Unfortunately, DataGrail is a US-based company using Google Tag Manager to provide personal information about its website users to Facebook, Microsoft, Google, and other advertising companies. Per the Privacy Policy, the company seems to believe that pseudo-anonymization is sufficient to be allowed to keep and use personal data for any purpose, which it is not: per GDPR, data minimisation is necessary, but doesn't exempt you from properly fulfilling deletion requests. I can't find out how they actually use personal information collected from users: the best I can find is:

> If you have any questions about the lawful bases upon which we collect and use your personal data, please submit a request through the DataGrail’s Privacy Request Form or email DataGrail at privacy@datagrail.io.

Informing me of my "right to obtain" certain information without actually providing it is not okay; and the rather selective descriptions of the rights of the data subject feel like a GDPR Article 12 violation. (For example, it partially discusses Article 15(1), but omits Article 15(2).) Having investigated the Privacy Request Form (https://preferences.datagrail.io/form/access), it's requesting I identify myself in order to learn how my personal information's being used. I can't remember the exact reference, but I'm pretty sure this is explicitly forbidden by GDPR: something about not gathering or storing information with "it's needed to satisfy GDPR's bureaucratic requirements" as justification. (Yes, I know I can email instead: that's not the point.)

I could go on, but… it doesn't really matter how good a company's services are (and those services do look pretty good!) if I can't trust the company to begin with. DataGrail appears typical for the industry, rather than exemplary (as I had hoped it would be).

I had realized, "l'esprit de l'escalier," that your ask wasn't in earnest and you were just looking to raise issues.

Sorry to have bothered you, but I assure you that your Access or Deletion request will be processed when you submit it. I know that submitting an email in a form is so much different for you than sending an email (since you've characterized it as somehow acceptable).

Are you suggesting that we should "provide the information from your GDPR access request without you actually asking for us to do so, without any commercially reasonable verification?"

Note I won't be responding further: you're not in earnest. But I do assure you that any requests will be properly processed.

Had you communicated your consent preferences through GPC or DNT, all those scripts that you call out would have been blocked. Just for your awareness.

I genuinely expected that you worked for some niche company I'd never heard of. I wasn't looking specifically to raise issues: this is how I engage with this topic in earnest (example: https://meta.stackexchange.com/a/370343/308065). My persnickety behaviour has been appreciated by at least one Stack Exchange employee; and I assumed from https://www.datagrail.io/solutions/datagrail-vs-onetrust/ that your company would appreciate such criticism as well.

I did tell you that I was going to have a look, so I don't think my request was deceptive.

> I assure you that your Access or Deletion request will be processed when you submit it.

No no, I never assumed otherwise! (the complaint about pseudonymisation notwithstanding.) And it's entirely reasonable that those require submitting a form.

My complaint was that, as a visitor to the company's website, my personal information is shipped off to third-parties and used in ways that I am not informed about, and I have to specifically request to be informed via email (or the form) despite having no business relationship with the company, when I'm entitled to be informed before any such data collection takes place. "Contact us, and we'll tell you all about how all your personal information is used" is a wonderful service to provide, but it really really shouldn't be the only way to find that information out.

(Technically, my complaint was more general than this, but it did not extend to expecting the company to magically know when I want the data indexed as associated with me deleted, without me informing them.)

> I know that submitting an email in a form is so much different for you than sending an email (since you've characterized it as somehow acceptable).

The difference is that the form requires that I provide my "First Name" and "Last Name", when these are not relevant to the request. GDPR requires that you don't require this, and an emailed request likewise does not require this. (When I told Stack Exchange about their instance of this issue, they thanked me for pointing it out, and then they fixed it, very promptly. They're using OneTrust, so assuming DataGrail is feature-complete with respect to OneTrust, and that DataGrail are using their own software, it shouldn't be hard for DataGrail to fix it too.)

> Had you communicated your consent preferences through GPC or DNT, all those scripts that you call out would have been blocked.

I noticed, and that's appreciated! However, that's not relevant to GDPR, whose obligations apply regardless of whether GPC or DNT is sent. The use of these scripts must be opt-in (unless the rare exceptions apply where you can use a basis other than consent), otherwise you're not complying with GDPR.

Again, not saying the company's atypically bad. The issues I've raised are fairly common in the industry. If forced to pick one of these services, I might go with DataGrail, because the selection of services the company offers is (in my estimation) very good. (Most smaller providers do not offer anything like that, and most larger providers are much less trustworthy.) I would certainly choose DataGrail over OneTrust.

However, my programming ability is such that it'd be easier to roll my own than audit the services of a company who I have reason to believe will make mistakes. I don't have reason to believe that the mistake-making is limited to whoever maintains the company's website (probably the marketing department), because I'd expect responsible higher-ups to tell a non-compliant marketing department to cut it out. I'm sure this means little, except that I am not your company's target market – nor the target market of most of the B2B privacy-tech industry.