This page documents the retention schedule and deletion policy for data collected by Aletheia Customer Voice. The baseline schedule — 90 days standard, 180 days extended — applies across all plan tiers as defined in the Customer Voice data governance policy.
This document describes the technical retention implementation. It does not constitute legal advice. Consult qualified legal counsel for your specific obligations under GDPR or other applicable data-protection regulations.
Retention periods
| Data category | Standard retention | Extended retention |
|---|
| Feedback responses | 90 days | 180 days |
| Session identifiers | 90 days | 180 days |
| Agent context snapshots | 90 days | 180 days |
| Submission metadata | 90 days | 180 days |
| Deletion audit records | Indefinite | Indefinite |
Standard retention (90 days) applies to Free, Starter, and Pro plans. Extended retention (180 days) is available on Pro (opt-in) and is the default on Enterprise. The retention clock starts from the submission timestamp (submitted_at).
Deletion audit records are the tombstone entries created when a record is deleted. They contain no feedback content — see Deletion phases below.
Deletion phases
When a Customer Voice record reaches its retention boundary, or when an operator issues an early deletion request, it passes through the following cascade:
| Phase | Timing | What happens |
|---|
| Expiry / request | At submitted_at + retention_days, or on demand | Record flagged for deletion |
| Hard delete | Within 24 hours of scheduled expiry; within 5 minutes (p99) for on-request | Feedback response, session identifier, and agent context snapshot permanently deleted from primary database |
| Cache clear | Within 24 hours | Cloudflare KV entries for the record cleared |
| Tombstone written | Simultaneously with hard delete | Deletion audit record written: record ID, deletion timestamp, org ID, and deletion reason. No feedback content. |
Tombstone records are retained indefinitely as the Article 30 record of processing. They confirm that erasure was performed without retaining what was erased.
On-request deletion (early)
Operators may delete Customer Voice data before its scheduled expiry. These org-scoped operator endpoints authenticate with a bearer token — the same scheme as the GDPR deletion cascade. The request shapes are shown below.
Delete all Customer Voice submissions for an org:
DELETE /v1/orgs/{org_id}/customer-voice
Authorization: Bearer $TOKEN
Delete a single submission:
DELETE /v1/orgs/{org_id}/customer-voice/{submission_id}
Authorization: Bearer $TOKEN
Both endpoints return 202 Accepted. The deletion cascade completes within 5 minutes (p99).
Configuring retention
Retention is managed through the org-scoped Customer Voice settings endpoint, which authenticates with a bearer token.
Check the current retention setting for an org:
GET /v1/orgs/{org_id}/customer-voice/settings
Authorization: Bearer $TOKEN
Set extended retention (Pro opt-in / Enterprise):
PATCH /v1/orgs/{org_id}/customer-voice/settings
Authorization: Bearer $TOKEN
Content-Type: application/json
{"retention_days": 180}
Restore standard retention:
PATCH /v1/orgs/{org_id}/customer-voice/settings
Authorization: Bearer $TOKEN
Content-Type: application/json
{"retention_days": 90}
Reducing retention_days from 180 to 90 schedules immediate deletion of all records older than 90 days. The next scheduled deletion run (within 24 hours) will permanently remove those records. This action is irreversible.
Audit trail
Every deletion — scheduled or on-request — is recorded in the org governance audit log:
| Audit field | Value |
|---|
event_type | customer_voice.record_deleted (single) or customer_voice.bulk_deleted (org-wide) |
submission_id | The deleted record’s ID (omitted for bulk) |
record_count | Number of records deleted (bulk only) |
deletion_reason | retention_expiry, operator_request, or subject_request |
org_id | The org that owned the records |
deleted_at | ISO 8601 timestamp |
Query the audit log:
curl -H "Authorization: Bearer $TOKEN" \
"https://api.mnemom.ai/v1/orgs/{org_id}/audit-log?event_type=customer_voice.record_deleted"
The audit log entry serves as the GDPR Article 30 record of processing for the deletion and is available to data protection officers conducting compliance reviews.
Plan availability
| Plan | retention_days default | Maximum | Configurable |
|---|
| Free | 90 | 90 | No |
| Starter | 90 | 90 | No |
| Pro | 90 | 180 | Yes (opt-in) |
| Enterprise | 180 | 180 | Yes (can be reduced to 90) |