← Ataski · Trust & security · DPA · Subprocessors

This is the canonical English version. Native translations for DE / ES / FR / PT / RU are pending counsel sign-off.

Data Retention Policy

Last updated: 2026-05-12 Status: Draft for legal review.

Scope

Applies to all Customer Data and any third-party-sourced data (firmographic, contact PII, public records) processed by Ataski roles.

Retention periods

Data class	Retention	Trigger
Customer Data (CRM, outreach history, drafts)	While customer subscription active + 30 days post-offboarding	Subscription end
Contact PII (recipient name, email, title) — per-tenant RLS	Same as parent customer	Subscription end
Firmographic cache (non-PII, cross-tenant)	30 days from last access	Inactivity
MCP call log (audit, RLS-scoped)	24 months	Time-based
Audit log (system-wide)	24 months	Time-based
Outreach send history (per-tenant)	24 months	Time-based
Suppress list (per-tenant)	Indefinite (legal obligation under CAN-SPAM + CCPA)	Never auto-purge
Right-to-delete request log	7 years (regulatory evidence)	Time-based
Contract extraction records (Contract Intelligence role) — extracted fields, evidence anchors, model version metadata (worker + supervisor model identifiers, internal prompt/schema/classifier versioning), and the detected personal-data category set	Same as parent customer (auto-deleted 30 days after offboarding)	Subscription end

Deletion mechanisms

Customer offboarding (30-day window)

When a customer subscription is cancelled or expires:

Day 0: Subscription ends. Tenant marked offboarding_started_at. Tenant data remains accessible for export via /api/export for 30 days.
Day 7: Reminder email to admin: "30 days until permanent deletion."
Day 23: Final reminder.
Day 30: Automated deletion runs (scheduled_jobs/deletion_sweep.py, already in production per pre_release_blockers.md): - All tenant_id == X rows deleted from every RLS-scoped table - Suppress list retained (legal obligation under CAN-SPAM + CCPA) - Firmographic cache rows referenced only by this tenant: deleted; rows shared with other tenants: retained - MCP call log + audit log: retained 24 months for regulatory compliance, then purged

/api/privacy/optout and /api/ccpa-delete (per ADR-0038, see also ai-disclosure-statement.md):

Request received → right_to_delete_request row created
Within 45 days (CCPA) / 30 days (GDPR): - All PII matching the request identifier purged from tenant scope - Suppress list entry added to prevent re-contact (legal obligation) - Confirmation email sent to requestor - Request log retained 7 years

Vendor cache propagation

Every external MCP source that caches data on our behalf has a deletion contract: - BrightData: handled by their own GDPR/CCPA controls (vendor responsibility per their DPA) - Apify: actor results stored in our DB only, deleted with tenant - ZeroBounce: no PII retained (verification result is yes/no/catchall, no contact records) - Custom MCP caches (firmographic, email-pattern shapes): purged on tenant offboarding sweep when last-referencing tenant is the deleted one

Triggers to update this document

New data class added to a role → add row above
Regulatory change (state Delete Act, new GDPR guidance) → adjust periods
Subprocessor with different retention policy added → reconcile with subprocessor's posture in subprocessors.md
Deletion sweep job changes (e.g., interval, scope) → update timeline in this doc