Last updated: 2026-04-07 · Version 1.0
We keep personal data only as long as necessary for the purposes for which we collected it, plus any legally required retention. We delete or anonymize on a defined schedule. This policy reflects what is actually implemented in our codebase.
Legal basis references are to GDPR Regulation (EU) 2016/679 and Kosovo Law on Personal Data Protection 06/L-082, which use the same article numbering for the lawful bases of processing.
| Data category | Retention period | Legal basis | Deletion mechanism |
|---|---|---|---|
| Account profile (email, name, hashed password) | Until user deletion + 30 days grace | Art 6(1)(b) — contract | Soft-delete then hard-purge cron |
| Active subscription records | For the term of subscription | Art 6(1)(b) — contract | Cancelled at end of term |
| Billing & invoice records | 7 years from end of fiscal year | Kosovo tax law obligation | Manually archived; exempt from user deletion |
| Authentication logs (auth_login_events) | 180 days | Art 6(1)(f) — security | Automated cron purge |
| User activity log | 180 days | Art 6(1)(f) — audit | Automated cron purge |
| Error events | 180 days | Art 6(1)(f) — operational | Automated cron purge |
| Upgrade intent events | 180 days | Art 6(1)(f) — analytics | Automated cron purge |
| Search and API usage logs | 90 days raw, daily aggregates kept | Art 6(1)(f) — quota enforcement | Automated rotation |
| Saved searches and watches | Until user deletes them or account deletion | Art 6(1)(b) — contract | Manual or cascade |
| Business removal request audit (incl. ID document URLs) | 90 days after decision | Art 6(1)(c) — legal obligation | Manual review + cron |
| Email delivery logs (Microsoft Azure) | Per Microsoft retention (typically 30 days) | Art 6(1)(f) — service operation | Controlled by subprocessor |
| Backups | 30 days rolling, encrypted | Art 6(1)(f) — disaster recovery | Automated rotation |
| Soft-deleted accounts | 30 days from delete request | Art 17 — user request | Cron hard-purge with IP anonymization |
For cookie-specific retention durations, see the Cookie Policy.
On hard purge, IP addresses in auth_login_events and user_activity_log are hashed (MD5) and the user_id is set to NULL, breaking re-identification. Audit aggregates retain statistical value without personal data.
Backups are encrypted at rest, rotate on a 30-day schedule, and live in the same Hetzner region as production. Restore is tested quarterly. Backups are excluded from immediate deletion requests but expire automatically — within 30 days of an account deletion request, all copies are gone.
In limited cases (active legal proceedings, regulatory investigation, fraud investigation related to chargebacks) we may suspend automated deletion via the legal_hold column on the user record. Affected users are notified where lawful.
Users may request immediate deletion via the account settings page or by emailing [email protected]. We process requests within 30 calendar days unless legal hold or billing retention applies.
Users may export all their personal data via /api/account/export (GDPR Art 20 portability). Exports are rate-limited to 1 per hour and delivered in JSON format. We recommend exporting before requesting account deletion.
We give notice of material changes to this policy by email or in-app banner 30 days in advance.
Email: [email protected]
Address: Rrahim Beqiri 1, 10000 Prishtinë, Republic of Kosovo
NUI: 812382414
Phone: +383 45 957 990
Governing law: Republic of Kosovo. Jurisdiction: competent courts of Pristina.