← Back to FAQ

Data Retention & Deletion Policy

This policy governs how long we keep user data, when we delete it, and what users can do themselves. It's the contract behind every promise on our landing page.

---

1. The promises

1. Your data is yours. Export anytime from Settings → Export my data. Full JSON bundle, everything we have.
2. Delete means delete. When you delete your account, we remove your data within 30 days across every system we control.
3. We don't sell or license it. Not to advertisers, not to recruiters, not to AI model trainers.
4. We keep what we need, for as long as we need it, for reasons we can name. No idle stockpiling.

2. What we store, and why

Category	Retention	Reason
User account (email, hashed password, tenant, plan)	While account active	Auth, billing, product functionality
Profiles (name, role focus, location)	While account active	User-authored; core to the product
Resumes (text + parsed sections)	While account active; 10 most recent versions	User-authored; tailoring history enables revert
Job queue + applications	While account active	The user's pipeline IS the product
Mail inbox + threads	Last 365 days	Storage + UX sanity; older threads prune
Cover letters	While account active	Re-use + history
Outbound mail attempt log	1000-entry rolling buffer	Deliverability debugging
Event log	5000-entry rolling buffer	Product analytics
Cap-hit log	2000-entry rolling buffer	Pricing signal
Audit log (privileged actions)	500-entry rolling buffer	Security / incident forensics
Bug reports	500-entry rolling buffer	Product feedback
Exit surveys	1000-entry rolling buffer	Churn analysis
Session tokens	7 days (30 min for impersonation)	Keep users logged in; limit blast radius
Stripe customer + subscription IDs	While active + 90 days after cancellation	Refund + billing dispute window
Scanner output (global job queue)	Rolling — old jobs prune when no user has them	Dedup across users

We do NOT store:

• Plaintext passwords (salted hashes only)
• Raw credit card data (Stripe holds those; we see only customerId + last-4)
• Unencrypted API keys from users' own integrations (server-only vault)
• Training data for third-party AI (Anthropic's API is zero-retention for our tier)

3. What "delete my account" actually does

When a user clicks Delete My Account and confirms with password:

Immediate (synchronous)

• The DELETE /api/account request handles all these in one transaction
• Username appended to the revoked-usernames list (prevents signup race)
• /opt/incognito/userdata/{userId}/ directory removed recursively
• User record removed from users.json
• All sessions for that user invalidated
• HTTP cookie cleared

Fire-and-forget (async)

• Exit survey saved (if submitted) — contains no identifiable info after deletion
• Event log entries retain userId as an opaque string; no name/email to re-link

External systems (we don't control)

• Stripe subscription: canceled at period end (user's choice). Stripe retains transaction history per their policy.
• LeafRelay SMTP: in-flight outbound continues; no inbound can resolve to the deleted user after deletion
• Anthropic / Serper API: zero-retention by contract

30-day guarantee: Lingering references in log files rotate out within 30 days via pm2-logrotate. Residual data after 30 days is a SEV-1 bug.

4. What "export my data" produces

Single JSON file, downloaded directly: incognito-export-{userId}-{YYYY-MM-DD}.json

{
  exportVersion: 1,
  generatedAt: "ISO timestamp",
  user: { id, email, username, name, role, plan, tenantId, profileId,
          activeProfileId, stripeCustomerId, createdAt, updatedAt,
          searchOptIn, searchOptInAt },
  profiles: [ ... ],
  resumes: [ ... ],     // full text + sections + keywords
  jobs: [ ... ],        // entire queue
  applications: [ ... ], // entire history
  mail: { inbox: [ ... ], preferences: { ... } },
  notifications: [ ... ],
  scanConfig: { ... }
}

Exports are generated on-demand. We don't cache them server-side. We don't keep a copy.

5. Tenant-level deletion (enterprise / white-label)

When a tenant relationship ends:

1. Superuser uses /api/super/tenants/{id} DELETE
2. All users reassigned to 'default' tenant; their data stays intact
3. Tenant's branding overrides cleared
4. If full data deletion is requested, a one-off script runs with Sara's sign-off within 30 days

6. Retention schedule

Ring-buffered files cap themselves by design. No cron needed. User-data directories rely on active account state — no time-based pruning. A user on parental leave shouldn't lose their pipeline.

Exception: If an email confirms the user is deceased or incapacitated, we preserve the account for next-of-kin access per GDPR Art. 17 and CCPA §1798.105, coordinated through Sara.

7. Request mechanisms

Right	How	SLA
Export	Settings → Export my data	Instant
Delete	Settings → Danger Zone → Delete My Account	< 5s (local) + 30d (logs)
Correct / update	In-app edit on profiles, resumes, applications	Instant
Restrict processing	Disable all scan-config queries + cancel subscription	Instant
Data portability	Same as Export (machine-readable JSON)	Instant
Object	Email support@useincognito.com	30 days

For rights requests that can't be self-served, response SLA is 30 calendar days per GDPR Art. 12(3).

8. Breach notification

1. Incident response playbook kicks in (SEV-0)
2. Within 72 hours of confirmed breach, Sara notifies affected users, GDPR supervisory authority if relevant, and Stripe if payment data is involved
3. Post-mortem published within 30 days, redacted for security-sensitive details

9. Third-party processors

Processor	Purpose	Data	Retention
Stripe	Payment processing	Email, name, card (direct to Stripe)	Per Stripe policy
Anthropic API	AI drafting	Resume + JD snippets	Zero-retention (API tier)
Serper API	Web search for scanner	Queries, role focus	Per Serper policy
LeafRelay SMTP	Mail delivery	Email headers + body (outbound)	Logs 7 days

Each processor is vetted annually against their DPA and security posture.

10. Changes to this policy

Material changes are announced via:

• Email to all active users 30 days before effective date
• In-app banner on login for 14 days after effective date
• Diff published to this page with commit history

Users who don't consent can export + delete within the notice window.