Principles
- Stripe is the system of record. Axiru does not duplicate the customer's Stripe data; we record decisions and the evidence that produced them.
- Decision ledger is append-only. Entries cannot be edited or deleted without a documented redaction request and an audit trail of the redaction itself.
- Minimization on imports. Shadow-mode imports are scoped to the last 90 days and are refreshed in place, not accumulated.
- Backups roll off independently. Even after a customer-initiated deletion, encrypted snapshots persist for up to 35 days and then expire automatically.
Retention by data category
| Category | What it contains | Retention | Basis |
|---|---|---|---|
| Decision ledger entries | Every governed decision (refund, charge, payout, credit, dispute, cancel, write-off, etc.) with the policy evaluation that produced it. | 7 years from entry date | Audit + tax recordkeeping (US IRC §6001; EU regulatory record floors). |
| Evidence attachments | Files attached to decisions for audit purposes (chargeback evidence, customer messages, screenshots). | 7 years from entry date, or 30 days after dispute resolution if attachment is dispute-only — whichever is longer. | Audit defense + Stripe/card-network evidence retention norms. |
| Audit logs (admin actions) | Who-did-what events: policy edits, enforcement toggles, role changes, billing actions, magic-link claims. | 2 years rolling | Security incident reconstruction; SOC 2 control alignment. |
| Authentication + session data | Clerk-managed sessions, refresh tokens, login history. | Per Clerk defaults (30-90 days after last activity) | Operated by Clerk under the sub-processor DPA. See sub-processors. |
| Stripe historical imports (shadow mode) | The last 90 days of Stripe charge / refund history customers import to evaluate shadow-mode policies. | Deleted on workspace close, or on customer request, whichever comes first; otherwise refreshed in place — never appended. | Minimization. Stripe remains the system of record. |
| Billing records (invoices, payment metadata) | Stripe-issued invoices, plan changes, usage counters, customer billing email. | 7 years | US GAAP + tax recordkeeping. |
| Account data (workspace, user profile, contact) | Workspace name, user names + emails, role assignments, contact email of record. | Active workspace lifetime + 90 days after closure | Operational need + dispute window. |
| Webhook delivery logs | Inbound Stripe webhook deliveries and outbound webhook attempts to customer endpoints. | 30 days rolling | Diagnostic + replay window. Anything beyond 30 days lives in the decision ledger. |
| Backups | Encrypted database snapshots. | 35 days rolling | Disaster recovery. Backups are not append-only — they roll off on a 35-day clock independent of customer-initiated deletion. |
| Aggregated, de-identified telemetry | Counts and timing for product analytics. No customer-identifiable content. | Indefinite | De-identification removes the PII tie. We do not re-identify aggregated telemetry. |
Customer-initiated deletion
- Workspace closure. Any admin can close a workspace from
Settings → Workspace. Closure schedules deletion of account data after a 90-day operational window. - Specific record redaction. Per-record redaction is supported via written request to privacy@axiru.com. Redacted records remain in the ledger as tombstones with the original payload removed; the redaction itself is logged.
- Subject access. EU/UK/CA data-subject requests are routed through /privacy and answered within statutory timelines (30 days under GDPR, 45 days under CCPA, etc.).
- Backup expiry. A successful customer-initiated deletion does not purge encrypted backups on day zero. Backups age out on the 35-day rolling cycle.
Statutory retention overrides
We will retain decision ledger entries, evidence attachments, and billing records past a customer-initiated deletion when required by law (US IRC §6001, EU bookkeeping minimums, AML/KYC where applicable to a customer's flow). These overrides are scoped to the specific records the law applies to; everything else is deleted on the same schedule as a normal request.
Changes
Material changes to retention windows are announced 30 days before they take effect through the customer's billing email of record. The current effective date is shown at the top of this page. Historical versions are available on request.
Related documents
- Privacy policy — what we collect and why
- Data Processing Agreement — how we process customer data on the customer's behalf
- Sub-processors — third parties that handle data on our behalf
- Security — controls that protect retained data
Questions?
Email privacy@axiru.com for retention or deletion requests, or legal@axiru.com for procurement-grade contract language.