Data Retention Policy
How long TheAccessible.org retains each category of customer and account data, when it is deleted, and how backups and legal holds work.
- Version
- 1.0
- Published
- April 21, 2026
- Next review
- April 21, 2027
- Approved by
- Larry Anglin
1. Principles
We retain personal data only for as long as we need it to provide the Service, meet our legal and tax obligations, resolve disputes, and enforce our agreements. When a retention period ends, the data is deleted or irreversibly anonymized.
Two principles drive this policy:
- Purpose limitation — data is kept only while it is needed for the purpose it was collected for.
- Minimization on deletion — when we delete, we delete across our primary systems, search indexes, and queues. Backups follow a separate, bounded schedule described in section 6.
2. Retention schedule
| Category | Retention period | Trigger for deletion |
|---|---|---|
| Account profile (name, email, organization) | Life of account + 30 days | Account deletion |
| Authentication sessions and tokens | Up to 30 days from last use | Session expiry or sign-out |
| Uploaded source documents | While associated with your account | User deletion or account deletion |
| Converted output documents | While associated with your account | User deletion or account deletion |
| Conversion job metadata (job ID, timestamps, pages, status) | 13 months | Rolling deletion by age |
| Request and usage logs | 90 days | Rolling deletion by age |
| Security logs (auth events, admin actions) | 13 months | Rolling deletion by age |
| Billing records and invoices | 7 years | Statutory tax-retention period |
| Support tickets and correspondence | 3 years after ticket close | Rolling deletion by age |
| Email send records (transactional) | 13 months | Rolling deletion by age |
| AI provider prompt/response logs (our side) | 30 days | Rolling deletion by age |
| Anonymized / aggregated analytics | Indefinite | Not personal data after anonymization |
| Backups (see §6) | Up to 30 days | Rolling backup rotation |
3. Account deletion
You can delete your account from your profile settings. On account deletion:
- Account profile, authentication data, and personal preferences are deleted within 30 days.
- Uploaded source documents and converted output are deleted within 30 days.
- Billing records are retained for the statutory period (see the table above) with any personal data beyond what is legally required removed.
- Support tickets are disassociated from the account and retained for the correspondence-retention period, with personal identifiers minimized.
The 30-day window lets us reverse accidental deletions and complete any in-flight operations safely. During this window, sign-in is disabled.
4. Customer-initiated deletion
You can delete specific documents or records at any time from the Service. You can also request broader deletion (for example, all documents from a date range or all content older than a threshold) via the Data Subject Rights Procedure.
5. Legal holds
If we become subject to a legal hold, subpoena, or other legal process that requires preservation of specific data, we will suspend the retention and deletion schedule above for the affected records only and only for as long as the hold requires. When the hold is lifted, the data is deleted on the next scheduled cycle unless retention is otherwise required.
We do not preserve data voluntarily beyond the schedule in section 2.
6. Backups
Backups exist so we can recover from a catastrophic failure. They are encrypted at rest and access is restricted to a small on-call team.
- Backups are retained for up to 30 days on a rolling basis.
- Deleting a record from the live system does not immediately remove it from backups. A record that was present at the time a backup was taken will persist in that backup until the backup itself is rotated out (maximum 30 days after deletion).
- If a restore is ever required, restored data is reconciled against live deletions before the system is returned to service — records that had been deleted will not reappear.
7. Third-party processors
Our subprocessors retain data per their own published retention practices and their agreements with us. The current list is at Subprocessors; AI provider retention is covered specifically in the AI & ML Disclosure.
8. Anonymized and aggregated data
We may keep aggregated statistics and de-identified analytics (for example, monthly document-volume counts, feature-usage distributions) indefinitely, because these cannot reasonably be linked back to an individual. We do not attempt to re-identify anonymized data.
9. Enforcement
Retention schedules are enforced by automated jobs that run on a defined cadence and whose logs are reviewed. Exceptions require documented justification. Where an error causes data to be retained beyond the schedule, it is treated as an incident and remediated.
10. Changes to this policy
We will update this policy when our retention practices change. The effective date appears at the top of this page. For material changes (for example, extending a retention period for personal data) we give at least 30 days' advance notice in line with our Privacy Policy. Prior versions remain available from the version history link below.
11. Contact
Questions about retention or requests for deletion: privacy@theaccessible.org.