Data Retention & Deletion Policy

What we keep, how long, and what "delete" means

Effective June 1, 2026 · Last updated June 1, 2026

This policy describes what data EREBYX retains, for how long, and what "deletion" means operationally. It supplements our Privacy Policy with specific retention timelines for EREBYX.

What we store

Memory content (your saved memories)

  • What: the text you save via the save() MCP tool, the metadata your counterpart attaches (timestamps, conversation context, identity references), and all derived representations EREBYX generates from your content (vector embeddings, hierarchical aggregates, and other operational byproducts of memory organization and retrieval) — these are byproducts of providing the service, not separate data we hold about you
  • Where: PostgreSQL database in OVH Hillsboro, Oregon (US)
  • Encryption: envelope encryption at rest (XChaCha20-Poly1305 primary, AES-256-GCM) with per-tenant Data Encryption Keys at v0.1.1; per-user zero-knowledge encryption ships in v0.2 (target Q3 2026)
  • Retention while account is active: indefinite — your memories persist as long as your account is active. An account is "active" while you have a current paid subscription that is not in cancellation, suspension, or extended payment failure (defined below)
  • Definition of "active": your account is active when (a) your Genesis Arche subscription is current, OR (b) your subscription is in Stripe payment-recovery dunning of 21 days or less. After 21 days of failed payment recovery, the account exits active status and the post-cancellation flow below applies
  • Retention after cancellation: a 30-day post-cancellation grace period begins on the effective cancellation date shown in the cancellation confirmation email. During those 30 days your data is exportable and your account is reactivatable (subject to seat availability — see Terms of Sale § 6). After 30 days: hard delete from primary storage. After 90 days from cancellation: hard delete from encrypted backups.

Account data

  • What: email, name (if provided), password hash (argon2id), API key hashes (SHA-256), Stripe customer ID, billing history
  • Retention: for the lifetime of your account + 7 years post-deletion for tax/legal records (US IRS standard)
  • What we do NOT store: your password (only its hash), your full payment card (Stripe holds this), unhashed API keys

Activity logs

  • What: API request timestamps, error logs, system telemetry (no memory content)
  • Retention: 90 days for operational logs, 30 days for raw access logs
  • Purpose: debugging, security monitoring, incident response

Discourse community posts

  • What: posts, replies, reactions you make in arche.erebyx.com
  • Retention on subscription cancellation: Discourse posts are NOT deleted; you retain read access while your account is in the 30-day grace period, and the post content remains visible to other members thereafter for thread continuity
  • Retention on full account deletion: permanent account deletion (separate, irreversible action) anonymizes your username on Discourse posts but preserves the post content for thread continuity. You may also request individual post deletion or full username anonymization at any time
  • Your control: you can edit your own posts, request post deletion via [email protected], and request username anonymization

What "delete" means operationally

Per-memory deletion

When you delete a memory, we begin removing it from active retrieval immediately — it can no longer be returned via search, the API, or your dashboard.

The memory and its derived representations — vector embeddings, hierarchical aggregates, and any other byproduct that uniquely traces back to the deleted content — are purged from EREBYX within 30 days, during normal backup rotation and our scheduled cleanup passes.

Account-level deletion (crypto-shred)

When you permanently delete your account, we go a step further. The crypto-shred happens in two phases:

  1. Live database: immediate. The shred runs as an atomic database operation that destroys the wrap material protecting your tenant's encryption keys. After it returns success, the live database can no longer derive the keys that protect your ciphertext — any read against your data past that point returns unrecoverable bytes.
  2. Encrypted backups: within 30 days. Our point-in-time-recovery backups retain a 30-day window. Until those backups age out, they still contain a copy of the pre-shred wrapped keys — same encryption protection, but technically recoverable by an operator holding both the master key and the backup contents. After 30 days the oldest backup expires and that window closes. If we ever restore from a backup predating a tenant's shred, our operational procedure REQUIRES re-applying the shred against the restored data; this is documented in our DR runbook.

After both phases complete, your data exists only as opaque random bytes — neither EREBYX nor any future operator can derive the keys to decrypt it.
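
The two phases above, as an added Ruby example that is not EREBYX's code: a per-tenant Data Encryption Key (DEK) is wrapped under a master key, the shred destroys only the wrapped DEK, and a copy taken before the shred still decrypts for anyone holding the master key. The `Tenant` struct, its method names and the sample text are hypothetical, and AES-256-GCM (the second cipher named in this policy) is assumed for both layers.

```ruby
require "openssl"

# AES-256-GCM seal: returns nonce (12 bytes) || tag (16 bytes) || ciphertext.
def seal(key, plaintext)
  c = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  c.key = key
  nonce = c.random_iv
  c.auth_data = ""
  ct = c.update(plaintext) + c.final
  nonce + c.auth_tag + ct
end

# Raises CipherError on a wrong key, tampering, or destroyed wrap material.
def unseal(key, blob)
  raise OpenSSL::Cipher::CipherError, "wrap material destroyed" if blob.nil?
  d = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  d.key = key
  d.iv = blob.byteslice(0, 12)
  d.auth_tag = blob.byteslice(12, 16)
  d.auth_data = ""
  d.update(blob.byteslice(28..-1)) + d.final
end

# Hypothetical tenant record: DEK wrapped under the master key, plus one ciphertext row.
Tenant = Struct.new(:wrapped_dek, :row) do
  def self.create(master, text)
    dek = OpenSSL::Random.random_bytes(32)
    new(seal(master, dek), seal(dek, text))
  end

  def read(master)
    unseal(unseal(master, wrapped_dek), row).force_encoding("UTF-8")
  end

  # Live-database phase: destroy only the wrap material; the ciphertext row stays.
  def shred!
    self.wrapped_dek = nil
  end
end

if __FILE__ == $PROGRAM_NAME
  master = OpenSSL::Random.random_bytes(32) # constructed demo master key
  live = Tenant.create(master, "constructed sample memory")
  backup = live.dup # point-in-time copy taken before the shred
  live.shred!
  puts backup.read(master) # backup window: master key + backup still decrypts
  backup.shred! # restoring this copy requires re-applying the shred
end
```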

What persists

Anonymized statistical aggregates (e.g., total memory count per tenant without content, system-wide retrieval timing percentiles) may persist beyond deletion because they no longer contain personal data and cannot be re-identified. These aggregates never include user-attributable content.

We do not retain "shadow copies" of deleted data. We do not move deleted data to a separate retention tier. Deletion is permanent.

What we don't do with your data

  • We do not sell your data. Period. Not now, not ever.
  • We do not use your memories to train AI models. Project EREBYX (our v2.0 model end-state) is designed FROM the architecture, not extracted from user corpus. This commitment binds any successor entity in the event of a business transfer.
  • We do not share your memories with third parties beyond the subprocessors listed at /security (Stripe for payment, MailerSend for transactional email, Cloudflare for DNS/CDN, DeepInfra for inference at v0.1.1, OVH for hosting).
  • We do not use your memories for advertising, profiling, or analytics beyond operational telemetry.

Your rights

  • Export your data at any time via dashboard → Settings → Export. JSON format. Includes all memories, metadata, and derived representations. Delivery: small accounts (under ~100MB) deliver via in-dashboard download; larger accounts deliver via async email link within 24 hours. Files are signed and re-importable into a future EREBYX instance.
  • Delete individual memories via the delete API endpoint or dashboard. Hard-delete + derived-representation deletion within 30 days per "What 'delete' means operationally" above.
  • Cancel your subscription at any time via the Stripe Customer Portal. 30-day grace period for reactivation (subject to Genesis seat availability — see Terms of Sale).
  • Permanently delete your account via dashboard → Settings → Delete Account. Irreversible.
  • Request data correction by contacting [email protected]; we correct within 30 days.
  • Request a copy of all data we hold about you by contacting [email protected]. We respond within 30 days.
  • General billing or support inquiries are answered at [email protected] within 2 business days.

Third-party processor data

Our subprocessors retain data per their own policies:

  • Stripe: payment records (7+ years per US financial regulations)
  • MailerSend: transactional email logs (90 days typical)
  • Cloudflare: edge cache, DDoS-protection logs (varies)
  • DeepInfra: inference logs (their retention policy applies; we do not control)
  • OVH: infrastructure logs

When you request account deletion, we delete data from systems we control. We instruct subprocessors to delete in accordance with their policies and our agreements with them, but their retention is governed by their terms.

Special circumstances

Legal hold: If we receive a valid subpoena, court order, or law enforcement preservation request, we may be required to preserve data despite deletion requests. We notify affected users when permitted by law.

Security incident: In the event of a security incident, we may retain logs related to the incident for up to 12 months for forensic investigation, after which they are deleted unless required for ongoing legal proceedings. We disclose incident scope in our annual transparency report (Q1 2027 first edition).

Account fraud / AUP violation: Accounts terminated for AUP violations may have data preserved for up to 7 years for legal or regulatory purposes.

Changes to this policy

Material changes are announced via account email and in our Discourse community 30 days before taking effect.

Contact

General data questions and support: [email protected] (response within 2 business days)

Privacy and data-rights requests: [email protected] (response within 30 days)

EREBYX LLC
500 Westover Drive #32317
Sanford, NC 27330, USA