Data retention
We keep data only as long as it's useful to you or required by law. Most categories can be deleted on-demand from the app. The schedule below is the default — your organisation can tighten any customer-configurable category from Settings → Security & Privacy.
| Category | Retention | Trigger |
|---|---|---|
| Account & profile | Until account deletion + 30 day grace period | User clicks Delete account in Settings → Security A 30-day reminder email is sent before final purge so accidental deletions can be recovered. |
| CRM records (companies, contacts, deals, notes, tasks) | Until customer deletes them OR until account deletion | Per-record delete or account deletion Soft-deleted records are kept for 7 days then hard-deleted. |
| Email messages (Gmail / Microsoft sync) | Per customer setting — default unlimited, configurable 30/90/365 days | Daily retention cron |
| Meeting transcripts (raw text) | Per customer setting — default keep forever, configurable 30/60/90/180/365 days | Nightly transcript-retention cron AI extractions (summary, action items) are kept independently of raw text. |
| AI extraction outputs | Same as the parent CRM record | CRM record deletion |
| Audit log | 24 months | Monthly purge of entries older than 24 months Kept for forensic and compliance purposes; never deleted by user action. |
| Billing records (invoices, payment history) | 10 years | Legal requirement (Belgian commercial law) Stored by Stripe; we only retain Stripe customer IDs and invoice references. |
| Server logs | 30 days | Vercel platform retention policy |
| Webhook event log (stripe_events, webhook_events) | 180 days | Monthly purge Used for replay during incidents; retained for idempotency. |
| Backup snapshots | 30 days (daily PITR) | Supabase platform rotation Required for disaster recovery; deletion requests are honoured by re-running deletions after restore. |
Need a custom retention period for an enterprise contract? Email dpo@michiplatform.com.