Hacker News

bradleyy, last Wednesday at 4:10 AM

It's DataGrail. I don't mind disclosing it, but I was kinda hoping not to because I'm really not here to advertise... I guess I won't say I know the subject, but do have some experience. lol.

I'd be happy to discuss directly if you want. Not sure how to exchange details if you're interested but we can figure something out I guess.


Replies

wizzwizz4, last Wednesday at 1:57 PM

Unfortunately, DataGrail is a US-based company using Google Tag Manager to provide personal information about its website users to Facebook, Microsoft, Google, and other advertising companies. Per the Privacy Policy, the company seems to believe that pseudo-anonymization is sufficient to be allowed to keep and use personal data for any purpose, which it is not: per GDPR, data minimisation is necessary, but doesn't exempt you from properly fulfilling deletion requests. I can't find out how they actually use personal information collected from users: the best I can find is:

> If you have any questions about the lawful bases upon which we collect and use your personal data, please submit a request through the DataGrail’s Privacy Request Form or email DataGrail at [email protected].

Informing me of my "right to obtain" certain information without actually providing it is not okay; and the rather selective descriptions of the rights of the data subject feel like a GDPR Article 12 violation. (For example, it partially discusses Article 15(1), but omits Article 15(2).) Having investigated the Privacy Request Form (https://preferences.datagrail.io/form/access), it's requesting I identify myself in order to learn how my personal information's being used. I can't remember the exact reference, but I'm pretty sure this is explicitly forbidden by GDPR: something about not gathering or storing information with "it's needed to satisfy GDPR's bureaucratic requirements" as justification. (Yes, I know I can email instead: that's not the point.)

I could go on, but… it doesn't really matter how good a company's services are (and those services do look pretty good!) if I can't trust the company to begin with. DataGrail appears typical for the industry, rather than exemplary (as I had hoped it would be).
