Government & Public Authority Data Request Policy
Effective: March 4, 2026 · Last reviewed: March 4, 2026
Policy owner: Data Protection Officer / Company Principal
1. Purpose
This policy establishes the procedures and requirements that NeuralMarketer (“Company”) follows when receiving requests for user personal data or personal information from government agencies, law enforcement, courts, or other public authorities (“Public Authority Requests”). This policy applies to all employees, contractors, and agents of the Company.
2. Scope
This policy covers all requests for user data from any public authority, including but not limited to:
- Subpoenas (civil and criminal)
- Court orders
- Search warrants
- National security letters
- Regulatory inquiries or demands
- International legal assistance requests
- Administrative summonses
- Informal law enforcement requests
This policy applies to all Platform Data, including data obtained from third-party platforms such as Meta, Google, and other integrated services.
3. Legal Review Requirement
All Public Authority Requests must undergo legal review before any data is disclosed.
3.1 Receipt of Request
Upon receiving a Public Authority Request, the receiving employee or contractor must:
- Not disclose any data until the review process is complete.
- Forward the request immediately (within 24 hours) to the Company Principal or designated legal reviewer.
- Preserve all relevant data subject to the request in its current state to prevent accidental deletion or modification.
3.2 Legal Review Process
The legal reviewer (Company Principal or retained outside counsel) shall evaluate each request for the following:
- Jurisdiction: Whether the requesting authority has proper jurisdiction.
- Legal basis: Whether the request cites a valid and applicable legal authority (e.g., specific statute, court order, warrant).
- Proper form: Whether the request complies with applicable procedural requirements (e.g., signed by a judge, served properly, includes required specificity).
- Scope: Whether the request is appropriately scoped and not overly broad.
- Applicable exemptions: Whether any legal privileges, immunities, or exemptions apply (e.g., attorney-client privilege, First Amendment protections, stored communications protections under the Electronic Communications Privacy Act).
- Platform obligations:Whether disclosure would violate the Company’s obligations under third-party platform terms (e.g., Meta Platform Terms, Google API Terms of Service).
3.3 Timeline
Legal review shall be completed within a commercially reasonable timeframe, and no later than the deadline specified in the request. If the deadline is unreasonably short, the Company shall request an extension from the requesting authority.
4. Challenging Unlawful or Improper Requests
4.1 Grounds for Challenge
The Company will challenge or push back on a Public Authority Request when:
- The request lacks a valid legal basis or proper authorization.
- The request is overly broad, vague, or disproportionate in scope.
- The request appears to violate applicable law, including constitutional protections.
- Compliance would require the Company to violate its obligations to users or third-party platform providers.
- The request does not meet jurisdictional requirements.
- The request seeks data protected by legally recognized privileges.
4.2 Challenge Procedures
When a request is deemed deficient or unlawful, the Company shall:
- Notify the requesting authority in writing of the specific deficiencies or objections.
- Request modification of the scope or form of the request to cure the deficiency.
- File a motion to quash or modify the request with the appropriate court, if the requesting authority does not voluntarily narrow or withdraw the request.
- Engage outside counselwhen necessary to represent the Company’s position.
4.3 User Notification
Unless legally prohibited (e.g., by a gag order, sealed court order, or national security letter), the Company will make reasonable efforts to notify the affected user(s) of the request prior to disclosure, so that the user may seek their own legal counsel or challenge the request independently.
5. Data Minimization
5.1 Minimum Necessary Disclosure
The Company shall disclose only the minimum amount of data strictly necessary to comply with a legally valid request. Specifically:
- Only data explicitly identified in the request will be disclosed. The Company will not voluntarily provide additional data beyond the scope of the request.
- If a request is overly broad, the Company will work with the requesting authority to narrow the scope before producing any data.
- Data fields not specified in the request will be redacted or excluded from the production.
- Where possible, data will be anonymized or aggregated before disclosure if doing so satisfies the request.
5.2 Third-Party Platform Data
For data obtained from third-party platforms (including Meta Platform Data), the Company will apply additional scrutiny to ensure:
- Only the specific Platform Data identified in the request is disclosed.
- Disclosure is consistent with the Company’s obligations under the applicable platform’s terms and policies.
- The platform provider is notified if required by the platform’s terms.
6. Documentation & Record-Keeping
6.1 Request Log
The Company shall maintain a Government Data Request Log that records the following for each Public Authority Request received:
| Field | Description |
|---|---|
| Date Received | Date the request was received by the Company |
| Requesting Authority | Name and jurisdiction of the requesting agency or authority |
| Type of Request | Subpoena, court order, warrant, informal request, etc. |
| Legal Basis Cited | Statute, rule, or legal authority cited in the request |
| Data Requested | Description of the data or records sought |
| Users Affected | Number and identifiers of affected users (if known) |
| Legal Review Date | Date legal review was completed |
| Legal Reviewer | Name of person or counsel who conducted the review |
| Legal Assessment | Summary of the legality determination (valid / deficient / challenged) |
| Action Taken | Complied (full or partial), challenged, rejected, or pending |
| Data Disclosed | Description of data actually produced, if any |
| Date of Disclosure | Date data was provided to the requesting authority |
| Challenge Filed | Whether a challenge or objection was filed (yes/no), and outcome |
| User Notified | Whether affected user(s) were notified (yes/no/prohibited) |
| Notes | Any additional context, communications, or follow-up actions |
6.2 Retention
The Government Data Request Log and all associated documentation (copies of requests, legal assessments, correspondence, court filings, and records of data produced) shall be retained for a minimum of five (5) years from the date of final resolution of the request.
6.3 Confidentiality
The Government Data Request Log and associated records are confidential Company records. Access is limited to the Company Principal, designated legal reviewer, and outside counsel.
7. Emergency Requests
In rare circumstances where a Public Authority Request involves an imminent threat to life or serious physical harm, the Company may expedite the legal review process and disclose data on an emergency basis. Even in emergency situations:
- A legal review must still be conducted, even if abbreviated.
- Only the minimum data necessary to address the emergency shall be disclosed.
- The emergency disclosure must be documented in the Government Data Request Log.
- A full legal review shall be conducted after the emergency disclosure.
8. Transparency
The Company is committed to transparency regarding Public Authority Requests. Subject to legal restrictions:
- The Company may publish periodic transparency reports summarizing the number and types of requests received.
- The Company will update its Privacy Policy if required to reflect material changes in government data access practices.
9. Training
All employees and contractors who may receive or handle Public Authority Requests shall be trained on this policy upon onboarding and at least annually thereafter. Training shall cover:
- How to identify a Public Authority Request.
- The requirement not to disclose data before legal review.
- How to properly escalate requests to the legal reviewer.
- Data preservation obligations.
10. Policy Review
This policy shall be reviewed and updated at least annually, or more frequently if required by changes in applicable law, regulatory guidance, or the Company’s business operations.
11. Contact
Questions about this policy should be directed to:
NeuralMarketer
Email: contact@neuralmarketer.com
This policy is an internal operational document of NeuralMarketer and does not create any rights or obligations enforceable by third parties.