Skip to main content
Draft pending counsel review.
Last updated: 27 May 2026 This Policy describes how long Brand Atlas retains different categories of data and how deletion works.

1. The principle

We retain personal data only as long as needed for the purposes for which it was collected, and as long as required by applicable law. We do not keep data indefinitely.

2. Retention by category

CategoryRetention while account is activeAfter account closure
Account profileActive for the life of the accountDeleted after the 30-day grace period
Brand record contentActive for the life of the accountDeleted after the 30-day grace period; tier-dependent history retention while active
Billing recordsActive for the life of the accountRetained for 7 years for tax and audit purposes, then deleted
Sign-in and security logs12 months12 months, then deleted
Application logs90 days90 days, then deleted
Analytics (aggregate)Indefinite, in aggregate non-identifiable formAggregate non-identifiable form retained
Henry conversation historyPer-user setting (default 30 days)Deleted with the account
Oswald audit trailIn line with the brand record’s history retentionDeleted with the account
Henry BYOK keyActive for the life of the connectionDeleted on key removal or account closure
Support tickets3 years3 years, then deleted

3. Brand record history retention by tier

  • Scout. Brand record history retained at full detail for 30 days. Older history summarised.
  • Keeper. Brand record history retained for 12 months. Older history summarised.
  • Guardian. Brand record history retained indefinitely while the account is active.
History “summarised” means the change is preserved as a record (when, by whom, what section) but the full content of the change is not surfaced beyond the retention window. The customer can export the full history while it is in the retention window.

4. Account closure flow

When a subscription is cancelled:
  1. End of billing period. The atlas enters a 30-day grace period. Read-only access remains; exports are available.
  2. End of grace. The brand record is deleted from active systems. Billing and audit records are retained per the categories above.
  3. Backup ageing. Backups containing the deleted data age out per the backup retention schedule (typically 35 days for daily backups, 12 months for weekly snapshots).
After backup ageing completes, the data is no longer recoverable.

5. Immediate deletion on request

A customer can request immediate deletion (before the standard grace period) by writing to legal@brandatlas.pro. We:
  1. Verify identity.
  2. Delete from active systems within 5 working days.
  3. Note that backups continue to age out per the standard schedule; the data is not in active systems but may remain in encrypted backups until those expire.
Immediate deletion is non-recoverable. We retain some data longer than the categories above where law requires:
  • Tax records. 7 years per UAE tax law (and most other jurisdictions).
  • Audit records. Per the longest applicable statutory period.
  • Material under legal hold. Retained until the hold is lifted.
The legal-retention overrides are minimal in scope and apply to specific data, not to the customer’s account or brand record at large.

7. Backups

  • Daily encrypted backups retained for 35 days.
  • Weekly snapshots retained for 12 months.
  • Disaster-recovery backups retained for 36 months.
Backups are not used to restore individual deleted records on request; they exist to enable disaster recovery of the Service as a whole.

8. Data subject right to erasure

The right to erasure under GDPR, UK GDPR, CCPA, PDPL, and similar laws is honoured. Requests are processed within 30 days. Where erasure conflicts with legal retention requirements, we erase what we can and explain what is retained and why.

9. Anonymised data

Data that has been anonymised (irreversibly stripped of personal identifiers) may be retained indefinitely in aggregate. We use anonymised data for:
  • Service improvement.
  • Aggregate reporting on usage patterns.
  • Cohort analysis.
No anonymised dataset can be re-identified to a specific individual.

10. Changes

We may update this Policy. Material changes are announced 30 days in advance.

What changed

  • 27 May 2026: Initial draft published.