Transcend prefers to look up Personal Data by email. If that's not possible, we may be able to use mobile identifiers (IDFA, GPADVID), and even phone numbers (e.g. messages are searched by phone number in Twilio's API).

Action routes (access, erasure, opt-out) should be keyed by identifiers that the mutual customer will reliably possess. For example, Optimizely allows data subject requests by the Optimizely-assigned optimizely_end_user_id (which clients might be able to figure out for their users) or by email (every data subject request with Transcend is associated with a verified email).