CCPA rights and opt-out
California-specific rights, opt-out flow, and how we handle requests.
Last updated May 12, 2026
Who this applies to
California residents have specific rights under the California Consumer Privacy Act (CCPA), expanded by the California Privacy Rights Act (CPRA). We honour the same rights for residents of states with similar laws (Virginia, Colorado, Connecticut, Utah, etc.) — easier than tracking per-state nuance, and you're never disadvantaged.
The rights
Right to know
What personal information do we collect, why, with whom we share, and (on request) the specific personal information we hold about you.
- High-level disclosure is at our privacy policy:
/legal/privacy. - Specific-data disclosure is the same flow as a GDPR Article 15 request — see Data export. Self-serve.
Right to delete
Same as GDPR Article 17. Settings → My account → Delete account. See GDPR for what gets deleted and what gets anonymised.
Right to correct
Update your profile at Settings → My account.
Right to opt-out of sale or sharing
We do NOT sell personal information in the CCPA sense. We do NOT "share" personal information for cross-context behavioural advertising. There's nothing to opt out of from the sale-or-share angle, but the option is at Settings → Privacy → Do Not Sell or Share My Personal Information anyway for the avoidance of doubt.
When toggled, we:
- Treat any future legitimate-interest analytics as opt-out.
- Suppress any third-party tags on the marketing site for your sessions (we do not run third-party ad tags inside the dashboard regardless).
Right to limit use of sensitive personal information
We treat the following as sensitive PI:
- Your precise location (when supplied).
- Your account credentials.
We do not use sensitive PI beyond what's necessary to provide the service. There's no behavioural-advertising or profiling use we'd need to limit.
Right to opt out of profiling for significant decisions
We do not profile you for significant decisions. The compliance scanner doesn't profile users; the customer-success dashboard flags accounts for human review.
Right to non-discrimination
We never charge differently, refuse service, or reduce service quality based on you exercising any privacy right.
The Global Privacy Control signal
We honour the Sec-GPC: 1 request header as an opt-out signal. If your browser sends it, we treat the session as if you'd toggled "Do Not Sell or Share My Personal Information" — no manual action needed.
Authorized agent requests
You can authorize someone (a lawyer, a privacy-rights service) to make a request on your behalf. To process the request:
- We need written permission from you.
- We need to verify your identity (we may contact you directly).
- The agent must demonstrate they're who they claim.
Email privacy@aidomination.app with the agent's contact info and signed permission.
How requests are verified
For self-serve flows (export, delete, opt-out toggle): verified by being signed in.
For email-based requests: we may ask for additional identity verification (e.g. confirm via your registered email, or by adding a verification value to a specified page on your site).
We never ask for credit-card numbers, government IDs, or SSNs to verify identity. If anyone claiming to be us asks for those, it's not us.
Response timelines
| Request | Target |
|---|---|
| Right to know — self-serve | Immediate |
| Right to know — bespoke | 45 days (extendable to 90) |
| Right to delete — self-serve | Immediate |
| Right to correct | Immediate |
| Right to opt-out | Immediate (15 days for sale/share opt-out per regulation) |
Financial incentives
We do not offer financial incentives in exchange for personal information. Your tier and features are determined by your plan, not by your privacy choices.
See also
- GDPR — the broader rights framework.
- Data export — the mechanism that satisfies right-to-know.
- Cookie policy summary.
Was this article helpful?