Allies Comply / Documentation / Business owner guide
Business owner guide

Running your Comply dashboard

Everything you need to handle data requests confidently. No legal background required.

Overview

What Comply does for you

Allies Comply sits between your users and your data. When someone wants to see or delete their personal information, they submit a request through a form on your website. Comply verifies the request is real, scans your connected databases to find that person's data, and brings everything to your dashboard so you can review and respond.

You stay in control. Comply surfaces the data and proposes what to do with it, but you decide. Nothing is deleted or shared without your approval, unless you turn on auto-accept.

Once you accept a request, Comply handles the execution: it deletes or anonymizes the data in your database, sends the requester a confirmation email, and logs everything for your records.

Dashboard

Your dashboard at a glance

The Requests page lists every data request your business has received. Each one has a status that tells you where it stands.

Pending

Waiting for the user to verify their email

The request came in but the user has not clicked the verification link yet. No action needed from you.

Needs attention

The user verified their email. Your response is needed.

Comply has scanned your database. Open the request to review what was found and accept or deny.

Completed

Done. The request has been fulfilled.

You accepted, the data was handled, and the user was notified. Nothing left to do.

Denied

You declined this request.

The user was sent a decline notice. Make sure you had a valid legal reason. See the compliance guide for valid denial grounds.

Workflow

Reviewing a data request

When a request reaches "Needs attention," open it to see the full picture. Here is what you will find.

Request details

At the top you will see who submitted it: their name, email, the type of request (view or delete), and when they submitted it. This is what Comply verified.

Data found

If you have connected a database, Comply lists every record it found for that person. For each record, you will see the table it lives in, a summary of what it contains, and a proposed action.

The proposed actions are:

  • Delete row: Remove the entire database record.
  • Anonymize fields: Blank out or replace the personal data in that row, but keep the row itself (useful for order histories, audit logs, etc.).
  • Leave alone: Comply found this record but is not proposing to change it, because it is flagged as protected or contains no personal data that belongs to the requester.

You can change the proposed action for any record before you accept. You can also exclude individual records entirely if you have a reason not to process them.

Accepting or denying

Once you have reviewed the records, click Accept or Deny at the bottom of the page.

Accept: Comply executes all the proposed actions in one go. If anything fails, the whole operation rolls back so you are never left with partial deletions. The requester gets an email confirming the request was fulfilled.

Deny: The requester gets a decline notice. You should only deny when you have a valid legal reason. See the compliance guide for the full list.

After acceptance

What happens after you accept

For delete requests

Comply runs all the deletions and anonymizations in a single database transaction. If one step fails, everything rolls back and you are notified. If it succeeds, the user receives a confirmation email saying their data has been deleted.

For view requests

Comply compiles the data it found into a secure, tokenized page. A unique link is emailed to the requester. The link lets them see their data without you having to send it manually. The link expires after a set period.

What gets logged

Every action is logged in your dashboard. You can see which records were modified, when, and what the outcome was. This is your compliance record, so keep it.

Auto-accept: If you enable auto-accept in Settings, Comply skips the manual review step entirely. As soon as a user verifies their email, Comply automatically accepts and executes the request. This is handy for low-risk businesses but think carefully before enabling it, since you give up the chance to review individual records.
Database connection

Connecting your database

Without a database connection, Comply can still receive and route requests, but it cannot automatically find or delete data. You would need to handle data lookup and deletion manually.

Connecting a database unlocks the most valuable part of Comply: automatic scanning, record discovery, and one-click execution. Once connected, every verified request automatically triggers a scan of your data before landing in your dashboard.

Comply supports PostgreSQL and MySQL. Your database credentials are encrypted before storage, and Comply only reads the minimum data needed to find records and execute your approved actions.

To connect, go to Integrations in your dashboard and follow the setup form. You will need your database host, port, name, and a user with the right permissions. Your developer can help with this. See the developer guide for the exact permissions required.

Scan results

Understanding scan results

When you connect a database, Comply runs a schema scan. It looks at every table and column and classifies each one. Here is what those classifications mean.

The four categories

  • Personal data: Comply is confident this column contains information that identifies or relates to a person. Examples: email address, full name, phone number, IP address.
  • May contain personal data: Comply is not certain, but the column looks like it could contain personal information. It will flag these for your review.
  • Needs review: Comply could not classify this column automatically. You should check it manually and tell Comply how to treat it.
  • No personal data: Comply is confident this column has nothing to do with personal information. These are skipped during request scans.

Protected from deletion

You can mark any table as "protected from deletion." A protected table is never modified by Comply, even if it contains personal data.

Use this for tables you are legally required to keep, like financial transaction records, audit logs, or anything mandated by a regulator. Personal data in protected tables will still show up when you review a request, but the proposed action will always be "Leave alone."

Important: If you protect a table that contains personal data and a user submits a deletion request, you need to explain this in your response. The compliance guide covers how to handle this correctly.

Confidence threshold

In Settings, you can adjust how aggressively Comply flags uncertain data. Conservative means only high-confidence columns are targeted. Aggressive means any column that might contain personal data gets included. Start conservative and adjust if you find Comply missing things.

Settings

Settings explained

Notification email

The email address where Comply sends alerts when a new request comes in, when a request is verified, and when other important things happen. Set this to whoever on your team handles compliance.

Auto-accept

When this is on, Comply accepts and processes verified requests automatically, without waiting for your manual approval. Good for straightforward businesses where you trust the scan results. Turn it off if you want to review each request before anything is executed.

Data targeting sensitivity (confidence threshold)

A slider from conservative to aggressive. At conservative, only data Comply is highly confident about gets targeted. At aggressive, everything that might be personal data gets flagged for review. The right setting depends on how much uncertainty you are comfortable with.

Legal

Your legal responsibilities

Comply handles a lot, but some things are still your responsibility. Here is the plain-English version.

Response timelines

Under GDPR, you have 30 days to respond to a data request. Under CCPA, you have 45 days. The clock starts when the user submits the request. Comply tracks when each request came in, so you can see exactly where you stand.

"Respond" means sending a substantive reply: fulfilling the request, denying it for a valid reason, or telling the user you need more time (and why). Ignoring the request is not a valid option.

Valid reasons to deny

You can deny a request if you have a legal obligation to retain the data, if you cannot verify the requester's identity, or if the request is excessive or repetitive. These are narrow exceptions, not a general opt-out. See the compliance guide for a full breakdown.

What Comply handles vs. what you own

Comply handles data in your connected databases. But you likely have personal data in other places: email inboxes, spreadsheets, third-party tools, paper records, and so on. Comply cannot reach those. When a request comes in, you are responsible for checking all your data sources, not just the ones Comply can see.

Comply will prompt you to confirm that you have checked your other data sources before you accept a request. Take that seriously.

Anonymous and tracking data

If you use cookies, analytics tools, or device fingerprinting, that data is often not linked to an email address. Comply cannot automatically connect that to a specific person's request. You need to manually check those systems when you receive a deletion request. The compliance guide has more on this.

FAQ

Frequently asked questions

What if a user submits a request but never verifies their email?

The request stays in Pending status indefinitely. You do not need to act on it. Comply will not scan for data or notify you until the user verifies. If the user never verifies, the request effectively lapses.

Can a user submit multiple requests?

Yes. Each request goes through the same flow: submission, verification, scan, your review. There is no block on repeat requests from the same person. If you receive requests you believe are excessive or in bad faith, you can deny them with an explanation.

What if Comply finds no data for a user?

The request will show an empty data found section. You can still accept or deny it. Accepting tells the user that no data was found and none was deleted. This is a valid and complete response.

What happens if a deletion fails partway through?

Comply uses database transactions. If any step fails, everything rolls back to the state it was in before. No partial deletions. You will be notified of the failure and can investigate before trying again.

Does Comply store the personal data it finds during a scan?

No. Comply reads the data to show it to you in the dashboard and to execute your approved actions. It does not copy or store personal data from your database. Once the request is resolved, the scan results are cleared.

Can I undo an accepted request after execution?

No. Once a deletion is executed, it is permanent. Anonymization is also irreversible. This is intentional: reversibility would undermine the user's legal right to erasure. Review carefully before accepting, especially for delete requests.

What does Allies Comply do with my database credentials?

Your credentials are encrypted using AES-256-GCM before being stored. Allies staff cannot see them in plaintext. The credentials are only used to run scans and execute your approved actions. See the developer guide for the technical details.

Do I need a lawyer to use Comply?

Comply is designed to handle the operational side of compliance without requiring legal expertise day-to-day. But for edge cases, unusual denials, or if your business handles sensitive categories of data, talking to a lawyer is always a good idea. Comply does not provide legal advice.

Related: Compliance reference | Developer guide | All docs