Data retention and deletion policy

Effective Date: May 15, 2026

This policy describes retention objectives and procedures. It is not a guarantee against compelled production or security incidents.

Retention schedule

CategoryDefault retentionNotes
Operator account data (profile, configuration, settings)Duration of Account + 90 days post-terminationExtendable under legal hold
Billing records7 years from last transactionTax and accounting law
Consent records and evidence vaultCustomer-configured; default 7 years from captureBusiness+ may configure windows where supported
Security and audit logs12–24 months from eventAnti-abuse, incident investigation
Support communications3 years from last interactionService improvement, dispute resolution
AI conversation logs (compliance assistant, support chat)Up to 90 days, then purged or aggregatedSafety, abuse detection, model evaluation
Edge cache and transient stateTTL-limited (seconds to hours)Operational performance
BackupsStandard rotation, typically 30–90 daysThen overwritten
Aggregated / de-identified analyticsIndefinitelyCannot be linked to a Data Subject

Customer-configurable retention applies to Consent Records and operator-controlled data where the product supports it. CapchaCloud-controlled data (operational logs, security signals, billing) is retained per the table above.

Deletion procedures

Active system deletion

When deletion is triggered (Customer request, account termination, expiration of retention window), CapchaCloud: (1) removes the data from active databases and storage within 90 days of the trigger; (2) issues confirmation on written request to support@serviceautomations.ai (subject: “Deletion confirmation”).

Backup deletion

Backups are immutable for their retention window. Data in backups is deleted on the normal backup rotation cycle, typically within 30–90 days of deletion from active systems.

Legal hold

Data subject to legal hold (preservation order, litigation, regulatory inquiry, BAA-related retention requirement) is retained beyond the standard window. CapchaCloud will document the basis for the hold and resume deletion when the hold expires.

De-identified data

CapchaCloud may retain de-identified data indefinitely. CapchaCloud commits not to re-identify de-identified data except as permitted by law.

Data subject rights — DSAR procedure

End User Data Subject Rights requests for data Processed on a Customer’s behalf are routed to the Customer as Controller (DPA §8). For data CapchaCloud Processes as Controller (operator data), Customers and Data Subjects may submit requests directly:

  1. Submit a request to support@serviceautomations.ai with subject “DSAR Request — [Type]” where Type is Access / Correction / Deletion / Portability / Opt-Out / Objection.
  2. Identity verification. We may require verification of identity before responding. We will not respond to requests we cannot verify.
  3. Authorized agents must provide signed authorization. We may contact the Data Subject directly to confirm authority.
  4. Response timeline. We respond within the timeframe required by applicable law (for example GDPR/UK GDPR: 30 days extendable; CCPA/CPRA: 45 days extendable with notice).
  5. No fees for the first request in any 12-month period; reasonable fees for manifestly unfounded or excessive requests as permitted by law.
  6. Exceptions. We may decline requests where we cannot verify identity, compliance would violate a legal obligation, data is subject to legal hold, compliance would compromise the rights or freedoms of others, or other lawful exceptions apply. We will explain the basis for any denial.
  7. Appeal. Submit a written appeal to support@serviceautomations.ai with subject “DSAR Appeal.” We will respond within the timeframe required by applicable law. For unresolved disputes, you may lodge a complaint with your local supervisory authority (EU/UK) or attorney general (U.S.).

Export

Customers may export their data via the dashboard or documented API at any time during the Service term and within the 30-day Export Window after termination. Exports are provided in machine-readable form (JSON or equivalent). See Terms §18.

Contact

support@serviceautomations.ai — use clear subject lines (“DSAR”, “Deletion”, “Security”).

End of data retention and deletion policy. Last updated: May 15, 2026.