/docs/privacy/retention
Retention Matrix
Version 2026-04-04-v24, updated 2026-04-04.
| Category | Retention | Legal Basis | Notes |
|---|---|---|---|
| Account and profile data | Until account deletion; active primary data is then deleted or anonymized | Art. 6(1)(b) GDPR | - |
| Workspace, board, and content data | Until user deletion or contract end; trash objects typically 30 days | Art. 6(1)(b) GDPR | - |
| Invoice, payment, and accounting data | Typically 6 to 10 years according to legal retention duties | Art. 6(1)(c) GDPR | Applies to active paid services and statutory retention duties |
| Consent and legal-text evidence | Until expiration of applicable limitation periods | Art. 6(1)(c) and (f) GDPR | - |
| Support, DSAR, and abuse-prevention records | Until the case is completed and until relevant evidentiary or limitation periods expire; hashed rate-limit identifiers only within active windows | Art. 6(1)(b), (c), and (f) GDPR | Support records may include message content, delivery metadata, and technical abuse-prevention data |
| Security and operational logs | Usually short-term, typically 30 to 90 days; exceptionally longer for incidents | Art. 6(1)(f) GDPR | - |
| Backups | Only for recovery and IT security; deletion or overwrite follows technical necessity and rotation | Art. 6(1)(f) GDPR | - |
| Invitation and permission metadata | Until acceptance, expiry, or deletion of the invitation and, where necessary, longer for abuse prevention or evidentiary purposes | Art. 6(1)(b) and (f) GDPR | Depends on invitation status |