Data Retention Policy
Organisation: Heuristicworks LLC
Product: Spexsure (spexsure.com)
Owner: Parimal Mohile, Founder
Version: 1.0
Effective Date: 2026-06-25
Review Cycle: Annual
1. Purpose
This policy defines how long Spexsure retains customer data, log data, and backups, and what happens to data when an account is closed or a subscription is cancelled.
2. Customer Data
| Data Type | Retention Period |
|---|---|
| PRD content (uploaded or pasted) | Retained for the lifetime of the project. Deleted when the project is archived or the account is closed. |
| Gap analysis results | Retained for the lifetime of the project. |
| Enriched PRD content | Retained for the lifetime of the project. |
| Generated tickets | Retained for the lifetime of the project. |
| Jira push history | Retained for the lifetime of the project. |
| Billing and subscription records | Retained for 7 years for financial compliance purposes. |
| BYOK API keys (encrypted) | Deleted immediately when the user removes their key or closes their account. |
| Jira OAuth tokens (encrypted) | Deleted immediately when the user disconnects Jira or closes their account. |
3. Account Closure and Subscription Cancellation
- When a subscription is cancelled, the account remains accessible until the end of the current billing period.
- After the billing period ends, the account is downgraded to the free plan. Customer data is retained.
- Account deletion — Users may delete their account at any time by clicking the Unsubscribe / Delete account link in any Spexsure email, or by emailing support@spexsure.com. Deletion is processed immediately on confirmation.
What is deleted immediately on account deletion:
- Account and profile data
- All projects, PRD content, gap reports, enriched PRDs, and generated tickets
- Jira OAuth tokens and integration settings
- Billing subscription (cancelled immediately; no refund for current period)
- MFA configuration and backup codes
- BYOK API key (if applicable)
Forensic log retention after deletion: Security and activity logs are anonymised on deletion — all personal identifiers (name, email address, account ID) are permanently removed — and the anonymised records are retained for 12 months from the deletion date. This retention is necessary for fraud detection, security incident investigation, and Stripe dispute resolution (GDPR Article 6(1)(f) legitimate interest). After 12 months, anonymised logs are purged automatically. These records cannot be linked back to the deleted user.
Billing records (invoices, Stripe payment history) are retained for 7 years for financial compliance and are exempt from deletion requests.
4. Log and Event Data
| Data Type | Hot Retention | Cold Archive | Total Retention |
|---|---|---|---|
| Journey events (user actions) | 90 days (PostgreSQL) | Supabase Storage | 12 months |
| Error reports | 90 days (PostgreSQL) | Supabase Storage | 12 months |
| AI analysis records (token counts, COGS, guardrail flags) | 90 days (PostgreSQL) | Supabase Storage | 12 months |
| Background job records (pg-boss) | 30 days | Not archived | 30 days |
Logs do not contain plaintext PRD content, OAuth tokens, API keys, or unnecessary personally identifiable information.
5. Backups
- Supabase automated daily backups are retained for 7 days (point-in-time recovery window).
- Backups are encrypted at rest using AES-256.
- Backup data is not used for any purpose other than disaster recovery.
6. Third-Party Data Processing
Spexsure sends PRD content to Anthropic's Claude API for AI processing. Anthropic does not retain prompt or response content beyond the duration of the API call. Spexsure does not share PRD content with any other third party.
For the full list of subprocessors: https://spexsure.com/legal/subprocessors
7. Data Deletion Requests
Customers may request deletion of their data at any time by contacting support@spexsure.com. Requests are fulfilled within 30 days. Billing records required for financial compliance are exempt from deletion requests and are retained for 7 years.
8. References
Approved by: Parimal Mohile, Founder, Heuristicworks LLC
Date: 2026-06-25