Data Retention Policy
How long we keep your data and why
Last updated: January 2, 2026
Overview
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements. This policy outlines our data retention periods and the rationale behind them.
When data is no longer needed, it is securely deleted or anonymized in accordance with our data destruction procedures.
Retention Periods by Data Category
| Data Category | Retention Period | Justification | Deletion Method |
|---|---|---|---|
| Account Information: Email, name, password hash | Duration of account + 14 days | Required for service delivery; 14-day grace period for deletion requests | Permanent deletion |
| Security Scan Jobs: Job metadata, configuration | 1 year after completion | Service history and troubleshooting | Permanent deletion with cascade |
| Scan Output Files: Reports, logs, results | 30 days after job completion | User download period | Secure file deletion |
| Download Tokens: One-time access tokens | 24 hours (or until used) | Security - limit exposure window | Permanent deletion |
| Data Exports: GDPR export files | 7 days after generation | Security - limit exposure of personal data | Secure file deletion |
| Login Attempts: Success/failure records | 90 days | Security monitoring and fraud prevention | Permanent deletion |
| User Sessions: Active session tokens | 24 hours idle or 30 days max | Security - session management | Permanent deletion |
| Audit Logs: Security and access events | 7 years | Legal/regulatory compliance (SOC 2, ISO 27001) | Permanent deletion |
| Consent Records: GDPR consent history | Duration of account + 7 years | Legal requirement to demonstrate consent | Anonymization on account deletion |
| Purchase Records: Transaction history | 7 years after transaction | Tax and accounting requirements | Anonymization |
| Container Logs: Docker execution logs | 2 hours (orphaned containers) | Operational cleanup | Container removal |
Automated Enforcement
Our data retention policy is enforced automatically through scheduled background jobs:
- Hourly: Expired download tokens, expired sessions
- Every 15 minutes: Orphaned containers
- Daily: Expired data exports, pending account deletions
- Weekly: Old login attempts, old jobs, old audit logs
These automated processes ensure consistent enforcement of retention policies without manual intervention.
Legal Holds
In certain circumstances, we may need to preserve data beyond the normal retention period:
- Active legal proceedings or investigations
- Regulatory audits or examinations
- Preservation requests from law enforcement
When a legal hold is in place, affected data will be preserved until the hold is released, after which normal retention policies will resume.
Your Rights
Under GDPR and other privacy regulations, you have the right to:
- Access: Request a copy of your personal data
- Erasure: Request deletion of your account and associated data
- Portability: Receive your data in a machine-readable format
You can exercise these rights through your Privacy Dashboard or by contacting our Data Protection Officer.
Data Destruction
When data reaches the end of its retention period, it is destroyed using appropriate methods:
- Database records: Permanent deletion from PostgreSQL with VACUUM
- Files: Secure deletion from filesystem
- Backups: Removed during backup rotation (within 30 days)
- Anonymization: For data required for legal purposes, personal identifiers are removed while preserving aggregate information
Policy Updates
We may update this data retention policy from time to time. Significant changes will be communicated to users via email or through our platform. The "Last updated" date at the top of this page indicates when the policy was last revised.
Contact
If you have questions about our data retention practices, please contact:
Data Protection Officer
Email: dpo@secure7.com
Secure7 Innovations Sp. z o.o.
ul. Erazma Ciołka 17/304
01-445 Warszawa, Poland