Data Retention Policy

Last updated: June 28, 2026

This document maps every piece of personally identifiable information (PII) the platform stores to its purpose, lawful basis, and retention window. It satisfies the GDPR documentation obligation (Art. 5(1)(e) — storage limitation) and accompanies our Privacy Policy.

1. Data Categories & Retention Windows

| Data | Table(s) | PII fields | Purpose | Lawful basis | Retention window |
|---|---|---|---|---|---|
| Business owner account | profiles, businesses | email, name, phone, business details | Platform account management | Contract | Until account deletion + 30 days |
| Customer bookings | bookings | customer_name, customer_email, customer_phone, notes | Appointment record; owner operational need | Legitimate interest | 24 months from appointment date, then anonymised |
| Chat conversations | conversations | customer_email | Session linking | Legitimate interest | 12 months from last message |
| Chat messages | messages | Full chat transcript text | AI context; owner insight | Legitimate interest | 12 months from creation (deleted with conversation) |
| OTP verification codes | customer_otps | email, token_hash | One-time booking verification | Legitimate interest | 24 hours from creation |
| Customer lookup | customers | email, name, phone | CRM aggregation view | Legitimate interest | Derived from bookings; purged when all related bookings are anonymised |
| Payments | payments | Stripe payment intent IDs | Financial record | Legal obligation | 7 years (statutory accounting requirement) |
| Knowledge base | knowledge_base_documents, knowledge_base_chunks | None (owner-uploaded business content) | RAG context for AI | Contract | Until owner deletes |
| Uploaded files | Supabase Storage knowledge-base bucket | None | Document source | Contract | Until owner deletes |

2. Automated Purge Schedule

A retention purge cron enforces these windows automatically on a daily schedule. The purge rules are:

  • OTP verification codes are deleted 24 hours after creation.
  • Chat messages and conversations are deleted 12 months after creation; a conversation is removed once it has no remaining messages.
  • Bookings older than 24 months (and no longer pending) are anonymised — customer name, email, phone, and notes are erased while the appointment record is preserved.

3. Right to Erasure (GDPR Art. 17)

Business owners can erase a specific customer's data on request from the dashboard Customers page → customer detail panel → "Erase customer data". This:

  • Hard-deletes all conversations and messages for that email and business
  • Hard-deletes all OTP codes for that email
  • Anonymises all bookings (PII fields set to a redacted placeholder)
  • Removes the customer lookup row

The action is access-controlled (owner only), audit-logged (a non-PII hash of the email and business ID), and applied immediately without waiting for the automated purge schedule.
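The purge rules in section 2 and the per-customer erasure in section 3 operate on the same tables, so the following added example (not the platform's own code) models both against an in-memory SQLite database. Table and column names that the policy lists (customer_otps, conversations, messages, bookings, customers, customer_name, customer_email, customer_phone, notes, token_hash) are taken from it; the columns created_at, appointment_at, status, conversation_id and content, the erasure_audit table, the "[redacted]" placeholder value, the 365/730-day approximation of 12/24 months, and the sample rows are assumptions constructed for the example. Owner-only authorisation is assumed to be enforced by the caller.

```python
"""Retention purge (section 2) and right-to-erasure (section 3), as an added example."""
import hashlib
import sqlite3
from datetime import datetime, timedelta, timezone

REDACTED = "[redacted]"  # assumed placeholder; the policy only says "a redacted placeholder"
NOW = datetime(2026, 6, 28, 12, 0, tzinfo=timezone.utc)  # constructed "current time" for the demo

# Column names not listed in the policy (created_at, appointment_at, status, ...) are assumptions.
SCHEMA = """
CREATE TABLE customer_otps (id INTEGER PRIMARY KEY, email TEXT, token_hash TEXT, created_at TEXT);
CREATE TABLE conversations (id INTEGER PRIMARY KEY, business_id INTEGER, customer_email TEXT);
CREATE TABLE messages (id INTEGER PRIMARY KEY, conversation_id INTEGER, content TEXT, created_at TEXT);
CREATE TABLE bookings (id INTEGER PRIMARY KEY, business_id INTEGER, customer_name TEXT,
    customer_email TEXT, customer_phone TEXT, notes TEXT, status TEXT, appointment_at TEXT);
CREATE TABLE customers (id INTEGER PRIMARY KEY, business_id INTEGER, email TEXT, name TEXT, phone TEXT);
CREATE TABLE erasure_audit (id INTEGER PRIMARY KEY, subject_hash TEXT, erased_at TEXT);
"""

def iso(dt: datetime) -> str:
    """Fixed-width UTC timestamps, so string comparison in SQL equals time comparison."""
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")

def build_demo_db(now: datetime) -> sqlite3.Connection:
    """Constructed sample data: one row on each side of every retention boundary."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    ago = lambda **kw: iso(now - timedelta(**kw))
    conn.executemany("INSERT INTO customer_otps VALUES (?,?,?,?)", [
        (1, "bob@example.com", "hash-b", ago(hours=1)),     # fresh, kept by the purge
        (2, "alice@example.com", "hash-a", ago(hours=30)),  # older than 24 h, purged
    ])
    conn.executemany("INSERT INTO conversations VALUES (?,?,?)",
                     [(1, 1, "alice@example.com"), (2, 1, "bob@example.com")])
    conn.executemany("INSERT INTO messages VALUES (?,?,?,?)", [
        (1, 1, "old transcript", ago(days=400)),   # older than 12 months: purged with its conversation
        (2, 2, "recent transcript", ago(days=1)),  # kept
    ])
    conn.executemany("INSERT INTO bookings VALUES (?,?,?,?,?,?,?,?)", [
        (1, 1, "Alice", "alice@example.com", "+1000", "allergy note", "completed", ago(days=900)),
        (2, 1, "Bob", "bob@example.com", "+2000", "", "completed", ago(days=30)),
        (3, 1, "Carol", "carol@example.com", "+3000", "", "pending", ago(days=900)),  # old but still pending
    ])
    conn.executemany("INSERT INTO customers VALUES (?,?,?,?,?)", [
        (1, 1, "alice@example.com", "Alice", "+1000"),
        (2, 1, "bob@example.com", "Bob", "+2000"),
        (3, 1, "carol@example.com", "Carol", "+3000"),
    ])
    conn.commit()
    return conn

ANONYMISE = "UPDATE bookings SET customer_name=?, customer_email=?, customer_phone=?, notes=? "

def purge(conn: sqlite3.Connection, now: datetime) -> dict:
    """Daily purge from section 2; 12/24 months approximated as 365/730 days (assumption)."""
    counts = {}
    counts["otps_deleted"] = conn.execute(
        "DELETE FROM customer_otps WHERE created_at < ?", (iso(now - timedelta(hours=24)),)).rowcount
    counts["messages_deleted"] = conn.execute(
        "DELETE FROM messages WHERE created_at < ?", (iso(now - timedelta(days=365)),)).rowcount
    # A conversation is removed once it has no remaining messages.
    counts["conversations_deleted"] = conn.execute(
        "DELETE FROM conversations WHERE id NOT IN (SELECT conversation_id FROM messages)").rowcount
    # Anonymise, never delete, the appointment record; skip pending and already-redacted rows.
    counts["bookings_anonymised"] = conn.execute(
        ANONYMISE + "WHERE appointment_at < ? AND status <> 'pending' AND customer_email <> ?",
        (REDACTED,) * 4 + (iso(now - timedelta(days=730)), REDACTED)).rowcount
    # Customer lookup rows are derived from bookings: drop them once no live booking remains.
    counts["customers_purged"] = conn.execute(
        "DELETE FROM customers WHERE NOT EXISTS (SELECT 1 FROM bookings b "
        "WHERE b.business_id = customers.business_id AND b.customer_email = customers.email)").rowcount
    conn.commit()
    return counts

def audit_hash(business_id: int, email: str) -> str:
    """Non-PII audit key: a hash of business ID and email, so the log never stores the address."""
    return hashlib.sha256(f"{business_id}:{email.lower()}".encode()).hexdigest()

def erase_customer(conn: sqlite3.Connection, business_id: int, email: str, now: datetime) -> dict:
    """Section 3 erasure for one customer of one business; the caller must enforce owner-only access."""
    counts = {}
    counts["messages_deleted"] = conn.execute(
        "DELETE FROM messages WHERE conversation_id IN "
        "(SELECT id FROM conversations WHERE business_id=? AND customer_email=?)", (business_id, email)).rowcount
    counts["conversations_deleted"] = conn.execute(
        "DELETE FROM conversations WHERE business_id=? AND customer_email=?", (business_id, email)).rowcount
    counts["otps_deleted"] = conn.execute("DELETE FROM customer_otps WHERE email=?", (email,)).rowcount
    counts["bookings_anonymised"] = conn.execute(
        ANONYMISE + "WHERE business_id=? AND customer_email=?", (REDACTED,) * 4 + (business_id, email)).rowcount
    counts["customers_removed"] = conn.execute(
        "DELETE FROM customers WHERE business_id=? AND email=?", (business_id, email)).rowcount
    conn.execute("INSERT INTO erasure_audit (subject_hash, erased_at) VALUES (?, ?)",
                 (audit_hash(business_id, email), iso(now)))
    conn.commit()
    return counts

if __name__ == "__main__":
    db = build_demo_db(NOW)
    print("purge:", purge(db, NOW))
    print("erase:", erase_customer(db, 1, "bob@example.com", NOW))
```

Running the purge a second time changes nothing, which is the property a daily cron needs: the `customer_email <> ?` guard keeps already-anonymised bookings from being counted again, and the customers clean-up only fires once every booking for that address has been redacted.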

4. Right of Access (GDPR Art. 15)

Data subjects may request a copy of their data by contacting the business owner directly; the owner can retrieve booking and conversation data from the Customers dashboard. A self-service export flow is planned.

5. Data Processors

| Processor | Purpose | Region | DPA |
|---|---|---|---|
| Supabase | Database, auth, file storage | EU (Frankfurt) | Supabase DPA |
| OpenAI | AI chat, intent classification, embeddings | US | OpenAI DPA |
| Resend | Transactional email | US | Resend DPA |
| Vercel | Hosting, serverless functions | Edge (global) | Vercel DPA |
| Stripe | Payment processing | US/EU | Stripe DPA |
| Upstash | Redis rate limiting | EU | Upstash DPA |
| Lemon Squeezy | Platform subscription billing (MoR) | US | LS Privacy |

6. Changes to This Policy

This document is updated whenever:

  • A new table or data category is added to the schema
  • A retention window is changed
  • A new data processor is onboarded