Data Retention Policy

Last updated: 25 April 2026. Complements the Privacy Policy.

This policy specifies how long NORĴI Ltd retains each type of data and when it is deleted. We delete data we no longer need. Where UK law requires us to keep something (e.g. tax records for 7 years), that law takes precedence.

Retention schedule

Data type	Retention period	Deletion trigger
Active customer data (account profile: name, email, handle, tier; memories; embeddings; draft history)	Retained while subscription active	Account closure or /wrap initiates deletion
Deleted customer data (post /wrap or post account closure)	Purged 30 days after account closure	30-day grace window for accidental-closure recovery; after that the deletion is irreversible (except statutory items below)
Raw email content (emails NORĴI reads from Gmail / Outlook)	≤ 30 days	Rolling — summarised into memory then discarded within 30 days
Memories + embeddings	Life of account	Account closure OR user-initiated memory-delete command
Calendar events read	≤ 30 days	Rolling — retained only while NORĴI is actively acting on them
CRM data read (Reapit, Salesforce)	≤ 30 days	Rolling — cached only for active draft generation
Draft actions (Decision Cards, including pending, approved, rejected)	Life of account	Account closure
Audit log (every action taken on your behalf; engineer access to production data)	2 years from event	Rolling 2-year window for security and compliance investigation; entries past 2 years auto-purged unless a specific entry is held under legal obligation
Email send log (outbound emails sent through NORĴI)	Life of account + 12 months	For delivery dispute resolution
Workflow instances + touchpoints (commission chases, compliance tracking, etc.)	Life of account	Account closure
OAuth access tokens	Until disconnection	Deleted immediately on integration disconnect OR account closure (no grace window — tokens are an active credential)
OAuth refresh tokens	Until disconnection	Deleted immediately on integration disconnect OR account closure (same as access tokens)
Stripe customer ID	7 years	HMRC requirement for financial records
Invoice / billing records	7 years	HMRC requirement
Diagnostic / error logs (Sentry, Railway logs)	30 days	Rolling auto-purge
Access logs (web server: IP, route, timestamp)	30 days	Rolling auto-purge
Database backups	30 days rolling	Oldest backup removed when new one created past 30-day window
Images generated (via The Operator image tools)	90 days	Unless referenced in audit log (then kept while reference exists)
Prospects (non-customer business contacts surfaced for outreach)	12 months from last meaningful activity	Auto-deleted at the 12-month mark if no engagement (no reply, no opens of two consecutive emails); explicit objection (privacy@norji.co.uk) or /stop-emailing triggers immediate removal plus permanent suppression-list entry
Suppression list (do-not-contact addresses)	Permanent	Never — deleting would risk re-mailing an unsubscribed address

Deletion triggers

Account closure — the user requests deletion, either via the bot, via the web, or by emailing privacy@norji.co.uk. A 30-day grace window allows accidental-closure recovery; after that the deletion is irreversible except for items with a statutory retention period (billing records).
GDPR erasure request — processed within 30 days. Items with a statutory retention period are excluded from the deletion and we tell you which.
Automated /wrap process — long-inactive accounts (defined in product policy) are wrapped and deleted on schedule. Users are warned 30 days before wrap and can cancel.
Integration disconnect — OAuth tokens for the disconnected provider are deleted immediately.

Data sub-processors

Sub-processor retention is governed by their own agreements. See the Privacy Policy for the full list.