Data retention

Version 1.0 · Last updated 2026-05-09. App version 0.4.0.

Defaults below; the workspace admin may shorten them. Product-honest, not legal advice. Must be reviewed by counsel before commercial sale.

Default retention windows

Data	Retention	Where
User account, password hash	Until the workspace admin deletes the account	auth.sqlite3
Sessions	14 days, or until logout / password change / deactivation	auth.sqlite3
Companies, discovered jobs, scan history	Until the user deletes the company or exports + clears	company_discovery.sqlite3
Imported jobs, AI briefs	Until the user deletes them or the company is removed	company_discovery.sqlite3
Invitation / password-reset tokens	48 hours (invitations) or 1 hour (resets); single-use	tokens.sqlite3
Per-user usage counters	Per-day rows; rows older than 90 days are pruned by the operator	quotas.sqlite3
Admin audit log	Append-only; rotated by the operator (see deployment docs)	data/admin_audit.log
Email outbox (dev only)	Append-only; rotated by the operator	data/email_outbox.log
Backups	Operator-defined retention (default in shipped script: 30 days local)	./backups

What never gets stored

Raw AI provider keys.
Session-only API keys typed into the UI; sent once, then discarded.
Restricted-platform pages (LinkedIn, XING, StepStone, Indeed) — these are blocked at fetch time.

Deletion requests

You can request account deletion from Settings → Privacy → Request deletion; an admin confirms and runs Admin → Tester accounts → Delete. The delete cascade removes companies, scans, discovered + imported jobs, saved searches, support tickets, analytics events, AI provider preferences, and active sessions. Backup tarballs are pruned per the configured retention.

Before deletion, an admin can archive your data by calling GET /api/admin/users/<id>/export. The response is the same JSON shape as Settings → Backup & restore → Export backup, scoped to the target account. The action is recorded in the admin audit log as export_user_data.