Data retention & deletion schedule
GDPR requires us to keep your data only as long as necessary for the purpose we collected it (Art. 5(1)(e)). This page is our exact retention timetable, by data class.
Effective 2026-04-30.
| Data class | Retained for | Reason | Earlier deletion? |
|---|---|---|---|
| Pending inline-form record (unverified email) | 30 days from creation | Magic-link expiry. Not yet a user account. | On request to DPO |
| Application drafts (preview & full text) | 30 days after last activity | You may need to re-download or edit. | Yes — delete from dashboard or DPO |
| Answers to wizard questions | 30 days after last activity | Lets you resume an interrupted application. | Yes |
| Uploaded images / PDFs (response letters) | 30 days from upload | OCR & reply drafting; deleted after. | Yes |
| Account record (email + sign-in metadata) | Until you delete your account | Lets you sign in and access prior drafts. | Yes — request via DPO |
| National ID, IBAN, sensitive special-category data | 30 days, encrypted at rest with per-row keys | Used only to fill the unlocked draft after payment. | Yes — immediate erasure on request |
| IP address, user-agent (security log) | 14 days | Abuse and brute-force detection. | Yes — but we may retain it in the event of an active investigation |
| Stripe payment records | 10 years | EU/Member-State accounting and tax law (overrides erasure under GDPR Art. 17(3)(b)). | No — legally required |
| Email-delivery audit logs | 30 days | Bounce / failure debugging. | Yes |
| DPO request records | 5 years from request | Demonstrate compliance with Art. 5(2) accountability. | No — keeps Buronia accountable to your rights |
How auto-deletion works in practice
A nightly job (scripts/cleanup_old_uploads.py) scans every retention class and erases records past their cutoff. The job logs what it deleted (counts, not contents) for audit. Any deletion request you make is processed within 24 hours and doesn't wait for the nightly job.
Backups
We keep encrypted off-site backups for 14 days for disaster recovery. When you request erasure of live data, your record is flagged so it's also dropped from any backup we restore from. In the worst case, where we restore from a 14-day-old backup, your erased data is re-deleted within 24 hours of the restore via the same flag.
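The sweep and the post-restore replay of erasure flags described in the two sections above can be sketched as follows. This is an added example, not the contents of scripts/cleanup_old_uploads.py: the class keys, record layout, `sweep` function and sample rows are assumptions, and only the retention windows come from the table.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Windows copied from the table above; the class keys and the record layout
# are assumptions made for this example. Each entry: (window, clock field).
RETENTION = {
    "pending_form":  (timedelta(days=30), "created"),
    "draft":         (timedelta(days=30), "last_activity"),
    "wizard_answer": (timedelta(days=30), "last_activity"),
    "upload":        (timedelta(days=30), "created"),
    "security_log":  (timedelta(days=14), "created"),
}

def sweep(records, now, erased_owners=frozenset()):
    """Return (kept, counts); counts tallies class and reason only, no contents."""
    kept, counts = [], Counter()
    for rec in records:
        window, clock = RETENTION[rec["cls"]]
        if rec.get("hold"):                    # active investigation: retain
            kept.append(rec)
        elif rec["owner"] in erased_owners:    # erasure flag, replayed after a restore
            counts[(rec["cls"], "erasure")] += 1
        elif now - rec[clock] > window:        # past the class cutoff
            counts[(rec["cls"], "expired")] += 1
        else:
            kept.append(rec)
    return kept, counts

NOW = datetime(2026, 5, 1, tzinfo=timezone.utc)   # constructed sample clock

def days_ago(n):
    return NOW - timedelta(days=n)

# Constructed sample rows standing in for a backup that was just restored.
RESTORED = [
    {"cls": "draft", "owner": "a@example.com", "created": days_ago(90), "last_activity": days_ago(3)},
    {"cls": "draft", "owner": "b@example.com", "created": days_ago(45), "last_activity": days_ago(40)},
    {"cls": "upload", "owner": "c@example.com", "created": days_ago(10)},
    {"cls": "security_log", "owner": "c@example.com", "created": days_ago(20), "hold": True},
    {"cls": "security_log", "owner": "a@example.com", "created": days_ago(15)},
]
ERASED = frozenset({"c@example.com"})   # erasure flags kept outside the backup

if __name__ == "__main__":
    kept, counts = sweep(RESTORED, NOW, ERASED)
    for (cls, reason), n in sorted(counts.items()):
        print(f"deleted {n} {cls} ({reason})")   # audit line: counts, not contents
```

The erasure flags have to live outside the backup set being restored, otherwise a restore would roll the flags back together with the data they are meant to remove.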
Requesting earlier deletion
Email dpo@buronia.com with "Erasure request" and the email you signed up with. We acknowledge within 72 hours and complete erasure within 30 days (Art. 12(3)).