Data Retention & Deletion Policy

Last updated: March 2026

1. Purpose

This policy defines how long personal data is retained on the Pikaboo platform and how it is deleted. Pikaboo Enterprises follows the principle of storage limitation - personal data is kept only for as long as necessary for its stated purpose.

2. Retention Schedule

2.1 Stored Data

Data	Storage	Retention Period	Deletion Method
Username	Upstash Redis (EU)	Until removed by tenant admin	Admin panel or Redis command
TOTP secret (confirmed)	Upstash Redis (EU)	Until admin resets or removes user	Admin panel (Reset TOTP / Remove User)
TOTP secret (pending)	Upstash Redis (EU)	Until confirmed by first valid code, or until admin removes user	Overwritten on confirmation, or deleted with user
Last TOTP time step	Upstash Redis (EU)	Overwritten on each successful login	Deleted when user is removed
Session token	Upstash Redis (EU)	30 minutes (auto-expiry via Redis TTL)	Automatic

2.2 Transient Data (Not Persisted)

Data	Location	Retention Period	Notes
IP addresses (rate limiting)	Server memory (RAM)	60 seconds (rate limit window)	In-memory Map, pruned automatically. Never written to disk or database.
Room state (group calls)	Server memory (RAM)	Duration of the call	In-memory Map, cleaned up on disconnect.
Chat messages	Browser memory (RAM)	Duration of the page session	Peer-to-peer via WebRTC. Never sent to server. Lost on page close.
Call audio/video	Browser to Browser	Real-time only	Peer-to-peer. Never touches server. Not recorded.
Live captions	Browser memory (RAM)	Duration of the call	Generated on-device via Sherpa-ONNX. No audio sent externally.

2.3 Infrastructure Data

Data	Location	Retention Period	Notes
Docker container logs	VPS disk	Until container is removed or logs rotated	May contain HTTP request logs (paths, status codes). Can be disabled.
Caddy access logs	VPS disk (if enabled)	Default: disabled	Not enabled by default.

3. Data Deletion Procedures

3.1 Deleting a Single User

A tenant admin can delete a user via the admin panel. This immediately removes:

Username from the authorised users list
TOTP secret (confirmed and pending)
Last TOTP time step

Active sessions for the deleted user will expire naturally within 30 minutes.

3.2 Deleting an Entire Tenant

To remove all data for a tenant, the following steps are performed:

Stop and remove the Docker container
Remove tenant files from the VPS
Remove the Caddy route and reload configuration
Delete all Redis keys with the tenant's prefix

3.3 Responding to Data Subject Erasure Requests

When a data subject requests erasure (GDPR Article 17):

Identify the tenant the user belongs to.
Instruct the tenant admin to remove the user via the admin panel, or perform the deletion directly if the admin is unavailable.
Confirm deletion to the data subject within 30 days.

Because we store minimal data (username + TOTP secret only), erasure is straightforward and complete.

3.4 On Service Termination

When a Client terminates their use of Pikaboo:

The tenant's Docker container is stopped and removed.
The tenant's configuration and files are deleted from the VPS.
All Redis keys with the tenant's prefix are deleted.
The Caddy route is removed.
Written confirmation of deletion is provided to the Client upon request.

Timeline: All data deleted within 30 days of termination.

4. Data We Never Need to Delete

The following data is never stored, so no deletion is required:

Call audio and video
Chat messages
Live caption text
Call metadata (participants, duration, timestamps)
Email addresses, phone numbers, or real names
Cookies or tracking identifiers

5. Backups

Pikaboo Enterprises does not maintain backups of tenant data. Upstash may maintain internal backups as part of their infrastructure - see their privacy policy for details.

This means deletion is immediate and permanent. There are no backup copies to purge.

6. Review

This policy is reviewed annually or when significant changes are made to data processing activities.

Contact: privacy@pikaboo.app