Data retention policy
Last updated: June 2026 · How long re.fer keeps each category of data.
Short retention is part of how re.fer protects customer trust. We keep what we need to run the service and surface useful insights, no longer. Where a customer wants a shorter window, the workspace setting controls it.
| Category | Retention | Detail |
|---|---|---|
| Audit log | 90 days | The customer-facing audit log keeps sensitive actions (member added, role changed, connector connected or revoked, export requested, deletion requested) for 90 days, then auto-deletes. Owners can export the log at any time before that. |
| Insight rows | Term of subscription | Computed insight rows (network shape, overload signals, team coupling) are kept for the duration of the customer’s subscription so Rehoboam can compare across reads. They are deleted on account closure as part of the 30-day grace described below. |
| Collaboration metadata | Org-configurable, default 180 days | Raw collaboration metadata in interaction_event and interaction_edge is retained per the workspace-level retention_days setting. The default is 180 days. Owners can lower it (down to 30 days) or raise it (up to 365 days). When the window passes, raw rows are deleted by a nightly job; the derived insight rows remain. |
| AI call telemetry | 365 days | The ai_call_log table records model, provider, token count, and cost for each LLM call. It is retained for 365 days for cost analysis and capacity planning. It does not store the prompt or completion body. |
| Waitlist entries | Until promoted or opted out | Waitlist email addresses are kept until the address is invited into a workspace or the person opts out. Opt-outs trigger immediate deletion. |
| Backups | 7 days (14 days on Enterprise) | Supabase point-in-time recovery covers the last 7 days of the production project by default, extended to 14 days for Enterprise customers on request. Backups inherit AES-256 at rest. |
Account deletion
Deletion is a four-step path. The export step is always available before the request, and the grace period gives the owner a safe window to reverse course.
Step 1 · Export
Owners can export the workspace at any time. The export covers members, settings, insight rows, the 90-day audit log, and the raw collaboration metadata still within the retention window.
Step 2 · Request deletion
An owner can request deletion from the workspace settings, or by emailing privacy@userefer.app from a verified owner address. The request is acknowledged within 1 business day and recorded in the audit log.
Step 3 · Grace period
A 30-day grace period begins. During this window the workspace is suspended (no sign-in, no new reads) but the data is recoverable on owner request. This window is intended to catch mistaken or coerced deletion requests.
Step 4 · Permanent deletion
After the grace period, primary storage is purged. Backup copies are overwritten on the normal backup rotation, with the last residual copy gone within the backup window described above. A deletion certificate is sent to the requesting owner.