Data Retention & Deletion Policy
How we store, retain, and permanently delete your data.
Last updated: April 13, 2026
This page describes exactly what ServiceAlert.ai stores about you, how long we keep it, how to delete it, and how to exercise your rights under GDPR, CCPA, and other privacy regulations. We try to be concrete rather than vague — every category below maps to a specific database table or system.
What we store about you
When you sign up for ServiceAlert.ai, we store the minimum necessary to operate your account and deliver the features you configure:
| Data category | Purpose | Retention |
|---|---|---|
| Account identity (email, name, company) | Authentication and support | Until account deletion |
| Uptime monitor configurations | Running the checks you configure | Until you delete the monitor or your account |
| Monitor check results (response times, status codes, SSL cert data) | Dashboard graphs, SLA reports, incident history | Personal: 90 days · Pro/Business: 90 days · Enterprise: 1 year |
| Brand monitor configurations | Typosquat and phishing scans for domains you protect | Until you delete the brand or your account |
| Brand findings (typosquats, dark web mentions, etc.) | Security Dashboard, alerts, takedown evidence | Until you delete the brand or your account |
| Alert history (emails sent, Slack/Teams posts, webhooks fired) | Debugging alert delivery, cooldown tracking | 90 days |
| Certificate inventory & compliance snapshots | Expiry alerts, policy compliance reports | Until you delete the cert or your account |
| Incident history (declared incidents, post-mortems, timelines) | Metrics dashboard, public status page history | Until you delete the incident or your account |
| API keys & push subscriptions | Programmatic access, browser push notifications | Until revoked or account deleted |
| Billing records (Stripe customer ID, plan history) | Processing subscription payments | 7 years (legal/tax retention) |
What we do NOT store
- Passwords (authentication is handled by Auth0; we never see your password)
- Full credit card details (Stripe tokenizes payment methods; we only see the last 4 digits)
- Content of your monitored websites (we only store status codes, response times, and SSL metadata — never the page body)
- Personal data of anyone you don't explicitly add (no automated contact scraping)
How to delete your data
Option 1: Delete individual items
You can delete individual monitors, brand monitors, certificates, API keys, and incidents at any time from the respective section of your dashboard. These deletions take effect immediately and remove all associated check history, findings, and alert logs.
Option 2: Delete your entire account
From Settings → Account → Danger Zone, click "Delete my account" and confirm by typing DELETE MY ACCOUNT. This is immediate and cannot be reversed.
When you delete your account, we purge all of the following in a single transaction:
- All uptime monitors, brand monitors, and certificate endpoints
- All check results, scan history, typosquat findings, and threat intel data
- All incidents, post-mortems, responders, and templates you've created
- All API keys, push subscriptions, status pages, and alert configurations
- All alert log history (email, Slack, Teams, Discord, webhooks, PagerDuty, Opsgenie)
- All audit logs of actions you performed
- Your Auth0 login — you will no longer be able to sign in
The deletion cascade covers ~60 database tables and runs as an atomic PostgreSQL transaction. If any part of the cascade fails, nothing is deleted and you will see an error. On success, you are signed out and redirected to the homepage.
Backups
We run automated PostgreSQL backups daily for disaster recovery. Backups are:
- Encrypted at rest
- Stored for a maximum of 7 days before automatic rotation
- Access-controlled — only used for disaster recovery, never read for operational or analytical purposes
When you delete data (an account or individual items), the deletion takes effect immediately in the live database. However, the deleted data may persist in backups until those backups are rotated out of storage. This is a standard pattern for all SaaS products — a 30-day retention window balances disaster recovery needs with your right to erasure. No data that you have deleted is ever restored from backup into the live system unless you explicitly request it during a disaster-recovery scenario.
Your rights under GDPR, CCPA, and other regulations
Right to access
You can view all data we hold about you at any time by logging in and browsing your dashboard, settings, and monitor detail pages. If you want a machine-readable export of everything we have, email privacy@servicealert.ai with "Data export request" in the subject line. We will respond within 7 days.
Right to erasure (right to be forgotten)
Use the self-service deletion from Settings — it immediately purges your data from the live database. Backup retention is capped at 7 days as described above. If you need faster backup purging for a specific legal reason, email privacy@servicealert.ai.
Right to rectification
Edit your profile from Settings → Profile Information. For corrections that aren't self-serviceable, email privacy@servicealert.ai.
Right to portability
All of your uptime check data and brand findings can be exported as CSV from the respective dashboards. For a full account export in JSON format, email privacy@servicealert.ai.
Right to object to processing
If you object to specific processing (e.g., you don't want us to run typosquat scans against your brand), you can delete the relevant item from your dashboard. If you need to object to a class of processing we don't offer granular controls for, email privacy@servicealert.ai.
Data processing locations
All ServiceAlert.ai data is stored on Azure infrastructure. Database and application servers are located in the US East (Virginia) region. We use third-party processors for specific features:
- Auth0 — authentication and identity management
- Postmark — transactional email delivery
- Stripe — payment processing
- Twilio — SMS alert delivery (only if you enable SMS alerts)
- Anthropic Claude — AI incident post-mortem generation (only if you use the feature; timeline data is sent, not your password or API keys)
- Shodan InternetDB — passive vulnerability lookups (we send IPs/hostnames, no personal data)
Questions or requests
Email privacy@servicealert.ai for any question about data handling, retention, deletion, or your privacy rights. We respond within 5 business days and fulfill formal requests (access, erasure, portability) within 7 days.
This policy supersedes any prior data-retention guidance. Material changes will be announced on the changelog and reflected in the "Last updated" date at the top of this page.