Data Retention - Target Policy and Live Proof
Policy last audited: 2026-04-24
Under GDPR Article 5(1)(e) (storage limitation), personal data must not be kept longer than necessary. This page documents our target retention windows and clearly distinguishes between rules that are actively enforced by automated jobs and rules that are committed targets with enforcement in progress.
Retention Policy at a Glance
Derived from migration 025 (Data Privacy Control Center, 2026-04-22). Enforced rules run via PostgreSQL functions delete_expired_sessions() and styrby_expire_stale_exports scheduled via pg_cron at 03:00 CT daily. Target rules will be backed by automated jobs in a future release.
| Data Type | Retention Window | Mechanism | GDPR Basis | Status |
|---|---|---|---|---|
| Sessions | Per user setting: 7 / 30 / 90 / 365 days, or Never (default) | Soft-delete (deleted_at set) by nightly cron delete_expired_sessions(). Hard-delete 48h after soft-delete is a committed target pending a second cron job. | Art. 5(1)(e) storage limitation; Art. 17 right to erasure | Enforced (soft-delete) |
| Session messages | Same as parent session | Cascades with session soft/hard delete. Content is E2E encrypted; Styrby cannot read it. | Art. 5(1)(e); zero-knowledge architecture | Enforced (cascades with session) |
| Data export requests | 72 hours for pending/processing status, then marked expired | Nightly cron styrby_expire_stale_exports marks stale requests expired at 03:30 CT. Records remain in the audit table. | Art. 15 (subject access right); migration 025 styrby_expire_stale_exports | Enforced (nightly cron) |
| Account (profile) | 30-day grace window after deletion request | Soft-delete on request (deleted_at set immediately). Hard-delete via edge function purge-deleted-accounts after 30 days (deployment in progress). | Art. 17 right to erasure (30-day grace period per Art. 17(3)(e)) | Target (edge function pending) |
| Audit log entries | 90 days after account deletion, then permanently removed | Retained for security investigation per SOC2 CC7.2. Automated purge cron is a committed target; no scheduled job as of migration 025. | Art. 5(1)(e); SOC2 CC7.2 system monitoring | Target (cron pending) |
| Cost records | Duration of account + 90 days after deletion | BRIN-indexed time-series table retained for billing reconciliation. Automated purge on account deletion is a committed target; no scheduled job as of migration 025. | Financial record retention; tax compliance | Target (cron pending) |
Live Proof - Records Purged in Last 30 Days
Live counts are shown only for Enforced rules. Target rules will appear here once their automated jobs are deployed.
Sessions soft-deleted (last 30 days)
0
Source: sessions WHERE deleted_at IS NOT NULL AND deleted_at > now() - 30 days
Enforced by styrby_delete_expired_sessions (nightly, 03:00 CT)
Count computed at
May 11, 2026, 7:02 AM CT
Cached for up to 1 hour. Nightly cron runs at 03:00 CT.
Target rules without automated enforcement will be backed by scheduled jobs in a future release. See migration 025 (supabase/migrations/025_data_privacy_control_center.sql) for the canonical enforcement definitions.
Questions about our retention policy? [email protected]
Related: Data Processing Agreement | Privacy Policy | Subprocessors