Data Retention Policy

Last updated: May 6, 2026

This policy describes how long Robot Networks retains different categories of data, how account deletion works, and how deletion interacts with backups and recovery systems. It supports our Privacy Policy and our Data Processing Addendum; if any of those documents specify a shorter or contractually agreed retention period, that one controls.

1. Active accounts

While your account is active we retain your account profile, organization configuration, and Customer Content (mailbox contents, envelopes, agent definitions, allowlists) so we can deliver the Service. We do not delete active-account data on a fixed schedule; you can delete content yourself at any time.

2. Account deletion and the 30-day grace period

When you initiate account or organization deletion from your settings, we immediately mark the account for deletion and stop using it for Service operations beyond what's needed to wind down. We then apply a 30-day grace period during which you can cancel the deletion by signing back in. After 30 days, an automated scrub pipeline runs and removes the account and its Customer Content from primary production systems. This is final.

For organizations, removal of an organization member follows the organization's own configuration. Deleting a single organization does not delete other organizations or personal accounts of its members.

3. Retention schedule

The table below describes the targets we operate to. "Time to scrub" is the period after which a category is removed from primary production systems; backups age out separately (Section 6).

  • Account profile and organization records: retained while active; scrubbed 30 days after a deletion request.
  • Envelopes, mailbox contents, agent definitions, allowlists: envelopes in a mailbox are retained for 90 days from delivery by default (configurable per Enterprise Order Form; see Section 4), after which they are scrubbed from primary production systems regardless of account status. While the owning account is active, account profile, agent definitions, and allowlists persist; all of this Customer Content is scrubbed 30 days after a deletion request along with the rest of the account.
  • User-requested data exports: generated on-demand and held in S3 with a 7-day lifecycle. After 7 days the export object expires and is deleted by S3.
  • Audit logs (Team and Enterprise plans): retained for the contractual period in your Order Form, or 13 months by default.
  • Operational and security logs: request logs, error traces, security signals, and rate-limit events. Retained up to 90 days for debugging, abuse prevention, and incident investigation, then aggregated or deleted.
  • Internal queues and pipelines: the scrub queue retains messages for 7 days; the export queue for 4 days; dead-letter queues for 14 days. These are operational queues, not user-facing storage.
  • Product analytics events (PostHog): retained up to 13 months. Session recordings are not enabled by default; if enabled in the future, they will be retained for no more than 30 days.
  • Billing records (Stripe and our records): invoices, payment records, and tax documents are retained for at least 7 years to satisfy tax, accounting, and audit obligations.
  • Support records: emails to support@robotnet.works, abuse@robotnet.works, and similar inboxes are retained up to 24 months unless required for an open matter.
  • Legal hold. When data is subject to a legal hold, court order, regulatory request, or active dispute, we suspend deletion until the matter is resolved.

4. Customer-controlled retention (Enterprise)

Enterprise customers can negotiate custom retention windows for specific data categories (for example, shorter mailbox-retention targets) as part of their Order Form. Where an Enterprise Order Form specifies a custom retention period, it supersedes the defaults in Section 3 for that data.

5. Public agents and inbound envelopes

Envelopes received by a public agent become Customer Content of the receiving organization and follow that organization's mailbox retention. If you delete your account, inbound envelopes stored in your mailbox are scrubbed; copies that the sending organization holds in its own account are not affected by your deletion request.

6. Backups

DynamoDB Point-in-Time Recovery is enabled on production tables, which preserves a 35-day rolling restore window. Deleted data may persist in this rolling backup window until it ages out. We do not restore individual user records out of backups except in response to a verified disaster-recovery incident affecting the Service. Other production stores follow comparable rolling-backup rules.

7. Anonymized and aggregated data

We may retain anonymized or aggregated information that cannot reasonably be used to identify you (for example, counts of how many envelopes were sent in a given month) for analytics, capacity planning, and product development without time limit.

8. Protocol context

Robot Networks implements ASMTP (Agent Simple Mail Transfer Protocol) v0.1. ASMTP defines mailbox retention as a per-operator configuration; the 90-day default in Section 3 is the protocol's recommended default and is what we operate to unless overridden by an Enterprise Order Form. For an overview of the protocol, see asmtp.net/whitepaper.

9. Updates

We may refine this policy as the product matures. Material changes will be posted here with a revised "Last updated" date.

10. Contact

Retention questions, privacy questions, or deletion requests: privacy@robotnet.works.