Data retention & deletion policy

Last updated: May 23, 2026. Effective: June 23, 2026.

How long we keep each category of data, how deletion actually works inside the system, and the instant-delete option for users who want everything gone now.

1. Principles

  • The user decides. You decide what to ingest, what to keep, and when to delete.
  • Minimum necessary. We keep data for as long as we need to provide the Service to you, plus the minimum needed to comply with law and to defend legal claims.
  • Plain commitments. We commit to specific time windows, not vague language like "as long as necessary." Where the law sets a window, we say what window.
  • One-click delete. Account deletion is always available without writing to support; instant deletion is one extra click and a typed attestation.
  • Backup expiry is real. Deleting from the live system is the first step; backups expire on a published schedule. We do not lie about that.

2. Retention schedule

Default retention while your account is active. Per-record windows can be tightened in Settings → Privacy & data → Retention.

| Category | Active | After standard delete | After instant delete | Legal minimum |
|---|---|---|---|---|
| Account profile | Active life | ≤24h primary; ≤30d backup | Immediate; ≤7d backup | None |
| Billing records (Stripe) | Active life | 7 years | 7 years (legally required) | 7 years (tax) |
| Connector-source data | Active life; per-Connector cap if set | ≤24h primary; ≤30d backup | Immediate; ≤7d backup | None |
| Derived records (AI summaries, tags, links) | Active life | ≤24h primary; ≤30d backup | Immediate; ≤7d backup | None |
| Vector embeddings (Pinecone) | Active life | Namespace dropped ≤24h | Namespace dropped immediately | None |
| Uploaded files (Cloud Storage) | Active life | Deleted ≤24h; versions ≤30d | Deleted immediately; versions ≤7d | None |
| OAuth tokens | Active life | Revoked ≤24h | Revoked immediately | None |
| AI provider prompt caches | ≤1h TTL (provider-managed) | Expires ≤1h | Expires ≤1h | Provider-managed |
| Server access & security logs | 90d hot; 1y cold (PII-scrubbed) | Pseudonymized at 90d | Pseudonymized at 90d | Incident investigation |
| Audit log of data access | Active life | 7 years | 7 years (legally required) | 7 years (security, SOC 2) |
| Deletion tombstone | n/a | 7 years | 7 years | Proof of deletion |
| Support tickets | Active life | 2 years from last contact | Anonymized ≤30d | Defense of legal claims |
| Aggregated / de-identified stats | Indefinitely | Indefinitely | Indefinitely | n/a |

3. Free-plan rolling cap

Free-plan users have a rolling 90-day history cap on Connector-source data: records older than 90 days are deleted on a rolling basis once the cap is enforced. Until enforced, retention follows the active-account policy.

4. How deletion works

Deletion is a coordinated fan-out across our systems and the systems we depend on. Every deletion path follows the same pipeline:

  1. Mark. The record is marked for deletion in the live database and removed from indexes (so it stops appearing in search, chat, and exports immediately).
  2. Purge primary store. Postgres rows are hard-deleted (not soft-flagged). Cloud Storage objects are deleted. Pinecone vectors and namespaces are dropped.
  3. Revoke tokens. Any OAuth or API token tied to the deleted scope is revoked at the provider. Plaid items are removed.
  4. Notify subprocessors. Where the contract supports it, we send a deletion instruction (e.g., Stripe customer purge; ESP suppression-list confirmation).
  5. Expire backups. Daily database snapshots and Cloud Storage object versions containing the deleted data age out on the schedule above.
  6. Write tombstone. We write a signed, immutable deletion record. This is the one thing that survives — to prove the deletion happened.
  7. Confirm. We email you when each stage completes.

5. Standard account deletion

  • Go to Settings → Account → Delete account.
  • You're offered the option to download a full export first (JSON + original files).
  • You confirm with your password and MFA.
  • Primary purge completes within 24 hours; backup expiry within 30 days.
  • You receive an email at each milestone.
  • Reversible only during a 5-minute cancel window immediately after submission.

6. Disconnecting a Connector

  • Disconnecting a Connector stops further reads.
  • You choose at disconnect time whether to also purge data already ingested from that Connector.
  • The token is revoked at the provider in the same step.

7. Deleting individual records

  • Any record can be deleted from the records browser.
  • Deletion removes the record and any derived records (summaries, tags, embeddings) generated solely from it.
  • Backup expiry follows the standard 30-day schedule.

8. Instant deletion

The standard path keeps a 30-day backup window because that's how cloud backups work — they age out over time. For users who want everything gone now, even at the cost of any ability to recover, we offer an instant deletion path.

What it does

  • Begins primary purge immediately on confirmation, not within 24 hours.
  • Marks all your Cloud Storage prefixes for expedited backup expiry (≤7 days instead of 30).
  • Drops your Pinecone namespace immediately.
  • Revokes every OAuth and Connector token immediately.
  • Sends deletion instructions to subprocessors that accept them.
  • Writes the tombstone and emails you when each stage completes.

What it requires

  • MFA reauthentication immediately before submission.
  • Typing the following sentence verbatim: "I understand all of my data will be unrecoverable if you proceed with this option."
  • A 5-minute cancel window after submission (the only undo). After 5 minutes, the path is irreversible.

What it does not change

  • Billing records (legally required 7 years).
  • Audit log entries about the deletion itself.
  • Subprocessor backups outside our direct control.
  • Active legal holds.

What you give up

  • The ability to recover anything. We will not, and after the cancel window we cannot, restore your account or its data.
  • If you later realize you needed a record (tax audit, lawsuit), we cannot help.
  • Copies you shared with others (CPA, attorney, household member) survive outside Lossless.

Standard deletion is enough for almost everyone. Choose instant deletion only if you specifically need the data gone now.

9. Legal holds

If a court order, subpoena, regulatory inquiry, or anticipated litigation requires us to preserve data, we apply a legal hold to the affected scope.

  • Standard and instant deletion are blocked for held data.
  • You'll see a banner explaining the hold, the date it was applied, and a contact for questions.
  • Held data is retained until released. We'll tell you when it is.
  • We may decline to disclose the source of a hold where legally prohibited, but we'll tell you a hold exists.

10. Vendor pass-through

  • Anthropic / OpenAI / Vertex: zero-retention or short-retention API tiers; prompt caches expire within 1 hour.
  • Plaid: on item removal, Plaid stops further reads. Plaid is GLBA-regulated.
  • Stripe: customer record marked for deletion; tax-required fields retained per Stripe's policy.
  • Pinecone: namespace and vectors dropped.
  • Cloud Storage: object deleted; versioned copies follow bucket lifecycle.
  • Resend (ESP): outbound email logs retained per Resend's policy.
  • Connector providers: we revoke tokens; underlying data in their systems is unaffected.

11. Audit trail

Every deletion writes an audit record with: who initiated it, when, what scope, what stages completed and when, and (for instant deletion) a SHA-256 hash of the typed attestation. The audit record is signed and append-only. You can request a copy at any time at privacy@lossless-ai.com — we keep the audit record for 7 years.
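
A sketch of how a signed, append-only record like the one described here and in step 6 of section 4 can be built and checked. This is an added example, not Lossless's own code. The field names, the hash chaining, and the use of HMAC-SHA256 as the signature are assumptions, since the policy does not name a scheme, and the sample data is constructed.

```python
import hashlib
import hmac
import json

# Sentence quoted in section 8; GENESIS is an assumed anchor for the first record.
ATTESTATION = ("I understand all of my data will be unrecoverable "
               "if you proceed with this option.")
GENESIS = "0" * 64

def _canonical(body):
    # Deterministic serialization so hashes and signatures are reproducible.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def append_record(log, key, initiator, when, scope, stages, typed=None):
    """Append a signed record chained to the previous record's hash."""
    body = {"initiator": initiator, "when": when, "scope": scope,
            "stages": stages, "prev": log[-1]["hash"] if log else GENESIS}
    if typed is not None:  # instant deletion: keep only the hash of the text
        if not hmac.compare_digest(typed.encode(), ATTESTATION.encode()):
            raise ValueError("attestation must be typed verbatim")
        body["attestation_sha256"] = hashlib.sha256(typed.encode()).hexdigest()
    data = _canonical(body)
    record = dict(body, hash=hashlib.sha256(data).hexdigest(),
                  sig=hmac.new(key, data, hashlib.sha256).hexdigest())
    log.append(record)
    return record

def verify_log(log, key):
    """Return the index of the first bad record, or -1 if the log is intact."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k not in ("hash", "sig")}
        data = _canonical(body)
        good_sig = hmac.new(key, data, hashlib.sha256).hexdigest()
        if (rec["prev"] != prev
                or rec["hash"] != hashlib.sha256(data).hexdigest()
                or not hmac.compare_digest(rec["sig"], good_sig)):
            return i
        prev = rec["hash"]
    return -1

def demo():
    # Constructed sample: a standard and an instant deletion, then a tamper.
    key, log = b"constructed-demo-key", []
    append_record(log, key, "u1", 1782900000, "record:42", {"mark": 1782900001})
    append_record(log, key, "u2", 1782986400, "account", {}, typed=ATTESTATION)
    intact = verify_log(log, key)
    log[0]["scope"] = "record:43"  # simulated after-the-fact edit
    return intact, verify_log(log, key)
```

Because each record carries the previous record's hash, removing or editing an entry breaks verification at that position even if later entries are left untouched.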

12. What we can and cannot guarantee

We guarantee:

  • To begin primary purge within the window we publish.
  • To revoke Connector tokens within the same window.
  • To not silently retain data past the published windows.
  • To deliver a deletion confirmation by email when each stage completes.
  • To honor your right to delete free of charge.

We cannot guarantee:

  • Reversal of an instant deletion past the 5-minute cancel window.
  • Removal of data that legitimately left Lossless before deletion.
  • Erasure from backups before their published expiry window.
  • Removal of data from a legally-held scope until the hold is released.
  • The behavior of subprocessors after we instruct them to delete; we hold them to contractual obligations and follow up if a deadline is missed.

13. Contact

Lossless, Inc.
548 Market Street #84301
San Francisco, CA 94104, USA

Privacy: privacy@lossless-ai.com
Security: security@lossless-ai.com
Legal: legal@lossless-ai.com