Data Retention
Last updated: 25 June 2026 · Principle: keep personal data only as long as needed for the purpose it was collected, then delete or irreversibly anonymise.
Schedule
| Data category | Retention | On account closure / erasure |
|---|---|---|
| Account profile (handle, name, bio, avatar) | While the account is open | Deleted |
| Published reviews & ratings | While the account is open, or until you delete them | Removed or irreversibly anonymised — see below |
| Drafts (unpublished reviews) | 90 days of inactivity, then auto-purged | Deleted |
| Social actions (follows, collections, quick-rates) | While the account is open | Deleted |
| Take-away distance snapshot | With the review | Deleted/anonymised with the review |
| Moderation audit log | 12 months — abuse-handling and accountability | Retained (legitimate interest), minimised to the action and actor, never your content |
| Operational/security logs | 30–90 days | Aged out automatically |
| Machine-translation cache | Until the source review changes or is deleted | Deleted with the review |
| Backups | rolling 30 days | Purged on the backup cycle after erasure |
Reviews on account closure: delete vs. anonymise
We default to irreversible anonymisation of published reviews (detaching them from your identity), to preserve the integrity of the public review corpus. The legal basis for keeping the anonymised corpus is our legitimate interest (not the account contract, which has ended). Anonymisation is only valid if it is genuinely irreversible — so where a review contains self-identifying details that cannot be removed, we delete it instead. You can also request full deletion of your review content.
Moderation log
A minimal moderation record (the action taken and the moderator who took it, never the reviewed content) may be kept for up to 12 months after a user is erased, for abuse-handling and the establishment/defence of legal claims.
Erasure is implemented
Closing your account triggers a real deletion of your personal data, backed by the database's cascade rules — the GDPR right to erasure is built in, not aspirational.