
bradleyy, last Wednesday at 2:12 PM

I had realized, "l'esprit de l'escalier," that your ask wasn't in earnest and you were just looking to raise issues.

Sorry to have bothered you, but I assure you that your Access or Deletion request will be processed when you submit it. I know that submitting an email in a form is so much different for you than sending an email (since you've characterized it as somehow acceptable).

Are you suggesting that we should "provide the information from your GDPR access request without you actually asking for us to do so, without any commercially reasonable verification?"

Note I won't be responding further: you're not in earnest. But I do assure you that any requests will be properly processed.

Had you communicated your consent preferences through GPC or DNT, all those scripts that you call out would have been blocked. Just for your awareness.


Replies

wizzwizz4, last Wednesday at 4:38 PM

I genuinely expected that you worked for some niche company I'd never heard of. I wasn't looking specifically to raise issues: this is how I engage with this topic in earnest (example: https://meta.stackexchange.com/a/370343/308065). My persnickety behaviour has been appreciated by at least one Stack Exchange employee; and I assumed from https://www.datagrail.io/solutions/datagrail-vs-onetrust/ that your company would appreciate such criticism as well.

I did tell you that I was going to have a look, so I don't think my request was deceptive.

> I assure you that your Access or Deletion request will be processed when you submit it.

No no, I never assumed otherwise (the complaint about pseudonymisation notwithstanding)! And it's entirely reasonable that those require submitting a form.

My complaint was that, as a visitor to the company's website, my personal information is shipped off to third-parties and used in ways that I am not informed about, and I have to specifically request to be informed via email (or the form) despite having no business relationship with the company, when I'm entitled to be informed before any such data collection takes place. "Contact us, and we'll tell you all about how all your personal information is used" is a wonderful service to provide, but it really really shouldn't be the only way to find that information out.

(Technically, my complaint was more general than this, but it did not extend to expecting the company to magically know when I want the data indexed as associated with me deleted, without me informing them.)

> I know that submitting an email in a form is so much different for you than sending an email (since you've characterized it as somehow acceptable).

The difference is that the form requires that I provide my "First Name" and "Last Name", when these are not relevant to the request. GDPR requires that you don't require this, and an emailed request likewise does not require this. (When I told Stack Exchange about their instance of this issue, they thanked me for pointing it out, and then they fixed it, very promptly. They're using OneTrust, so assuming DataGrail is feature-complete with respect to OneTrust, and that DataGrail are using their own software, it shouldn't be hard for DataGrail to fix it too.)

> Had you communicated your consent preferences through GPC or DNT, all those scripts that you call out would have been blocked.

I noticed, and that's appreciated! However, that's not relevant to GDPR, whose obligations apply regardless of whether GPC or DNT is sent. The use of these scripts must be opt-in (unless the rare exceptions apply where you can use a basis other than consent), otherwise you're not complying with GDPR.

Again, not saying the company's atypically bad. The issues I've raised are fairly common in the industry. If forced to pick one of these services, I might go with DataGrail, because the selection of services the company offers is (in my estimation) very good. (Most smaller providers do not offer anything like that, and most larger providers are much less trustworthy.) I would certainly choose DataGrail over OneTrust.

However, my programming ability is such that it'd be easier to roll my own than audit the services of a company who I have reason to believe will make mistakes. I don't have reason to believe that the mistake-making is limited to whoever maintains the company's website (probably the marketing department), because I'd expect responsible higher-ups to tell a non-compliant marketing department to cut it out. I'm sure this means little, except that I am not your company's target market – nor the target market of most of the B2B privacy-tech industry.
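The two comments above disagree about what a consent gate for third-party scripts should do: the first describes blocking the scripts when the browser sends GPC or DNT, the reply points out that under GDPR the scripts must be opt-in regardless of whether such a signal is present. The following added example (written for this page; it is not code from DataGrail, OneTrust or either commenter) puts the two policies side by side as a small loader you can run under Node. It assumes a navigator-like object exposing `globalPrivacyControl` (a boolean, as in the GPC draft) and `doNotTrack` (the string "1" when DNT is enabled), and a consent record keyed by purpose; the script URLs and purposes are constructed sample data.

```javascript
// Added example: two policies for loading third-party scripts.
//   signalsOnlyGate - load everything unless the browser sends GPC or DNT
//                     (the behaviour the first comment describes);
//   optInGate       - load a non-essential script only on explicit, recorded
//                     consent for its purpose, and treat GPC/DNT as a refusal
//                     on top of that (the opt-in default the reply calls for).
// Assumptions (not from the thread): nav.globalPrivacyControl is a boolean,
// nav.doNotTrack is "1" when DNT is on, consent is { purpose: true }.

// Constructed sample data; "necessary" marks strictly necessary first-party code.
const SAMPLE_SCRIPTS = [
  { src: "https://cdn.example/app.js",       purpose: "necessary"   },
  { src: "https://analytics.example/tag.js", purpose: "analytics"   },
  { src: "https://ads.example/pixel.js",     purpose: "advertising" },
];

// True when the visitor's browser has sent a GPC or DNT preference.
function signalsOptOut(nav) {
  return nav.globalPrivacyControl === true || nav.doNotTrack === "1";
}

// Weak policy: absent a signal, every script runs without the visitor asking for it.
function signalsOnlyGate(scripts, nav) {
  const optOut = signalsOptOut(nav);
  const loaded = [], blocked = [];
  for (const s of scripts) {
    (s.purpose === "necessary" || !optOut ? loaded : blocked).push(s.src);
  }
  return { loaded, blocked };
}

// Opt-in policy: necessary scripts always load; each other purpose needs an
// explicit consent record, and a GPC/DNT signal overrides any stored consent.
function optInGate(scripts, consent, nav) {
  const optOut = signalsOptOut(nav);
  const loaded = [], blocked = [];
  for (const s of scripts) {
    if (s.purpose === "necessary") { loaded.push(s.src); continue; }
    const consented = consent !== null && typeof consent === "object"
      && consent[s.purpose] === true;
    (consented && !optOut ? loaded : blocked).push(s.src);
  }
  return { loaded, blocked };
}

// Inject only the allowed scripts. Without a DOM (e.g. under Node) it does nothing
// and returns 0, so the decision logic above can be tested headlessly.
function injectAllowed(decision, doc) {
  if (!doc || typeof doc.createElement !== "function") return 0;
  for (const src of decision.loaded) {
    const el = doc.createElement("script");
    el.src = src;
    el.async = true;
    doc.head.appendChild(el);
  }
  return decision.loaded.length;
}

// Stand-alone run: a first-time visitor with no stored consent and no signal.
if (typeof require !== "undefined" && require.main === module) {
  const nav = { globalPrivacyControl: false, doNotTrack: null };
  console.log("signals-only:", signalsOnlyGate(SAMPLE_SCRIPTS, nav));
  console.log("opt-in:      ", optInGate(SAMPLE_SCRIPTS, {}, nav));
}
```

Run it with `node` to see the difference for a first-time visitor: the signals-only gate loads all three scripts, the opt-in gate loads only the strictly necessary one. In a browser you would pass `navigator` and `document` (and a consent record read from your own storage) to the same functions.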