Data Retention Policy
Last Updated: January 2026
1. Overview
FileFlow is committed to retaining personal data only as long as necessary to provide our services and meet legal obligations. This Data Retention Policy explains how long we keep different types of data and our deletion processes.
This policy complies with GDPR, CCPA, and other applicable data protection regulations.
2. Data Retention Periods
The following table outlines our retention periods for different data types:
| Data Type | Retention Period | Reason |
|---|---|---|
| Download Analytics: IP addresses (hashed), user agent, device info, timestamps | 90 days | Provide merchants with usage insights and download trends |
| Order Records: Customer email, name, order numbers | Subscription duration | Required for order fulfillment and customer support |
| Uploaded Files: Digital products stored in cloud | Merchant-controlled | Merchants can delete files at any time; all files deleted upon app uninstallation |
| Customer Emails: Email addresses from orders | Linked to orders | Required for email delivery; deleted when order is deleted |
| Session Tokens: OAuth access tokens | 30 days (or until refresh) | Authentication and API access |
| Encrypted Backups: Database and file backups | 30 days | Disaster recovery and data loss prevention |
| Uninstalled Shop Data: All shop data after app uninstallation | 48 hours | GDPR compliance (grace period for accidental uninstalls) |
3. Automatic Deletion Processes
3.1 Analytics Data (90 Days)
Download analytics records older than 90 days are periodically reviewed and can be deleted upon request. This ensures we provide valuable insights without indefinitely retaining customer activity data.
3.2 App Uninstallation (48 Hours)
When a merchant uninstalls FileFlow:
- All files are deleted from cloud storage (Cloudflare R2)
- All database records are removed (orders, analytics, settings)
- Process completes within 48 hours of uninstallation
- Backups are purged within 30 days
3.3 Backup Rotation (30 Days)
Encrypted backups are retained for 30 days for disaster recovery purposes, then permanently deleted. Backup retention follows the same retention rules as primary data.
4. Manual Deletion Requests
4.1 Customer Data Requests
Customers can request deletion of their personal data by contacting:
- The merchant (store owner) directly
- FileFlow support at vellir.tech@gmail.com
We will process deletion requests within 30 days in accordance with GDPR requirements.
4.2 Merchant Data Requests
Merchants can delete their data at any time by:
- Deleting individual files through the FileFlow dashboard
- Deleting orders through the dashboard
- Uninstalling the app (deletes all data)
5. Legal Retention Requirements
In certain circumstances, we may be required to retain data for longer periods due to:
- Legal or regulatory obligations
- Ongoing legal proceedings or investigations
- Tax or accounting requirements
- Fraud prevention and security
When legal requirements conflict with retention policies, we will retain data only as long as legally required and notify affected parties when possible.
6. Data Anonymization
For analytics data that must be retained for business purposes, we may anonymize personal identifiers while preserving aggregate statistics. Anonymized data:
- Cannot be linked back to individual customers
- Uses hashed identifiers instead of real data
- May be retained beyond standard retention periods
7. Secure Deletion Methods
When data is deleted, we employ the following methods:
- Files: Permanent deletion from cloud storage (Cloudflare R2)
- Database Records: Hard deletion from PostgreSQL (not just soft deletion)
- Backups: Complete removal from backup systems
- Encryption Keys: Destruction of encryption keys for encrypted data
Deleted data cannot be recovered once the deletion process is complete.
8. Retention Policy Updates
We may update this Data Retention Policy to reflect changes in legal requirements, business practices, or service improvements. Updates will be posted on this page with a revised "Last Updated" date.
Material changes will be communicated to merchants via email or in-app notifications.
9. Contact Information
If you have questions about our data retention practices or want to request deletion of your data, please contact us: