Data Retention & Deletion Policy
How we store, retain, and permanently delete your data.
Last updated: April 13, 2026
This page describes exactly what SecurityAlert.ai stores about you, how long we keep it, how to delete it, and how to exercise your rights under GDPR, CCPA, and other privacy regulations. We try to be concrete rather than vague. Every category below maps to a specific database table or system.
What we store about you
When you sign up for SecurityAlert.ai, we store the minimum necessary to operate your account and deliver the features you configure:
| Data category | Purpose | Retention |
|---|---|---|
| Account identity (email, name, company) | Authentication and support | Until account deletion |
| Brand monitor configurations | Typosquat, phishing, and impersonation scans for domains you protect | Until you delete the brand or your account |
| Brand findings (typosquats, dark web mentions, marketplace listings, infostealer hits, exposed secrets, etc.) | Exposure Dashboard, alerts, takedown evidence | Until you delete the brand or your account |
| Takedown case state (registrar contact, status, evidence URLs) | Tracking domain takedowns end-to-end | Until you delete the case or your account |
| Subdomain inventory and host exposure scan results | Attack surface and Shodan exposure mapping | Until you delete the brand or your account |
| Alert history (emails sent, Slack/Teams posts, webhooks fired) | Debugging alert delivery, cooldown tracking | 90 days |
| API keys | Programmatic access | Until revoked or account deleted |
| Audit logs (Enterprise tier) | SOC 2 evidence, internal change tracking | 1 year |
| Billing records (Stripe customer ID, plan history) | Processing subscription payments | 7 years (legal/tax retention) |
What we do NOT store
- Passwords (authentication is handled by Auth0; we never see your password)
- Full credit card details (Stripe tokenizes payment methods; we only see the last 4 digits)
- Content of monitored websites and pages (we only store status codes, response metadata, and finding evidence URLs, never the page body)
- Personal data of anyone you don't explicitly add (no automated contact scraping)
How to delete your data
Option 1: Delete individual items
You can delete individual brand monitors, takedown cases, and API keys at any time from the respective section of your dashboard. These deletions take effect immediately and remove all associated findings, scan logs, and alert history.
Option 2: Delete your entire account
From Settings → Account → Danger Zone, click "Delete my account" and confirm by typing DELETE MY ACCOUNT. This is immediate and cannot be reversed.
When you delete your account, we purge all of the following in a single transaction:
- All brand monitors, scan logs, and findings
- All subdomain inventory and host exposure data tied to your brands
- All check results, scan history, typosquat findings, and threat intel data
- All takedown cases, evidence, registrar communications, and case notes
- All API keys and alert configurations
- All alert log history (email, Slack, Teams, Discord, webhooks, PagerDuty, Opsgenie)
- All audit logs of actions you performed
- Your Auth0 login (you will no longer be able to sign in)
The deletion cascade covers ~60 database tables and runs as an atomic PostgreSQL transaction. If any part of the cascade fails, nothing is deleted and you will see an error. On success, you are signed out and redirected to the homepage.
Backups
We run automated PostgreSQL backups daily for disaster recovery. Backups are:
- Encrypted at rest
- Stored for a maximum of 7 days before automatic rotation
- Access-controlled and used only for disaster recovery, never read for operational or analytical purposes
When you delete data (an account or individual items), the deletion takes effect immediately in the live database. However, the deleted data may persist in backups until those backups are rotated out of storage. This is a standard pattern for all SaaS products. A 30-day retention window balances disaster recovery needs with your right to erasure. No data that you have deleted is ever restored from backup into the live system unless you explicitly request it during a disaster-recovery scenario.
Your rights under GDPR, CCPA, and other regulations
Right to access
You can view all data we hold about you at any time by logging in and browsing your dashboard, settings, and brand detail pages. If you want a machine-readable export of everything we have, email privacy@securityalert.ai with "Data export request" in the subject line. We will respond within 7 days.
Right to erasure (right to be forgotten)
Use the self-service deletion from Settings. It immediately purges your data from the live database. Backup retention is capped at 7 days as described above. If you need faster backup purging for a specific legal reason, email privacy@securityalert.ai.
Right to rectification
Edit your profile from Settings → Profile Information. For corrections that aren't self-serviceable, email privacy@securityalert.ai.
Right to portability
Your brand findings and takedown cases can be exported as CSV from the respective dashboards. For a full account export in JSON format, email privacy@securityalert.ai.
Right to object to processing
If you object to specific processing (e.g., you don't want us to run typosquat scans against your brand), you can delete the relevant item from your dashboard. If you need to object to a class of processing we don't offer granular controls for, email privacy@securityalert.ai.
Data processing locations
All SecurityAlert.ai data is stored on Azure infrastructure. Database and application servers are located in the US East (Virginia) region. We use third-party processors for specific features:
- Auth0: authentication and identity management
- Postmark: transactional email delivery
- Stripe: payment processing
- Twilio: SMS alert delivery (only if you enable SMS alerts)
- Anthropic Claude: AI-assisted finding triage and report generation (only if you use the feature; finding metadata is sent, not your password or API keys)
- Shodan InternetDB: passive vulnerability lookups (we send IPs/hostnames, no personal data)
- Hudson Rock Cavalier: credential exposure lookups (we send your domain, no personal data)
Questions or requests
Email privacy@securityalert.ai for any question about data handling, retention, deletion, or your privacy rights. We respond within 5 business days and fulfill formal requests (access, erasure, portability) within 7 days.
This policy supersedes any prior data-retention guidance. Material changes will be announced on the changelog and reflected in the "Last updated" date at the top of this page.