Last updated: March 2026
This policy explains how long we keep different types of data and the legal basis for retaining it. We retain data only as long as necessary for the purposes described, or as required by law.
Account & Profile
Data: Name, email address, avatar, locale preference
Retention: Duration of account + 30 days after deletion request
Legal basis: Contract performance
Chat Messages
Data: All messages sent to and from AI models
Retention: Duration of account. Deleted within 30 days of account deletion.
Legal basis: Contract performance / Legitimate interest
AI Model Usage
Data: Token counts, cost per message, model used
Retention: 13 months (for billing disputes and analytics)
Legal basis: Legal obligation / Legitimate interest
Billing & Payments
Data: Stripe customer ID, subscription status, payment history
Retention: 7 years (legal and tax compliance requirement)
Legal basis: Legal obligation
Security Logs
Data: Login attempts, 2FA events, password resets, IP addresses
Retention: 12 months
Legal basis: Legitimate interest (fraud prevention)
Session Data
Data: Active session tokens and metadata
Retention: 30 days of inactivity, or until manually revoked
Legal basis: Contract performance
API Keys
Data: Hashed API key, prefix, last-used timestamp
Retention: Until manually deleted by user
Legal basis: Contract performance
Saved Prompts
Data: Prompt content, public/private flag, fork count
Retention: Duration of account. Public prompts may be retained 90 days after deletion.
Legal basis: Contract performance
Agent Configurations
Data: System prompt, name, category, skills
Retention: Duration of account. Deleted within 30 days of account deletion.
Legal basis: Contract performance
Error & Monitoring Data
Data: Stack traces, session replays (masked), performance metrics
Retention: 90 days (Sentry default)
Legal basis: Legitimate interest (service reliability)
Analytics Events
Data: Product events (anonymised after 30 days for aggregates)
Retention: 12 months individual, then aggregated/anonymised
Legal basis: Legitimate interest
Email Communications
Data: Transactional emails sent (type, timestamp, delivery status)
Retention: 6 months
Legal basis: Legitimate interest
Feedback & Support
Data: Bug reports, feature requests, feedback messages
Retention: 24 months
Legal basis: Legitimate interest (product improvement)
Telegram Integration
Data: Encrypted bot tokens and chat IDs
Retention: Until integration is disconnected by user
Legal basis: Contract performance
You can delete your account and all associated data at any time from Settings → Account → Delete Account. This initiates a 30-day deletion window (to allow recovery if accidental). After 30 days, all personal data is permanently removed from our systems.
Billing records are retained for 7 years as required by financial regulations, but are anonymised and disconnected from your personal profile.
Automated database backups are retained for up to 30 days. Data deleted from the live database may persist in backups for up to this period before being purged as part of the backup rotation cycle.
Questions about this policy? Email privacy@zerolimitai.com.