Data retention
Three things have retention rules: submissions, files, and audit logs. The rules differ by plan.
Submissions
| Plan | Retention | Behaviour at end of window |
|---|---|---|
| Free | 30 days | Hard-deleted automatically |
| Pro | Forever | Kept until you delete |
| Team | Forever | Kept until you delete |
| Scale | Custom | Configurable per form (e.g. 90d, 365d, 7y) |
"Forever" means we don't auto-delete. You can still delete individual submissions or run bulk deletes any time, and a right-to-erasure request always takes precedence (see GDPR).
On Free, the 30-day rolling window is enforced by a daily job that hard-deletes anything past the boundary. We email you 7 days before a submission first crosses the line so you have time to upgrade or export. On Free, that email is your only warning — there's no recovery once the job runs.
Files
File retention follows the parent submission. When the submission is deleted (auto or manual), attached files are deleted from object storage in the same operation.
There's no separate "file-only" retention setting on standard plans. Scale customers can configure shorter file retention than submission retention (e.g. delete files after 90 days but keep the submission payload), useful when you want to retain evidence-of-receipt without retaining sensitive uploads forever.
Audit logs (Team+)
The team audit log retains:
- Sign-ins (timestamp, IP, user agent)
- Token mints, revocations
- Form mutations (create, update, archive, restore)
- Webhook mutations
- Bulk submission operations
- Membership changes (invite, role change, remove)
Retention:
- Team — 365 days
- Scale — configurable, default 365, max 7 years
After expiry, audit log entries are removed from the primary database. They remain in cold backups for a further 35 days, after which they are unrecoverable.
Hard delete vs. soft delete
We use both, intentionally:
| Operation | Type | Recovery window |
|---|---|---|
| Submission deleted via right-to-erasure | Hard | None |
| Submission deleted via dashboard "Delete" | Hard | None |
| Submission past auto-retention window | Hard | None |
| Submission marked as spam | Soft (it's still in spam folder) | Forever, until deleted |
| Form archived | Soft | Restorable from archived view |
| Form deleted | Hard | None |
| Webhook deleted | Hard | None |
| Team cancelled | Soft (then hard at retention end) | See cancellation |
The pattern: anything operationally reversible is soft-deleted; anything that touches user data under a privacy obligation is hard-deleted.
Backups
We take encrypted daily backups of the primary database. Backups age out after 35 days, after which the snapshot is unrecoverable.
When data is hard-deleted from the primary database, it's still present in any backup that was taken before the deletion — but those backups age out on the same 35-day rolling window. So:
- Hard delete in primary DB → instant
- Removal from latest backups → up to 35 days
For right-to-erasure requests this matches the standard "without undue delay" interpretation under GDPR. We do not selectively scrub backups; the rolling expiry handles it.
Right to erasure overrides retention
Even if your plan retains forever, a right-to-erasure request triggers immediate hard-delete. There's no "but Pro keeps it" exception. See GDPR for the request flow.
Custom retention on Scale
Scale customers can pin retention windows per form:
- Marketing forms: 30 days (don't keep newsletter sign-up data longer than necessary)
- Support forms: 365 days (keep enough history to handle follow-ups)
- Compliance forms: 7 years (regulated industries)
Configure under Form → Settings → Retention. The setting drives the daily auto-delete job. Email info@pixelandprocess.de to enable Scale features if you don't see the option yet.
What about anonymized submissions?
We don't run an anonymization pipeline. Submissions are either retained in full or hard-deleted. If you need anonymized analytics, export to JSON, anonymize on your side, and delete the original.
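One way to do the "anonymize on your side" step, as an added example rather than code from the product: keep only allow-listed fields, coarsen timestamps to the day, and publish counts while suppressing small groups. The export shape (`form_id`, `created_at`, `data`), the field names, and the `K_MIN` threshold are assumptions, and the sample data is constructed.

```python
import json
from collections import Counter
from datetime import datetime

# Constructed sample. The export shape (form_id, created_at, data) is an
# assumption for illustration; adapt the keys to your real export.
SAMPLE_EXPORT = json.dumps([
    {"form_id": "f_contact", "created_at": "2024-05-01T09:12:00Z",
     "data": {"email": "a@example.com", "country": "DE", "plan": "pro",
              "message": "Call me on 555-0100"}},
    {"form_id": "f_contact", "created_at": "2024-05-01T17:40:00Z",
     "data": {"email": "b@example.org", "country": "de ", "plan": "Pro"}},
    {"form_id": "f_contact", "created_at": "2024-05-01T18:00:00Z",
     "data": {"email": "c@example.net", "country": "FR", "plan": "free"}},
    {"form_id": "f_contact", "created_at": "2024-05-02T08:00:00Z",
     "data": {"name": "Dana", "country": "DE", "plan": "pro"}},
])

ALLOWED_FIELDS = {"country", "plan"}  # hypothetical low-cardinality fields
K_MIN = 2                             # hypothetical small-cell threshold


def anonymize(export_json, allowed=ALLOWED_FIELDS, k_min=K_MIN):
    """Reduce an export to per-day counts; no row-level data is returned."""
    cells = Counter()
    for sub in json.loads(export_json):
        ts = datetime.fromisoformat(sub["created_at"].replace("Z", "+00:00"))
        data = sub.get("data", {})
        # Allow-list: fields not named here (email, name, free text) are
        # dropped, so a new identifying field is never kept by accident.
        kept = tuple((f, str(data.get(f, "unknown")).strip().lower())
                     for f in sorted(allowed))
        cells[(sub["form_id"], ts.date().isoformat(), kept)] += 1

    rows, suppressed = [], 0
    for (form_id, day, kept), n in sorted(cells.items()):
        if n < k_min:
            # A group of one can be linked back to a person: count it, hide it.
            suppressed += n
            continue
        rows.append({"form_id": form_id, "day": day, **dict(kept), "count": n})
    return {"rows": rows, "suppressed_submissions": suppressed}


if __name__ == "__main__":
    print(json.dumps(anonymize(SAMPLE_EXPORT), indent=2))
```

Hashing an email instead of dropping it would only pseudonymize the record, which is why this sketch returns aggregates and never a per-submission row.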
What's next
- GDPR — DSARs and right to erasure
- Regional hosting — where data lives
- Sub-processors — third parties involved
- Encryption — what's encrypted and where