Data Retention Policy
Retention windows per data type. Account deletion triggers full purge within 30 days; backups overwritten within 90.
Last updated: April 11, 2026
This page is the canonical, plain-language answer to "how long does Sistava keep what?". It supplements (and does not replace) Section 8 of our Privacy Policy, Section 12 of our Data Processing Agreement, and Section 18.A of our Terms of Service (Data Portability & Switching). The values shown here are the same values implemented in our backend retention configuration and enforced by an automated cleanup job that runs daily at 03:00 UTC.
1. Honest Defaults, Transparent Practice
Sistava is an early-stage product. To improve the platform, optimize infrastructure, debug issues, investigate abuse, and understand how AI employees are used, we currently retain most operational and behavioral data for up to two (2) years by default. This is longer than some smaller vendors retain data, and we want you to know that up front rather than discover it later. We do not sell your data, we do not share it for advertising, we do not transfer it to data brokers, and we use it only to operate, secure, and improve the Services as described in our Privacy Policy. As we mature, we expect to shorten these windows; any future reduction will apply prospectively and will be announced on this page.
2. Categories & Retention Windows
The table below lists every category of customer data we process, the maximum retention window we apply today, and what triggers deletion. Data outside the scope of these categories (for example, data we are legally required to retain for tax or accounting reasons, or data we are required to preserve for an active legal hold) is governed by Section 4 below.
- Data category — Retention — Trigger / notes
- Account profile (email, name, password hash, settings) — Indefinite while account active — Deleted on user request or automatically after 12 months of inactivity (Terms §6).
- Chat messages (conversations with AI employees) — Indefinite while account active — Full conversation history kept for as long as your account is active. You can delete individual conversations at any time.
- Employee memory and notes — Indefinite while account active — What your employees learn and remember persists across sessions until you delete them or terminate the employee.
- Work journals (daily logs and execution summaries) — 2 years — Daily work logs written by employees. Automatic cleanup after 730 days.
- Activity timeline — 2 years — Record of every action, tool call, and decision made by employees. Used for behavioral analytics and abuse investigation.
- Usage records (token usage, credit consumption) — 2 years — Per-call usage data for billing transparency, dispute resolution, and pricing-model validation.
- Task history (completed, failed, cancelled tasks) — 2 years — Active tasks (in progress, waiting, planned) are kept indefinitely. Only terminal tasks are cleaned up.
- Delegation history (employee-to-employee conversations) — 2 years — Conversations between AI employees during team collaboration.
- Approval history (resolved approvals) — 1 year — Resolved human-in-the-loop approval records. Pending approvals are always kept.
- Knowledge graph (Graphiti episodes) — 2 years — Raw conversation episodes ingested into the knowledge graph. Extracted facts and entities persist independently of the raw episodes.
- Connected-app on-demand reads (Slack channel history, CRM records, calendar entries, files in connected drives, etc.) — Not retained — Content fetched from a third-party app you connected (Slack, Telegram, WhatsApp, Teams, Gmail, Outlook, Drive, Notion, CRMs, calendars, databases, knowledge bases, MCP servers, custom webhooks, and any other integration we may add) at the moment a task runs is held in memory only for that turn and discarded afterwards. What the agent decides to remember is converted to embeddings, knowledge-graph facts, or short notes and stored under those categories. Bulk extraction only happens for features that say so up front (such as training / knowledge ingestion below).
- Training data (uploaded documents and ingestion records) — 1 year — Original training upload metadata. The trained knowledge derived from these uploads persists in the agent's knowledge graph.
- Generated files and images (Drive) — Indefinite while account active — Files created by employees (documents, images, exports). Orphaned files (no matching database row) are cleaned after 30 days.
- Voice recordings and transcripts — Tied to chat / file storage — Voice recordings and transcripts are stored as files in the Drive and follow file retention rules. They are not retained as a separate category.
- Schedule execution logs — 1 year — Records of automated schedule triggers and their outcomes.
- Debug traces (Langfuse snapshots) — 1 year — Detailed execution traces for debugging, model comparison, and quality optimization.
- Email delivery logs — 1 year — Records of system emails sent (signup confirmations, alerts, notifications).
- In-app notifications — 1 year — Notification history in your in-app inbox.
- Authentication & security logs — 1 year — Sign-in attempts, failed logins, password resets, MFA events, OAuth grants, session creation/termination, IP and device fingerprints used for fraud detection and incident investigation. Required to investigate account compromise.
- Support & customer service correspondence — 2 years — Emails, support tickets, contact-form submissions, and any other communications you send to our support, sales, or general contact channels. Kept to provide continuity of support, defend against disputes, and improve our help content. Anonymized after the retention window.
- Idempotency keys — 30 days — Used to deduplicate retried requests. No personal data; cleaned aggressively.
- LangGraph checkpoints (agent state snapshots) — 90 days — Only the latest checkpoint is needed for live agents; older snapshots are pruned.
- Terminated employee data — 90 days — Memories, skills, configuration, and documents of terminated AI employees are deleted 90 days after termination.
- Orphaned S3 files — 30 days — Files in object storage with no matching database row are cleaned after 30 days.
- Billing records (invoices, payment metadata) — 7 years — Required by Dutch and EU tax, accounting, and audit law. Cannot be deleted on user request until the legal retention period expires.
- Anonymized / aggregated metrics — Indefinite (only after irreversible anonymization) — Data that has been irreversibly anonymized to the standard described in GDPR Recital 26 — that is, the data subject is no longer identifiable by any means reasonably likely to be used — is no longer considered personal data under the GDPR and may be retained indefinitely for analytics, capacity planning, security research, and product improvement.
- Backups (database and file storage) — Up to 30 days — Standard rolling backups for disaster recovery. Deleted records may persist in backups until the next overwrite cycle, typically within 30 days.
3. How Deletion Actually Happens
Retention is enforced by an automated cleanup job that runs daily at 03:00 UTC. The job processes each data category independently, deletes in batches of up to 2,000 rows per cycle to avoid database lock contention, and logs every deletion for compliance audit. Before any change to retention windows is deployed to production, we run a dry-run pass that reports the number of rows that would be deleted, so we can verify the change is what we intended.
When you exercise your right to erasure (GDPR Article 17) by emailing dpo@sista.ai, we delete the data from our active systems within thirty (30) days of receiving and verifying your request, subject only to the legal-retention exceptions in Section 4 below. Standard backup cycles may retain a copy for up to thirty (30) additional days before it is overwritten in the ordinary course of our backup rotation.
4. When We Keep Data Longer
We may retain your data beyond the windows in the table above when:
- We are legally required to (for example, billing records for tax law, security logs for incident investigation, or data subject to a lawful preservation order).
- We are defending against an active or threatened legal claim, regulatory investigation, or dispute.
- The data has been flagged as related to abuse, fraud, security incidents, or violations of our Acceptable Use Policy, and we need it to enforce our policies, protect the platform, or protect other customers.
- You have an active subscription, an active workspace, or an active integration that depends on the data.
- The data has been fully anonymized and is no longer personal data under GDPR.
5. Your Controls
You can shorten retention for your own data at any time by:
- Deleting individual chat conversations from the workspace UI.
- Deleting AI employees, which removes their memory, notes, journal, and configuration after the 90-day terminated-employee window.
- Deleting files from your Drive.
- Deleting your account, which deletes all of the above and triggers full erasure subject to Section 4.
- Submitting a GDPR Article 17 erasure request to dpo@sista.ai.
- Exporting your data first under Section 18.A of the Terms of Service before deletion, if you want to keep a copy.
6. Reconciliation with Other Pages
We mention retention in several places on the website. This page is the canonical, binding reference for any disagreement. Specifically:
- The retention summary in our Data Security page is identical to the table above. Both are derived from the same backend configuration.
- Section 8 of our Privacy Policy describes retention in legal prose. This page is the operational table that prose refers to.
- Section 12 of our Data Processing Agreement describes return-or-deletion obligations after termination of a customer agreement. Those obligations apply on top of the standard windows in this table.
- The pricing comparison table on our pricing page shows different retention windows per plan tier (currently advertised as 30 days / 90 days / 1 year / 2 years / Custom). Those tier-based retention controls represent a future product offering and have not been implemented in the backend yet. Today, retention is uniform across all plans according to the table in Section 2 above, and that is the legally binding reality. When tier-based retention controls ship, this page and the pricing page will be updated together.
7. Changes to This Schedule
We may change the retention windows in this Schedule at any time. Where a change reduces retention (we delete data sooner), the change applies prospectively to all data going forward and we will use commercially reasonable efforts to give advance notice. Where a change extends retention (we keep data longer), we will publish the change here before it takes effect and explain why.
8. Contact
For questions about retention, deletion requests, or any other data protection matter, contact dpo@sista.ai.