Data Retention
Retention windows by data category and how account deletion is propagated across systems and backups.
Draft document
This text is an engineering placeholder pending review by qualified legal counsel. It is published so SymaOS can be evaluated end-to-end before public launch, but it is not legal advice and must not be relied upon for production decisions. The launch gate (SYMAOS_LEGAL_APPROVED=false) keeps public signup, paid plan activation, and App Store submission blocked until lawyer-reviewed versions ship.
Effective date
June 12, 2026
1. Retention windows
| Category | Retention | Deletion trigger |
|---|---|---|
| User account record (identity, display name, plan) | For the lifetime of the account | Hard-deleted after the configured cooling-off window following an account deletion request |
| Active sessions | Up to the configured session expiry (default 30 days) | Revoked immediately on sign-out, account deletion, or detected compromise |
| OAuth tokens (encrypted) | Until the integration is disconnected or the account is deleted | Removed when the user disconnects the integration or requests account deletion |
| Raw email and calendar payloads | Not persisted - normalized in-memory and dropped after extraction | N/A |
| Derived tasks, plans, briefs | For the lifetime of the account | Removed during the account deletion sweep |
| Audit log entries | 12 months by default, configurable per environment | Pruned by automated retention job; cleared on hard deletion of the account |
| Billing records (Stripe-backed) | Retained as long as legally required (typically 7 years) | Personal identifiers detached on account deletion; financial records retained for tax / audit obligations |
| Application and security logs | 30 days rolling, sampled, with PII scrubbed | Automatic rotation; expedited deletion on request |
| Backups | Encrypted snapshots retained for up to 35 days by the database provider | Backups expire on their own rotation schedule and cannot be selectively edited |
2. Account deletion workflow
- You initiate deletion from Settings → Account → Delete account or via the `DELETE /api/account/data` endpoint.
- SymaOS records a tamper-evident deletion request, revokes all sessions, disconnects every connected integration, and cancels active paid subscriptions at the end of their billing period.
- A cooling-off period begins. During this window you may cancel the request via `POST /api/account/deletion/cancel`.
- After the cooling-off window expires, the user record and all owning rows are hard-deleted. Audit entries are retained only as long as required by law.
- Backups are not selectively edited; the deleted data is purged naturally as backup snapshots roll out of the retention window.
3. Legal holds
If we are required by law to preserve data (regulatory request, litigation hold, fraud investigation), the affected records are retained for the period mandated by that obligation regardless of the schedule above.
4. Contact
Retention questions: privacy@symaos.com.