Data Retention Policy
Last updated: January 2026
This policy describes how long Roostr keeps the different categories of data it processes, and how deletion works. It applies in addition to the Roostr Privacy Policy and any executed Data Processing Addendum.
Retention schedule
| Data category | Retention | Notes |
|---|---|---|
| Active operator accounts & business data | Lifetime of the account | Customer records, quotes, bookings, jobs, invoices, and dispatch history live for as long as the operator's account is active. |
| Closed accounts | Target: tombstoned for 30 days, then purged | When an operator closes their account, we honor the deletion request within 30 days. A self-service in-product deletion + 30-day tombstone flow is on the roadmap; until then, closure requests are handled by emailing privacy@roostr.app. |
| Customer-initiated deletion requests | Honored within 30 days of request | Customers (and operators on their behalf) can request deletion of a customer record by emailing privacy@roostr.app; the record is removed within 30 days, except where retention is required to defend a legal claim. An in-product self-service deletion flow is on the roadmap. |
| Payment records | 7 years | Invoice and payment metadata is retained for 7 years to meet tax-record requirements. Full card data is never stored by Roostr; Stripe holds it under PCI DSS. |
| Authentication & security logs | 12 months | Sign-in events, session creations, and admin-action audit rows are retained for 12 months for incident investigation. |
| Quote photos uploaded for AI processing | Processed in flight, not retained at the model | Photos uploaded for AI auto-quote are processed by our AI model and discarded by the model after the quote is generated. The original upload is retained with the quote record for the operator's reference until the quote (or its account) is deleted. |
| Marketing & transactional email metadata | 24 months | Send, delivery, open, and bounce events from Resend are retained for 24 months for deliverability diagnostics. |
| Server error logs | 90 days | Sentry retains server error events for 90 days, then purges. |
How deletion works
Our target model is two stages: a 30-day tombstone window (the row is hidden from the product but recoverable on request), followed by a permanent purge. The tombstone window gives operators a safety net against accidental deletion and gives us a window to defend a legitimate legal claim before data leaves the database. The in-product self-service flow that implements this end-to-end is on the roadmap; in the interim, deletion requests are honored manually within 30 days via privacy@roostr.app.
Exceptions
Where applicable law requires longer retention (for example tax-record obligations on financial documents), Roostr retains the minimum data required for the minimum period required and isolates it from the operational product.
Contact
Retention questions or deletion requests: privacy@roostr.app.