> ## Documentation Index
> Fetch the complete documentation index at: https://docs.botbrains.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Data Retention Policy

> Data Retention Policy defines how long we keep each category of data and how we securely delete it

export const PolicyVersion = ({version, effective}) => <p><strong>Version {version}</strong> · Effective {effective}. Change history is tracked in version control.</p>;

The Data Retention Policy is the canonical record of how long botBrains keeps each category of data and how we securely delete it when it's no longer needed. botBrains retains data only as long as there is a business, contractual, or legal need, then disposes of it securely.

<Warning>
  botBrains is **not yet ISO 27001 certified**. We are preparing our ISMS and writing these policies as part of pursuing certification, and we fully intend to get our controls attested.
</Warning>

<PolicyVersion version="1.0" effective="July 1, 2026" />

## Scope

This policy applies to all data botBrains holds, across the EU production environment, backups, and operational tooling. The [Data Classification Policy](/trust/policies/data-classification-policy) classifies data; this policy governs how long botBrains keeps each class.

## Customer control

Customers control retention and deletion of their own conversation and personal data directly in the platform. They can search, [export](/concepts/data-export), and delete this data at any time. botBrains, as the processor, acts on the customer's instructions under the [Data Processing Agreement](/data-processing-agreement).

## Deletion on contract end

When a contract ends, botBrains deletes the customer's Customer Data from the production environment within 90 days of contract termination and doesn't start new processing. Deleted data ages out of backups. botBrains retains only what applicable law requires it to keep, for the period the law requires.

## Retention matrix

| Data category                                                                       | Store                                            | Retention                                                                                                                                                                                       |
| ----------------------------------------------------------------------------------- | ------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Customer Data (conversations, end-user personal data, uploads)                      | AWS managed database and object storage, Germany | While the contract is active or until the customer deletes it. botBrains deletes it within 90 days of contract termination                                                                      |
| Account and billing data                                                            | AWS production environment                       | Duration of the customer relationship, plus statutory retention required under German commercial and tax law                                                                                    |
| Database backups (PITR and write-ahead logs)                                        | AWS, Germany, replicated to Ireland              | 30 day recovery window, after which older points expire automatically                                                                                                                           |
| AI interaction traces (model inputs and outputs)                                    | Langfuse, EU                                     | Retained for the operational lifetime of the trace store pending a defined maximum under review. botBrains hasn't yet set a shorter contractual cap and is reviewing this for data minimization |
| Application logs, metrics, and alerts                                               | Better Stack, EU                                 | 30 days, then deleted                                                                                                                                                                           |
| Error tracking events                                                               | Sentry, EU                                       | 90 days                                                                                                                                                                                         |
| Product analytics                                                                   | PostHog                                          | 7 years                                                                                                                                                                                         |
| Security and audit records (incident log, access reviews, and similar ISMS records) | botBrains ISMS tooling, EU                       | Minimum 10 years, aligned with German commercial and tax retention (§257 HGB / §147 AO)                                                                                                         |
| Vulnerability finding records                                                       | botBrains ISMS tooling, EU                       | 5 years                                                                                                                                                                                         |

The [Subprocessors](/trust/subprocessors) page lists subprocessors and their data locations.

## Secure deletion

Deletion uses logical erasure from the production database and object storage, after which the data ages out of backups as the recovery window rotates. botBrains stores Customer Data only in EU cloud services, not on endpoints, so there are no local drives or removable media to wipe. The [Asset Management Policy](/trust/policies/asset-management-policy) covers endpoint disposal; full-disk encryption renders data on a decommissioned, encrypted laptop unrecoverable once botBrains destroys the keys.

## Legal holds

If botBrains becomes subject to a legal hold or a statutory retention obligation, it preserves the affected data for the required period, exempt from the schedule above until the obligation ends.

## ISO 27001 mapping

This policy supports Annex A 5.33 (protection of records), 5.34 (privacy and protection of personal identifiable information), and 8.10 (information deletion).

## Review

The CISO owns this policy and reviews it at least annually and on any material change.
