What can I do about this clause?

{'method': 'EMAIL', 'recipient': 'privacy@asana.com', 'difficulty': 'EASY', 'action_type': 'DELETE_DATA', 'instructions': 'Email privacy@asana.com with your full name, account email address, and a description of the data you wish to access, correct, or delete. Specify whether you are an individual or organizational account user.', 'deadline_days': None, 'deadline_hours': None} {'method': 'EMAIL', 'recipient': 'privacy@asana.com', 'difficulty': 'EASY', 'action_type': 'EXPORT_DATA', 'instructions': 'Email privacy@asana.com to request a copy of your personal data. Include your account email address and specify the type of data you wish to receive.', 'deadline_days': None, 'deadline_hours': None}

Which regulatory agencies enforce this type of clause?

{'agency': 'State_AG', 'reason': 'State Attorneys General enforce state-level privacy rights including CCPA in California. If data subject requests are not fulfilled within statutory timeframes, a complaint may be filed with the relevant State AG.', 'complaint_url': 'https://www.naag.org/find-my-ag/'}

What is the severity of this clause?

ConductAtlas classifies this Individual Privacy Rights and Contact Mechanism clause as low severity. Severity reflects the magnitude of rights affected, the breadth of users impacted, and the degree of discretion the platform retains.

Individual Privacy Rights and Contact Mechanism — Asana

Share 𝕏 Share in Share 🔒 PDF

Recent governance activity Asana recorded 2 documented changes in the last 30 days.

Start monitoring updates

Monitor governance changes for Asana Create a free account to receive the weekly governance digest and monitor one platform for governance changes.

Create free account No credit card required.

Document Record

What it is

Asana provides an email address where you can ask to see, correct, or delete your personal data.

ⓘ

This analysis describes what Asana's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology

ConductAtlas Analysis

Why it matters (compliance & governance perspective)

Knowing the specific contact mechanism for exercising privacy rights is practically important. Without a clear process, consumers may not be able to act on their rights under GDPR or CCPA.

⚠

Interpretive note: The exact verbatim language of the rights mechanism is not reproduced in the hub page; the specific scope of rights and response timeframes is detailed in Asana's linked Privacy Policy.

Consumer impact (what this means for users)

Consumers can contact privacy@asana.com to exercise data access, correction, or deletion rights. The practical effectiveness of this mechanism for workspace data depends on whether the user is an individual or organizational account holder, since workspace data is controlled by the deploying organization.

What you can do

⚠️ These actions may provide transparency or partial mitigation but may not fully address the underlying issue. Effectiveness varies by jurisdiction and individual circumstances.

Delete Your Data

Email privacy@asana.com with your full name, account email address, and a description of the data you wish to access, correct, or delete. Specify whether you are an individual or organizational account user.
Export Your Data

Email privacy@asana.com to request a copy of your personal data. Include your account email address and specify the type of data you wish to receive.

How other platforms handle this

ADP Medium

If you are a California resident, you may have certain rights under the California Consumer Privacy Act (CCPA). These rights may include: the right to know about personal information collected, disclosed, or sold; the right to delete personal information collected from you; the right to opt-out of t...

TransUnion Medium

Depending on where you live, you may have certain rights with respect to your personal information. These rights may include: The right to know what personal information we have collected about you, including the categories of personal information, the categories of sources from which we collected i...

Waze Medium

If you are located in the European Economic Area or the United Kingdom, you have certain rights under applicable data protection laws, including the right to access, correct, or delete your personal data, the right to object to or restrict processing, and the right to data portability. You may also ...

See all platforms with this clause type →

Monitoring

Asana has changed this document before.

Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.

Start Watcher free trial Or create a free account →

▸ View Original Clause Language DOCUMENT RECORD

"
Users can submit data access, correction, or deletion requests by contacting privacy@asana.com.

— Excerpt from Asana's Asana Privacy Statement

ConductAtlas Analysis

Institutional analysis (Compliance & governance intelligence)

(1) REGULATORY LANDSCAPE: GDPR Articles 15 through 22 establish data subject rights including access, rectification, erasure, and portability. CCPA grants California consumers rights to know, delete, and correct personal information. Both frameworks impose response timeframes on controllers. Where Asana acts as a processor, it must assist the controller in responding to data subject requests under GDPR Article 28(3)(e). (2) GOVERNANCE EXPOSURE: Low to Medium. Providing a single email address as the primary rights-request mechanism is common industry practice. The adequacy of this mechanism depends on whether Asana has documented internal workflows for triaging requests by controller-processor classification, verifying identity, and meeting statutory response deadlines. (3) JURISDICTION FLAGS: EU/EEA users are entitled to a response within 30 days under GDPR, extendable to 90 days for complex requests. California residents under CCPA have a 45-day response window. Organizations operating in multiple jurisdictions should confirm Asana's response SLAs align with the most stringent applicable requirement. (4) CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers should assess whether Asana's DPA specifies obligations to assist with data subject requests and within what timeframes. B2B contracts should address how Asana routes requests received from organizational employees to the appropriate controller. (5) COMPLIANCE CONSIDERATIONS: Compliance teams should test the data subject request process and document response times. Internal employee privacy notices should direct staff to the appropriate channel depending on whether their request relates to workspace data (controlled by the employer) or account and marketing data (controlled by Asana).

Full compliance analysis

Regulatory citations, enforcement risk, and due diligence action items.

Track 1 platform — free Try Watcher free for 14 days

Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.

Applicable agencies

State AG

State Attorneys General enforce state-level privacy rights including CCPA in California. If data subject requests are not fulfilled within statutory timeframes, a complaint may be filed with the relevant State AG.
File a complaint →

Applicable regulations

Connecticut Data Privacy Act Amendments

US-CT

CAN-SPAM

United States Federal

FTC Act Section 5

United States Federal

GDPR

European Union

Indiana Consumer Data Protection Act

US-IN

Kentucky Consumer Data Protection Act

US-KY

Universal Opt-Out Mechanism Expansion 2026

VPPA

United States Federal

Provision details

Document information

Document

Asana Privacy Statement

Entity

Asana

Document last updated

May 5, 2026

Tracking information

First tracked

May 11, 2026

Last verified

May 11, 2026

Record ID

CA-P-009989

Document ID

CA-D-00558

Evidence Provenance

Source URL

https://asana.com/privacy

Wayback Machine

View archived versions →

Content hash (SHA-256)

24821b5c3b093e6990d3d19ddc8b949d79479238b91c586976ac72d2e994bf1c

Analysis generated

May 11, 2026 00:53 UTC

Methodology

summarize_document-v8

Evidence

✓ Snapshot stored ✓ Hash verified

Citation Record

Entity: Asana
Document: Asana Privacy Statement
Record ID: CA-P-009989
Captured: 2026-05-11 00:53:56 UTC
SHA-256: 24821b5c3b093e69…
URL: https://conductatlas.com/platform/asana/asana-privacy-statement/individual-privacy-rights-and-contact-mechanism/
Accessed: May 13, 2026

Permanent archival reference. Stable identifier suitable for legal filings, compliance documentation, and research citation.

Classification

Severity

Low

Other risks in this policy

Controller-Processor Distinction for Workspace Data medium
EU-U.S. Data Privacy Framework Participation medium
Security Certifications and Standards low
California Resident Privacy Rights (CCPA) medium
Cookie and Tracking Technology Use medium
Data Processing Agreement for Enterprise Customers high

Professional Governance Intelligence

Need to monitor specific governance provisions?

Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.

Arbitration clauses AI governance Data rights Indemnification Retention policies

Start Professional free trial

Or start with Watcher →

Built from archived source documents, structured governance mappings, and historical version tracking.

Frequently Asked Questions

What does Asana's Individual Privacy Rights and Contact Mechanism clause do?

Knowing the specific contact mechanism for exercising privacy rights is practically important. Without a clear process, consumers may not be able to act on their rights under GDPR or CCPA.

How does this clause affect you?

Is ConductAtlas affiliated with Asana?

No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Asana.