This page describes how long we retain different categories of data, why, and how data is removed when retention expires. It supplements Section 7 of our Privacy Policy, which has a high-level summary.
We are honest about what's automated versus what requires manual operation today. As the service grows, we will automate more enforcement; this page will be updated when that happens.
User-deletable data — kept while you use the service, removed shortly after you delete it.
| Category | What it includes | Retention | Basis | Deletion mechanism |
|---|---|---|---|---|
| Account profile | Name, email, profile fields, settings | While account is active; 30 days after account deletion | Service provision; legal retention obligations | Manual quarterly sweep (see Section 8) |
| Workspace settings | Workspace name, mailboxes, automations, send templates, document sources | While workspace exists; 30 days after workspace or account deletion | Service provision | Manual quarterly sweep |
| Cases + documents | All case data, file uploads, extracted values, activity timeline | While the case exists; 30 days after case, workspace, or account deletion | Service provision | Manual quarterly sweep |
| Email body capture | Body text from automation-ingested emails (only when explicitly enabled per automation) | Until the case is deleted | User opt-in per automation | Auto-cleanup on case delete |
Records we must retain regardless of user request, to demonstrate compliance and meet legal obligations.
| Category | What it includes | Retention | Basis | Deletion mechanism |
|---|---|---|---|---|
| Sensitive-data audit log | Read, write, and decryption events for sensitive fields (timestamp, actor, IP, user agent, field key) | 7 years | Statute of limitations on privacy claims | Not currently auto-pruned (volume low; will revisit) |
| Legal acceptance records | Terms of Service, Privacy Policy, Cookie Policy, and DPA acceptance events with signer info, IP, timestamp | 7 years | Demonstrating contract formation in disputes | Not currently auto-pruned |
| Billing records | Subscription state, invoices, payment events, plan history | 7 years | Tax and accounting obligations; fraud prevention | Stripe retains independently; we mirror what we need |
| Stripe webhook event log | Idempotency dedup records to prevent duplicate event processing | 90 days | Webhook deduplication; debugging | Not currently auto-pruned (small volume) |
Tokens and identifiers used to keep you signed in and authorize integrations.
| Category | What it includes | Retention | Basis | Deletion mechanism |
|---|---|---|---|---|
| Session cookies (__session) | Firebase Auth session cookie | 14 days | Authentication user experience | Auto-expires |
| OAuth tokens (Drive, Gmail, Calendar) | Encrypted access and refresh tokens for user-granted integrations | While the connection is active; deleted on revoke or account deletion | Required for the OAuth-gated feature | Auto-clear on revoke; manual cascade on account delete |
| Cookie consent (_legal_consent) | Your cookie banner choice (necessary, analytics, marketing) | 1 year | Demonstrating consent | Auto-expires; user can update at any time at /legal/preferences |
Data sent to Google's Gemini API for document extraction and template fill features.
| Category | What it includes | Retention | Basis | Deletion mechanism |
|---|---|---|---|---|
| Gemini API requests | Prompts (PDF text, image data, case data) and extracted values, sent to Google | Not retained beyond the request lifecycle by Google. Document Blueprint does not store separate copies of prompts. | Per Google's published Gemini API terms | N/A (no retention) |
Logs maintained by Google Cloud for operational debugging. Document Blueprint does not store separate application-level logs of user activity.
| Category | What it includes | Retention | Basis | Deletion mechanism |
|---|---|---|---|---|
| Cloud Logging (Firebase + Cloud Functions) | Server-side request logs, error logs | 30 days (Google default) | Operational debugging | Auto-prune by Google Cloud |
| Firebase Auth audit logs | Login events, account creation events | 30 days | Operational debugging; fraud detection | Auto-prune by Google |
| reCAPTCHA Enterprise risk scores | Per-request bot-detection scores | Not retained by us beyond the verification request | Bot detection on public endpoints | N/A (Google manages on their side) |
Records of emails sent or received in connection with the service.
| Category | What it includes | Retention | Basis | Deletion mechanism |
|---|---|---|---|---|
| SendGrid transactional email logs | Delivery and bounce records for invitations, billing notices | 30 days (SendGrid default) | Deliverability debugging | Auto-prune by SendGrid |
| privacy@ inbox + support email | DSR requests, privacy inquiries, support threads | Until resolution + 3 years (statute of limitations on privacy claims) | DSR compliance and audit trail | Manual (per DSR runbook) |
Disaster-recovery snapshots maintained by our cloud infrastructure.
| Category | What it includes | Retention | Basis | Deletion mechanism |
|---|---|---|---|---|
| Firestore Point-in-Time Recovery | Snapshots of all Firestore data | 7 days (Firestore default) | Disaster recovery | Auto-managed by Google |
| Cloud Storage object versions | Older versions of uploaded files (retained briefly so deletions can be undone in error scenarios) | 30 days (configured via lifecycle rule) | Disaster recovery; user-deletion grace period | Auto-prune via lifecycle rules |
| Manual exports | Ad-hoc backups (none currently scheduled) | N/A | N/A | N/A |
We are honest about which retention windows are auto-enforced and which require manual operation today:
We will revisit auto-enforcement as data volume grows. Until then, the quarterly sweep is the steady-state mechanism.
We may update this retention schedule from time to time. We will provide at least 30 days' written notice — by email or by updating this page — before changing a retention period in a way that materially affects how long your data is kept.
For privacy or retention questions: privacy@documentblueprint.com.