1pm
Start free trial
← All help articles

Data subject rights

account-and-billing
Data subject rights

If you've handed personal data to 1pm — either as a planner running events or as a crew member whose details a planner uploaded — you have a set of rights over that data under the Australian Privacy Act, the EU and UK GDPR, and equivalent laws in other jurisdictions. This article explains what those rights are, the self-serve paths that already exist in the product, and how to email us when self-serve isn't enough.

What you can ask for

Access. You can ask for a copy of the personal data 1pm holds about you. For planners, that's the events you've built, the crew records you've created, the uploads you've stored, your billing history. For crew members, that's the contact details and any submissions a planner has gathered through 1pm.

Correction. If something we hold about you is wrong, you can ask us to fix it. Most fields on a planner account are editable in-app. Crew details that a planner uploaded are corrected by the planner, not by us directly.

Deletion. You can ask us to delete your personal data. For planners this means deleting the account; for crew it means asking the planner to remove your record, or asking us to do it on the planner's behalf if you can't reach them.

Restriction. In limited circumstances (for example, while you're disputing the accuracy of data we hold), you can ask us to stop actively processing your data while we work it out.

Objection. If we're relying on legitimate interests as the lawful basis for processing — for example, operational telemetry or anti-abuse rate limiting — you can object and we'll either justify the continued processing or stop it.

Portability. You can get a copy of your data in a structured, machine-readable format you can take to another service. For planners we provide this as a ZIP with JSON inside.

Not being subject to automated decisions. 1pm doesn't make automated decisions with legal or similarly significant effects about you. There's no profiling, no algorithmic credit-scoring, no automated denial of service. This right isn't really exercisable against us because the thing it protects against isn't happening.

Withdraw consent for marketing. If you've opted in to marketing or product-update emails, you can opt out at any time using the unsubscribe link in every such email. Withdrawing consent doesn't affect any processing we do under contract or legitimate interests — only the marketing flows.

What you can do without emailing us

Most of the rights above can be exercised directly inside the product without needing to ask anyone for help.

Export your account data. Account → Export my data → Download my data. ZIP of everything we hold for you as a planner. See the Exporting your account data article for what's in it.

Delete your account. Account → Delete my account. Deletion is permanent. The data is removed from active systems immediately and from backups within 35 days as backup snapshots roll over.

Correct your details. Account → Profile lets you change your display name, contact details, and login email.

Update crew records. Crew → pick the row → edit. Planners are the controllers of their crew data, so this is where corrections live.

Update event details. Open the event → click the pencil → edit. Same for timeline items, uploads, attachments, requests.

Unsubscribe from marketing. Every marketing email has an unsubscribe link in the footer. One click. We also honor unsubscribes recorded against our email-delivery provider, so once you've unsubscribed in either place you're out for good.

What needs an email to us

A few requests genuinely do need a person to read them and act, because they cross boundaries the product doesn't.

Access requests for data the export doesn't cover. The export covers planner-facing data. If you want logs of admin or support access to your account, breach records, or anything in our internal audit trail, email hello@1pm.app and we'll prepare a response.

Crew requests where the planner is unreachable. Normally, if you're a crew member who wants your data removed, the cleanest path is to ask the planner who invited you. If they're unresponsive or you can't identify them, email hello@1pm.app with as much detail as you can — your name, the event name, the planner's organisation, the rough date — and we'll either action it directly or follow up with the planner ourselves.

Objection or restriction requests. The right exists in law but doesn't have a self-serve UI inside 1pm because they're rare and need human judgment. Email us with what you want stopped and why.

Standard Contractual Clauses, DPA copies, audit cooperation. Subscribers operating under the GDPR can request a counter-signed copy of the processor terms (Article 28 GDPR; clause 4.3 of our Terms of Use) or a copy of the Standard Contractual Clauses we rely on for international transfers. Same email address.

Complaints. If you think we've handled your data badly, tell us first — we'd rather hear from you and fix it than have you go straight to a regulator. But your right to complain to a regulator is not conditional on contacting us first.

How long it takes

GDPR-style requests have a one-month statutory deadline. We aim to respond within 7 days for straightforward requests and acknowledge longer ones immediately. The 30-day deadline applies to the substantive response, not the acknowledgement.

The Australian Privacy Act requires a "reasonable time" — in practice we treat 30 days as the operating limit there too.

How we verify it's you

For account-related requests from a signed-in session, your authenticated session is the verification.

For requests by email that aren't from a signed-in session — for example, a deletion request from someone who's locked out, or a crew member without a 1pm login — we may ask for additional verification before we act, particularly for destructive requests. The level of verification scales with the destructiveness of what you're asking for. We won't ask for a passport scan to confirm a marketing-opt-out, but we won't delete a paying account on the word of an unverified email either.

Where to escalate if we get it wrong

If you're in Australia, you can lodge a complaint with the Office of the Australian Information Commissioner at oaic.gov.au.

If you're in the EU, your local supervisory authority — the list is at edpb.europa.eu.

If you're in the UK, the Information Commissioner's Office at ico.org.uk.

You don't have to talk to us first, but it's usually faster to.