Data Retention Policy

This Data Retention Policy describes what data createtodo retains, for how long, and the processes by which data is deleted or anonymized, in accordance with the GDPR principle of storage limitation (Article 5(1)(e)).

1. Guiding Principles

Minimization: We only retain personal data for as long as necessary to fulfill the purpose for which it was collected.
Purpose limitation: Data is not repurposed beyond its original collection purpose without consent.
Automated enforcement: Retention limits are enforced programmatically, not manually.

2. Retention Schedule

2.1 User Account Data

Data	Retention Period	Trigger for Deletion
Active user profile (name, email, display name, avatar, timezone, phone)	Duration of active account	User-initiated account deletion or admin soft-delete
Soft-deleted user profile	14 days after soft deletion (grace period for recovery)	Automated daily purge job permanently erases PII and hard-deletes the user record
Member records (after purge)	Indefinite (anonymized shell)	Display name replaced with “Former Member”, `userId` set to null — preserved for content attribution and referential integrity

2.2 Authentication Data

Data	Retention Period	Trigger for Deletion
Sessions	Until session expiry or user logout	Automatically deleted on expiry; all sessions invalidated on account deletion
Magic link verification tokens	Minutes (short-lived by design)	Automatically deleted on expiry or successful verification
Passkey credentials	Duration of active account	Deleted during account purge
OAuth account links (GitHub, Google)	Duration of active account	Deleted during account purge
Invitation records	Until accepted, declined, or expired	Automatically cleaned up on expiry

2.3 User-Generated Content

Data	Retention Period	Trigger for Deletion
Todos/issues	Duration of workspace existence	Soft-deleted (recoverable), then permanently deleted with workspace
Comments	Duration of workspace existence	Soft-deleted, then permanently deleted with workspace
Projects and lists (containers)	Duration of workspace existence	Deleted with workspace
Labels, custom fields, custom field values	Duration of workspace existence	Deleted with workspace
Workflows and workflow states	Duration of workspace existence	Deleted with workspace
Teams and team memberships	Duration of workspace existence	Deleted with workspace
Cycles	Duration of workspace existence	Deleted with workspace

2.4 Presence Data

Data	Retention Period	Trigger for Deletion
User presence records	Duration of workspace existence	Deleted with workspace

2.5 Organization and Workspace Data

Data	Retention Period	Trigger for Deletion
Organization/workspace record	Until all members leave or owner deletes	Owner-initiated deletion
Member records	Until member leaves or is removed	Immediate deletion on removal
Workspace settings	Duration of workspace existence	Deleted with workspace
Workspace sequences (counters)	Duration of workspace existence	Deleted with workspace

2.6 Payment and Billing Data

Data	Retention Period	Trigger for Deletion
Polar.sh customer reference	Managed by Polar.sh	Per Polar.sh’s retention policy
Subscription status	Managed by Polar.sh	Per Polar.sh’s retention policy
Invoices and transaction records	As required by applicable tax law (typically 7 years)	Managed by Polar.sh

2.7 Email Marketing Data

Data	Retention Period	Trigger for Deletion
Loops contact record (email, user ID, first name)	Duration of active account	Deleted from Loops on account deletion or soft-delete
Email event history	Managed by Loops	Per Loops’ retention policy

2.8 Technical and Operational Data

Data	Retention Period	Trigger for Deletion
Application server logs	30 days	Automatic log rotation
Database audit/replication logs	Managed by Neon	Per Neon’s infrastructure policies
CDN/edge logs (CloudFront)	Managed by AWS	Per AWS CloudFront log retention settings

3. Account Deletion Process

When a user deletes their account (or an admin soft-deletes a user):

Immediate actions (Day 0):

Account is soft-deleted (deletedAt timestamp set, isActive set to false).
All workspace member records are anonymized (display name set to “Former Member”, avatar removed).
All active sessions are invalidated and deleted.
User’s contact record is removed from the email provider (Loops).

Grace period (14 days):

The user can sign back in during this period and cancel the deletion.
On cancellation, the account is restored and member display names are recovered from the user’s profile.

Automated purge (after 14 days):

User’s name is replaced with a “Deleted User” placeholder.
Email is replaced with an anonymized deleted-<uuid>@deleted.invalid address.
Profile image, display name, avatar URL, and phone number are set to null.
All passkey credentials are deleted.
All OAuth account links are deleted.
All remaining sessions are deleted.
The user record is permanently hard-deleted from the database.
Foreign key cascades set members.userId to null, severing the link between the anonymized member shell and the deleted user.

Admin immediate erase: Administrators can bypass the grace period and immediately erase a user via the admin API, combining both phases in one step.

Content authored by deleted users (todos, comments) is not deleted, but the user’s identity is fully anonymized and attributed to “Former Member”. This preserves workspace integrity for other members.

4. Data Export (Portability)

Users may request an export of their personal data by contacting privacy@createtodo.com. Exports include:

User profile data
Todos and comments authored by the user
Organization memberships

Exports are provided in JSON format within 30 days of the request.

5. Exceptions

Data may be retained beyond the standard retention period when:

Required by applicable law (e.g., tax retention requirements for payment records).
Necessary for the establishment, exercise, or defense of legal claims.
Subject to a valid legal hold or law enforcement request.

6. Review

This policy is reviewed at least annually and updated when new data categories are introduced or retention requirements change.

7. Contact

For data retention inquiries: privacy@createtodo.com