Data Retention Policy
Effective Date: March 24, 2026
Last Updated: March 24, 2026
1. Overview
This Data Retention Policy describes how ConsoleSentinel, a product of Melhousen Solutions LLC ("we," "us," "our"), retains, archives, and deletes data collected through the Service. We retain data only as long as necessary to fulfill the purposes described in our Privacy Policy and to comply with legal obligations.
2. Data Categories and Retention Periods
| Data Category | Description | Retention Period |
|---|---|---|
| Account Data | Name, email, organization, role, authentication metadata | Duration of account + 30 days after deletion request |
| Scan Results | Console errors, accessibility findings, security findings, screenshots | 90 days (Free) / 1 year (Pro/Team) / 2 years (Enterprise) |
| Scan Reports | Generated HTML/JSON/PDF reports | Same as Scan Results per tier |
| Audit Logs | Authentication events, API access, administrative actions | 12 months minimum (per ADR-005) |
| Billing Data | Subscription status, plan tier, invoice references | 7 years (tax and financial compliance) |
| API Keys | Hashed API key identifiers and scopes | Until revoked + 90 days |
| Usage Metrics | Scan counts, page counts, feature usage | 2 years (aggregated/anonymized after 90 days) |
| Support Communications | Support tickets, emails, feedback | 3 years |
| Server Logs | HTTP access logs, error logs, performance logs | 90 days |
3. CLI and Free Tier Data
When using ConsoleSentinel via the CLI (npx consolesentinel) without an account, scan results are processed locally and are not transmitted to or stored on our servers. No data retention applies to local CLI usage.
4. Data Deletion
4.1 Account Deletion
You may request account deletion at any time through your account settings or by submitting a deletion request. Upon receiving a deletion request:
- Account data is removed within 30 days
- Scan results and reports are permanently deleted
- Audit logs are retained for the mandatory 12-month period for security compliance, then deleted
- Billing records are retained for the legally required 7-year period
4.2 Data Export
Before deletion, you may export your data through the ConsoleSentinel dashboard or API. Exportable data includes scan results, reports, and account metadata in JSON format.
5. Tenant Isolation
All data is stored with strict tenant isolation. Each organization's data is logically separated and access-controlled. Cross-tenant data access is prohibited at the application layer, enforced by Tallawah CIAM middleware.
6. Data at Rest and in Transit
- At rest: All stored data is encrypted using AES-256 encryption
- In transit: All data transmission uses TLS 1.2 or higher
- Backups: Encrypted backups follow the same retention periods as primary data
7. Automated Deletion
We implement automated data lifecycle management:
- Expired scan results are purged nightly via automated jobs
- Inactive accounts (no login for 24 months) receive a 30-day warning before data deletion
- Server logs are rotated and deleted on a 90-day cycle
8. Legal and Compliance Holds
Data subject to legal holds, regulatory investigations, or compliance requirements may be retained beyond the standard periods described above. We will notify affected users when legally permitted.
9. Changes to This Policy
We may update this Data Retention Policy periodically. Material changes will be communicated via email to account holders and posted on this page with an updated effective date.
10. Contact
For questions about data retention or to submit a deletion request:
- Contact: Submit a data retention inquiry
- Reference: Include "Data Retention Inquiry" in your message