Data Retention Policy

UK GDPR Art. 5(1)(e) storage limitation · Document version 1.0 · Last updated: 11 May 2026

Headline: You stay in control. Disconnect a Gmail account, delete email data, or delete your entire account from Settings → Privacy & Data at any time. Confirmed deletions complete in production within 30 days, and we never restore deleted accounts.

1. Retention schedule

Data category	Default retention	Trigger for deletion
User account (email, name, hashed password)	Lifetime of the account	User deletes account → cascade delete within 24 hours; 30-day backup window then purged.
Imported emails (subject, body, headers)	Up to 24 months rolling, sliding window	Disconnect Gmail OR “Delete email data” OR delete account — whichever comes first.
AI-derived analytics (commitments, emotions, memory, trust edges, etc.)	Deleted with the source email on the same cascade	Source email deletion / user-initiated wipe.
OAuth refresh tokens (encrypted)	Until disconnect or 60 days of inactivity, whichever is sooner	Disconnect Gmail, account deletion, or token revocation by Google.
Operational logs & security telemetry	30 days rolling	Auto-purged. No PII in log bodies.
Database backups	30 days encrypted	Auto-purged. Deleted records are not restored from backup.
Billing & tax records (when paid plans launch)	6 years per HMRC requirements	Statutory retention.
DSAR / privacy correspondence	3 years	Statute-of-limitation horizon; held under restricted access.

2. How deletion works in practice

Self-service delete — Settings → Privacy & Data. Three options: export, wipe email data, or delete account. Triple-confirmation required for account deletion.
Cascade — deleting an EmailAccount cascades to every Email, ThreadSummary, MemoryEntry, Commitment, EmotionalScore, ContactProfile, TrustEdge, InvisibleWorkMetric, DecisionDrift, KnowledgeNode, RegulatoryExposure, DataProtectionAlert and EmailSimulation row.
Backups — the 30-day rolling encrypted backup window is the maximum residency. Backups are write-only and are not restored on individual user request.
Verification — on request to [email protected] we will provide written confirmation that deletion has been completed.

3. Right to be forgotten (Art. 17)

Where deletion is technically blocked by an overriding obligation (e.g. tax retention, fraud investigation), we will restrict processing under Art. 18, tell the data subject why, and delete the data as soon as the obligation expires.

4. Review

This policy is reviewed every 12 months and after any product change that affects what data is retained.