID.
Are we obliged to respond to requests?
Yes. Companies which control personal data are considered “controllers”, and Article 12(4) GDPR
explicitly states: “If the controller does not take action on the request of the data subject,
the controller shall inform the data subject without delay and at the latest within one month of
receipt of the request of the reasons for not taking action and on the possibility of lodging a
complaint with a supervisory authority and seeking a judicial remedy.” So the regulation is
It will never be enough to process a request lawfully by just referring the data subject to the
exercise of data subjects’ rights, it will usually not be lawful to simply ask the data subject
to contact the company directly.
If the data requester is a non-EU resident, do we then have to process it?
Depending on the applicable data protection regulation, you might not be required o respond to
this request. It’s up to your company to decide if and how you respond to the request – and if
you want to treat non-EU residents differently to EU residents.
Can we use WeAreDavid to ask for consent?
No. You can't use WeAreDavid to collect consent. Only if you have a valid consent will it be
possible to ask the data subject to update their information. However, you may want to use the
WeAreDavid service desk to inform the data subject, that you're using the collected data for new
What happens if we refuse or are unable to answer the requester?
If the requester is an EU resident and you refuse and/or you’re unable to provide an answer to
the data request, then you’re legally obliged to inform the requester of his or her option to
lodge a complaint with a supervisory authority and seek a judicial remedy directly.
Is WeAreDavid secure?
Making sure that WeAreDavid is secure is extremely important to us. So we follow OWASP
recommendations that are considered as industry best practice when it comes to making services
secure. On top of this, we rely on only trusted providers to host the platform. We host our
services in the cloud using Microsoft Azure, ensuring wide availability and services that ensure
terms and conditions.
What information does WeAreDavid store on our company?
Based on your registration with us, we store your profile name, your email address and your
service desk role. We store your login password in a tokenized format, meaning that it’s not
readable to us. Based on requests that you handle through WeAreDavid, we store any information
submitted as answers from you in an encrypted form. The communication you have with the
requester is stored, and only the company and the requester have access to this communication.
As everything is encrypted, no one – besides you – can access any of your data in a readable
We want to prevent our company from being shown in the app. Can we do that?
You can ask us to delete the logo of your company in the app. However, we don’t delete any
companies from the app, nor do we delete the email address used to send requests. We want to
make it easier for businesses to make it right while helping people get access to what
rightfully belongs to them: their own data.
Do the authorities recognize the approach of WeAreDavid?
In specific cases, we’ve seen that supervisory authorities will, in fact, send a letter to a
company that has not responded to a request by a data subject. This basically means that if no
reply is received from the company, the next step for the data subject is to lodge a complaint
with the relevant supervisory authority, whereupon the supervisory authority will ask the
company to reply to the request.