Data Retention

This page documents what Itstabyl stores, for how long, and how to remove it. It is the customer-facing companion to the Privacy Policy and applies to all production environments.

The first thing to know: Itstabyl does not store your source code. The pipeline reads repository structure (file paths, dependency declarations, import graphs) and discards the cloned working tree at the end of every scan. Only derived artefacts — scores, profiles, gap registers — are retained.

What we store

| Category | Description | Retention | Lawful basis (UK GDPR) | | -------------------------- | ------------------------------------------------------------------------ | -------------------------------------------- | -------------------------------------------------- | | Account | Email, Clerk identifier, plan, billing customer ID | Lifetime of the account, +30 days post-deletion | Contract (Art. 6(1)(b)) | | Scans | Repository URL, scan job state, commit SHA, owner/repo metadata | 90 days | Contract (Art. 6(1)(b)) | | Pipeline outputs | LRS, SVR, MCS, SDE, vendor lock-in matrix, gap register, remediation list | 90 days | Contract (Art. 6(1)(b)) | | Webhook acknowledgments | Salted SHA-256 of client IP (hashClientIp), timestamp, warning type | 365 days | Legitimate interest — abuse prevention & audit | | Stripe billing artefacts | Invoices, subscription state, payment-method tokens (Stripe-side) | 7 years (statutory) | Legal obligation (Art. 6(1)(c)) — UK tax retention | | Operational logs | Sentry errors, application logs (no scan content, no source code) | 30 days | Legitimate interest — debugging & security | | Email transactional logs | Resend send/bounce records | 30 days (Resend-side) | Legitimate interest — deliverability |

The 90-day window for scans and derived outputs matches the in-app disclosure presented before a customer's first scan. After 90 days the records are deleted by an automated nightly job; the deletion is irreversible.

What we do not store

• Source code. The cloned repository is deleted at scan end.
• Cleartext IP addresses. Only a salted hash is retained, and only where required for audit (warning acknowledgments, abuse prevention).
• Payment card numbers. Card data lives entirely in Stripe; Itstabyl never sees it.

Self-service deletion

Account holders can request erasure from the Settings page. The dashboard exposes a single self-service deletion path that:

1. Deletes the user row, cascading via foreign-key constraints to all scans, pipeline outputs, warning acknowledgments, and feedback rows.
2. Revokes the Clerk session and removes the Clerk user record.
3. Cancels any active Stripe subscription (immediately or at period end, per the customer's choice).
4. Returns a confirmation receipt with a deletion-id the customer can reference if they need to corroborate the request later.

Deletion completes synchronously within the request lifecycle when all third-party dependencies are healthy. On vendor-breaker-open conditions the request returns HTTP 503 with a Retry-After hint; the deletion is queued and re-attempted automatically.

GDPR & UK data subject rights

Itstabyl honours the rights granted by the UK GDPR / Data Protection Act 2018 and EU GDPR:

• Article 15 — Right of access: export your account data via the Settings page.
• Article 16 — Right to rectification: update your email and profile data via the Settings page.
• Article 17 — Right to erasure: the deletion path above.
• Article 18 — Right to restriction: contact support.
• Article 20 — Right to portability: export available in JSON; CSV exports for scan results are available from each report page.
• Article 21 — Right to object: contact support.

Where Itstabyl receives a verifiable request via support email, the controller will respond within 30 calendar days as required by UK GDPR Art. 12(3).

Sub-processors

Itstabyl uses the following sub-processors. Their own retention policies apply in addition to those above:

| Sub-processor | Purpose | Region (default) | | ------------- | -------------------------------- | ---------------- | | Clerk | Authentication & session storage | US | | Stripe | Payments & invoicing | US / EU | | Resend | Transactional email delivery | EU | | Sentry | Error monitoring | EU | | Managed Postgres provider | Primary database | EU (planned) |

The database region is being finalised in operator follow-up VAR-006; non-EU customers may be assigned a US-region database with explicit disclosure on sign-up.

Contact

For data-protection enquiries, including access requests and erasure disputes, email the support address shown on the Settings page. Identifiable requests must be made from the email on the account or accompanied by sufficient evidence to verify identity.