Data Retention Policy
Last updated: March 20, 2026
Effective date: March 20, 2026
This Data Retention Policy describes what data createtodo retains, for how long, and the processes by which data is deleted or anonymized, in accordance with the GDPR principle of storage limitation (Article 5(1)(e)).
1. Guiding Principles
- Minimization: We only retain personal data for as long as necessary to fulfill the purpose for which it was collected.
- Purpose limitation: Data is not repurposed beyond its original collection purpose without consent.
- Automated enforcement: Retention limits are enforced programmatically, not manually.
2. Retention Schedule
2.1 User Account Data
| Data | Retention Period | Trigger for Deletion |
|---|---|---|
| Active user profile (name, email, display name, avatar, timezone, phone) | Duration of active account | User-initiated account deletion or admin soft-delete |
| Soft-deleted user profile | 14 days after soft deletion (grace period for recovery) | Automated daily purge job permanently erases PII and hard-deletes the user record |
| Member records (after purge) | Indefinite (anonymized shell) | Display name replaced with “Former Member”, userId set to null — preserved for content attribution and referential integrity |
2.2 Authentication Data
| Data | Retention Period | Trigger for Deletion |
|---|---|---|
| Sessions | Until session expiry or user logout | Automatically deleted on expiry; all sessions invalidated on account deletion |
| Magic link verification tokens | Minutes (short-lived by design) | Automatically deleted on expiry or successful verification |
| Passkey credentials | Duration of active account | Deleted during account purge |
| OAuth account links (GitHub, Google) | Duration of active account | Deleted during account purge |
| Invitation records | Until accepted, declined, or expired | Automatically cleaned up on expiry |
2.3 User-Generated Content
| Data | Retention Period | Trigger for Deletion |
|---|---|---|
| Todos/issues | Duration of workspace existence | Soft-deleted (recoverable), then permanently deleted with workspace |
| Comments | Duration of workspace existence | Soft-deleted, then permanently deleted with workspace |
| Projects and lists (containers) | Duration of workspace existence | Deleted with workspace |
| Labels, custom fields, custom field values | Duration of workspace existence | Deleted with workspace |
| Workflows and workflow states | Duration of workspace existence | Deleted with workspace |
| Teams and team memberships | Duration of workspace existence | Deleted with workspace |
| Cycles | Duration of workspace existence | Deleted with workspace |
2.4 AI and Chat Data
| Data | Retention Period | Trigger for Deletion |
|---|---|---|
| AI chat conversations | Duration of workspace existence | Deleted with workspace |
| Chat messages | Duration of workspace existence | Deleted with workspace |
| AI action logs | Duration of workspace existence | Deleted with workspace |
| File attachments in chats | Duration of workspace existence | Deleted with workspace |
| AI tokens (streaming) | Duration of parent message existence | Cascade-deleted with parent message |
| User presence records | Duration of workspace existence | Deleted with workspace |
2.5 Organization and Workspace Data
| Data | Retention Period | Trigger for Deletion |
|---|---|---|
| Organization/workspace record | Until all members leave or owner deletes | Owner-initiated deletion |
| Member records | Until member leaves or is removed | Immediate deletion on removal |
| Workspace settings | Duration of workspace existence | Deleted with workspace |
| Workspace sequences (counters) | Duration of workspace existence | Deleted with workspace |
2.6 Payment and Billing Data
| Data | Retention Period | Trigger for Deletion |
|---|---|---|
| Polar.sh customer reference | Managed by Polar.sh | Per Polar.sh’s retention policy |
| Subscription status | Managed by Polar.sh | Per Polar.sh’s retention policy |
| Invoices and transaction records | As required by applicable tax law (typically 7 years) | Managed by Polar.sh |
2.7 Email Marketing Data
| Data | Retention Period | Trigger for Deletion |
|---|---|---|
| Loops contact record (email, user ID, first name) | Duration of active account | Deleted from Loops on account deletion or soft-delete |
| Email event history | Managed by Loops | Per Loops’ retention policy |
2.8 Technical and Operational Data
| Data | Retention Period | Trigger for Deletion |
|---|---|---|
| Application server logs | 30 days | Automatic log rotation |
| Database audit/replication logs | Managed by Neon | Per Neon’s infrastructure policies |
| CDN/edge logs (CloudFront) | Managed by AWS | Per AWS CloudFront log retention settings |
3. Account Deletion Process
When a user deletes their account (or an admin soft-deletes a user):
Immediate actions (Day 0):
- Account is soft-deleted (
deletedAttimestamp set,isActiveset to false). - All workspace member records are anonymized (display name set to “Former Member”, avatar removed).
- All active sessions are invalidated and deleted.
- User’s contact record is removed from the email provider (Loops).
Grace period (14 days):
- The user can sign back in during this period and cancel the deletion.
- On cancellation, the account is restored and member display names are recovered from the user’s profile.
Automated purge (after 14 days):
- User’s name is replaced with an encrypted “Deleted User” placeholder.
- Email is replaced with an encrypted
deleted-<uuid>@deleted.invalidaddress. - Email hash is updated to match the anonymous email.
- Profile image, display name, avatar URL, and phone number are set to null.
- All passkey credentials are deleted.
- All OAuth account links are deleted.
- All remaining sessions are deleted.
- The user record is permanently hard-deleted from the database.
- Foreign key cascades set
members.userIdto null, severing the link between the anonymized member shell and the deleted user.
Admin immediate erase: Administrators can bypass the grace period and immediately erase a user via the admin API, combining both phases in one step.
Content authored by deleted users (todos, comments) is not deleted, but the user’s identity is fully anonymized and attributed to “Former Member”. This preserves workspace integrity for other members.
4. Data Export (Portability)
Users may request an export of their personal data by contacting privacy@createtodo.com. Exports include:
- User profile data
- Todos and comments authored by the user
- Organization memberships
- AI chat history
Exports are provided in JSON format within 30 days of the request.
5. Exceptions
Data may be retained beyond the standard retention period when:
- Required by applicable law (e.g., tax retention requirements for payment records).
- Necessary for the establishment, exercise, or defense of legal claims.
- Subject to a valid legal hold or law enforcement request.
6. Review
This policy is reviewed at least annually and updated when new data categories are introduced or retention requirements change.
7. Contact
For data retention inquiries: privacy@createtodo.com