Major AI providers process enormous amounts of personal data, and privacy laws give you concrete rights over that data — but exercising them means writing a clear, correctly framed request. The AI Data Rights Request Template generates that letter for you, tailored to the provider, the specific right, and the law that applies.
How it works
Choose the AI provider (OpenAI, Anthropic, Google, Microsoft, Meta, or another), the right you want to exercise, and whether EU GDPR, UK GDPR, or California’s CCPA/CPRA applies to you. Add your name, the email on your account, and any extra detail such as the field you want corrected.
The tool assembles a complete letter: a clear subject line, an identity statement, the legally framed request body for the right you selected, the correct statutory response deadline, and a request for written confirmation. The opt-out-of-training option, for example, explicitly asks the provider to exclude your past and future interactions from any training or fine-tuning dataset and to confirm the date the exclusion takes effect.
Tips and notes
Send the letter to the provider’s current published privacy contact — the suggested address in the generated letter is a starting point, but companies change channels, and some require you to use an in-product privacy dashboard or web form. Including your account email up front speeds up identity verification.
Keep a dated copy of what you sent. If a provider misses the deadline or refuses without citing a valid exemption, that record is what you would attach to a complaint to a supervisory authority such as the ICO or your EU data protection authority. This is a template, not legal advice — for anything contentious, talk to a data protection professional. The whole letter is built in your browser, so none of your details leave the page.
Understanding what each right actually gets you
Access — sometimes called a Data Subject Access Request (DSAR) — requires the provider to give you a copy of the personal data they hold about you. For AI providers, this typically includes account information, usage logs, and in some cases conversation history. It will generally not include the model weights — those are not personal data about you.
Erasure — the “right to be forgotten” — requires the provider to delete your personal data. Most providers will erase your account data and conversation history, but they may argue that data already incorporated into model training cannot be individually removed without retraining the model. This is a live legal question in several jurisdictions. The generated letter asks them to confirm exactly what has been deleted and what has not.
Opt-out of training — this is distinct from erasure. You are asking that your data not be used to train or fine-tune current or future models. Under GDPR, this is supported by the right to object to processing for this purpose. Many major providers now offer this as an account setting, but a written request creates a documented record of when you exercised the right and what confirmation you received.
Portability — requires the provider to give you your data in a machine-readable format (typically JSON or CSV) so you can transfer it to another service. This is most useful for account data and conversation history, and less relevant for AI providers who don’t store structured personal records in the way a bank or social network does.
Rectification — requires inaccurate personal data to be corrected. This is most practically relevant for factual errors in your account record (wrong name, wrong email) rather than for anything the model may have “learned” about you.
What to do if the provider does not respond
Under GDPR and UK GDPR the provider has one month to respond, extendable by two further months for complex requests. Under CCPA the limit is 45 days, extendable by another 45. If the provider does not respond within the deadline, the next step is a complaint to the relevant supervisory authority: the ICO in the UK, your national data protection authority in the EU, or the California Privacy Protection Agency under CCPA. Your dated copy of the request letter and any proof of delivery are the evidence you attach.