Egret — Privacy Rights & Data Request Management

Part of the Circuit Forge LLC "AI for the tasks you hate most" suite.

Status: Backlog — not yet started. Peregrine must prove the model first.

What it does

Egret manages your privacy rights across companies worldwide: submitting Data Subject Access Requests (DSARs), Right to Erasure requests, data portability requests, opt-out-of-sale notices, and escalating to regulatory bodies when companies stonewall or miss their legal deadlines.

The name is intentional: egret sounds like egress — data flowing out of companies' systems and back under your control. Egrets are patient, methodical, and precise. White, clean. That's the goal.

| Regulation | Region | Key rights |
|---|---|---|
| GDPR | EU / EEA | Access, erasure, portability, rectification, restrict processing |
| CCPA / CPRA | California, USA | Know, delete, opt-out of sale/sharing, correct, limit sensitive use |
| PIPEDA | Canada | Access, correction, withdrawal of consent |
| LGPD | Brazil | Access, deletion, portability, correction, anonymization |
| PDPA | Thailand / Singapore | Access, correction, deletion, portability |
| UK GDPR | United Kingdom | Post-Brexit GDPR equivalent |
| State privacy laws | USA (VA, CO, CT, TX, OR, MT, +) | Access, deletion, opt-out (varies by state) |
| APPI | Japan | Disclosure, correction, use limitation |

Why it's hard

Privacy rights exist on paper but are designed to be abandoned:

  • Companies have no incentive to make DSAR submission easy — most bury the form or require accounts
  • Legal deadlines are short (30 days GDPR, 45 days CCPA), but enforcement is weak for individuals
  • Responses are often partial, evasive, or in formats designed to be unreadable
  • Escalation paths (DPAs, state AGs, FTC) require formal complaints with specific formats
  • Identity verification requirements vary and are sometimes used as gatekeeping

Core pipeline

Inventory data exposures (companies with your data + what category)
→ Generate tailored DSAR / erasure / opt-out letter per company
→ Submit via verified channel (email / web form / certified mail)
→ Track deadline (GDPR: 30 days; CCPA: 45 days; grace periods)
→ Monitor for response → Review compliance of response
→ If non-compliant / no response: draft DPA / state AG complaint
→ Track escalation status
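
The deadline-tracking and escalation steps of the pipeline above, as an added example (not Egret's own code; the project has not been started). The 30-day and 45-day windows come from this README; `Request`, `due_date`, `next_step`, `warn_days`, `grace_days` and the stage labels are assumptions made for illustration, and the sample data is constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Response windows in days, as stated in this README.
DEADLINE_DAYS = {"GDPR": 30, "CCPA": 45}


@dataclass
class Request:
    company: str
    regulation: str                      # key into DEADLINE_DAYS
    submitted: date
    responded: Optional[date] = None
    compliant: Optional[bool] = None     # outcome of the response review step
    grace_days: int = 0                  # assumption: extension applied, if any


def due_date(req: Request) -> date:
    if req.regulation not in DEADLINE_DAYS:
        raise ValueError(f"no deadline known for {req.regulation!r}")
    return req.submitted + timedelta(days=DEADLINE_DAYS[req.regulation] + req.grace_days)


def next_step(req: Request, today: date, warn_days: int = 7) -> str:
    """Map one tracked request onto the pipeline stage it is in."""
    due = due_date(req)
    if req.responded is not None:
        if req.compliant is None:
            return "review_response"     # response received, not yet checked
        return "closed" if req.compliant else "draft_complaint"
    if today > due:
        return "draft_complaint"         # no response by the deadline
    if (due - today).days <= warn_days:
        return "deadline_approaching"
    return "waiting"


# Constructed sample data; company names are placeholders.
SAMPLE = [
    Request("ExampleCo EU", "GDPR", date(2024, 3, 1)),
    Request("ExampleCo CA", "CCPA", date(2024, 3, 1)),
    Request("Example Ads", "GDPR", date(2024, 2, 1)),
    Request("Example Shop", "CCPA", date(2024, 2, 1), date(2024, 2, 20), False),
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r.company, due_date(r), next_step(r, date(2024, 3, 27)))
```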

Key differentiators vs. other products

  • Multi-jurisdiction: the correct legal framing, citation, and deadline vary by company location AND your location
  • Identity verification workflow: guide user through what to submit (and what NOT to overshare)
  • Partial response detection: AI reviews company response for completeness vs. legal requirements
  • Escalation chain: ICO → CNIL → Datatilsynet → state AG → FTC → small claims, based on jurisdiction and response

Response handling

When a company responds, Egret:

  1. Parses the response (email / PDF / portal export)
  2. Checks against your original request — what was addressed, what was dodged
  3. Flags if the response doesn't meet legal minimums
  4. Drafts a follow-up or escalation letter as needed

Company database

A structured, community-maintained database of:

  • DSAR submission endpoints (email, web form URL, or postal address) per company
  • Average response time (crowdsourced)
  • Compliance rating (historically responsive / stonewalls / partial)
  • Required identity verification documents

MIT-licensed, like the job board scrapers in Peregrine — the community maintains it because company policies change constantly.

Product code (license key)

CFG-EGRT-XXXX-XXXX-XXXX

Tech notes

  • Shared circuitforge-core scaffold
  • Jurisdiction detection: user location + company HQ → applicable law
  • Letter template library: per-regulation, per-right, per-escalation-level
  • Email sync: monitor company responses, flag when deadline approaches
  • Response analysis: LLM review of company responses against legal checklists
  • Vision module: scan physical mail responses, PDF exports from companies
  • ⚠️ Sensitive data handling: DSAR responses may include PII — local-only processing, never routed through cloud LLM without explicit consent