Egret — Privacy Rights & Data Request Management

Part of the Circuit Forge LLC "AI for the tasks you hate most" suite.

Status: Backlog — not yet started. Peregrine must prove the model first.

What it does

Egret manages your privacy rights across companies worldwide: submitting Data Subject Access Requests (DSARs), Right to Erasure requests, data portability requests, opt-out-of-sale notices, and escalating to regulatory bodies when companies stonewall or miss their legal deadlines.

The name is intentional: egret sounds like egress — data flowing out of companies' systems and back under your control. Egrets are patient, methodical, and precise. White, clean. That's the goal.

Legal frameworks supported

Regulation	Region	Key rights
GDPR	EU / EEA	Access, erasure, portability, rectification, restrict processing
CCPA / CPRA	California, USA	Know, delete, opt-out of sale/sharing, correct, limit sensitive use
PIPEDA	Canada	Access, correction, withdrawal of consent
LGPD	Brazil	Access, deletion, portability, correction, anonymization
PDPA	Thailand / Singapore	Access, correction, deletion, portability
UK GDPR	United Kingdom	Post-Brexit GDPR equivalent
State privacy laws	USA (VA, CO, CT, TX, OR, MT, +)	Access, deletion, opt-out (varies by state)
APPI	Japan	Disclosure, correction, use limitation

Why it's hard

Privacy rights exist on paper but are designed to be abandoned:

• Companies have no incentive to make DSAR submission easy — most bury the form or require accounts
• Legal deadlines are short but enforcement is weak for individuals (30 days GDPR, 45 days CCPA)
• Responses are often partial, evasive, or in formats designed to be unreadable
• Escalation paths (DPAs, state AGs, FTC) require formal complaints with specific formats
• Identity verification requirements vary and are sometimes used as gatekeeping

Core pipeline

Inventory data exposures (companies with your data + what category)
→ Generate tailored DSAR / erasure / opt-out letter per company
→ Submit via verified channel (email / web form / certified mail)
→ Track deadline (GDPR: 30 days; CCPA: 45 days; grace periods)
→ Monitor for response → Review compliance of response
→ If non-compliant / no response: draft DPA / state AG complaint
→ Track escalation status

Key differentiators vs. other products

• Multi-jurisdiction: the correct legal framing, citation, and deadline vary by company location AND your location
• Identity verification workflow: guide user through what to submit (and what NOT to overshare)
• Partial response detection: AI reviews company response for completeness vs. legal requirements
• Escalation chain: ICO → CNIL → Datatilsynet → state AG → FTC → small claims, based on jurisdiction and response

Response handling

When a company responds, Egret:

1. Parses the response (email / PDF / portal export)
2. Checks against your original request — what was addressed, what was dodged
3. Flags if the response doesn't meet legal minimums
4. Drafts a follow-up or escalation letter as needed

Company database

A structured, community-maintained database of:

• DSAR submission endpoints (email, web form URL, or postal address) per company
• Average response time (crowdsourced)
• Compliance rating (historically responsive / stonewalls / partial)
• Required identity verification documents

MIT-licensed, like the job board scrapers in Peregrine — the community maintains it because company policies change constantly.

Product code (license key)

CFG-EGRT-XXXX-XXXX-XXXX

Tech notes

• Shared circuitforge-core scaffold
• Jurisdiction detection: user location + company HQ → applicable law
• Letter template library: per-regulation, per-right, per-escalation-level
• Email sync: monitor company responses, flag when deadline approaches
• Response analysis: LLM review of company responses against legal checklists
• Vision module: scan physical mail responses, PDF exports from companies
• ⚠️ Sensitive data handling: DSAR responses may include PII — local-only processing, never routed through cloud LLM without explicit consent