Data Retention Summary
Version effective as of 2026-04-14. A plain-language overview of how long content is kept in CleverContracts.
CleverContracts treats messages and attachments as working conversation artifacts with automatic expiry, and approvals, receipts, and scope versions as the durable record surfaces that persist longer.
This balances dispute-resistance with privacy, storage limitation, and data minimization. Endless chat archives are not the durable truth of the workflow — the explicit decisions and agreements are.
| Data category | Retention period | What happens |
|---|---|---|
| Message content (body) | 18 months from creation | Body is redacted; a placeholder is shown in context |
| File attachments | 6 months from upload | File is deleted from storage; metadata placeholder is retained |
| Client notes (body) | 18 months from creation | Body is redacted; placeholder retained |
| AI diagnostic events | 30 days | Automatically expire (content-free metadata only) |
| OTP codes | 10 minutes | Automatically expire after use or timeout |
| Portal sessions | 30 days | Session expires; re-verification required |
| Freelancer sessions | 14 days | Session cookie expires; re-login required |
| Rate-limit counters | Minutes to hours | Automatically expire in Redis |
| Scope versions and approval receipts | Duration of engagement | Durable record — persists until engagement or account deletion |
| Change items and decision receipts | Duration of engagement | Durable record — persists until engagement or account deletion |
| Engagement metadata | Duration of workspace | Deleted when engagement or account is deleted |
| Time entries | Duration of workspace | Deleted when engagement or account is deleted |
| Templates and clause library | Duration of workspace | Deleted when account is deleted |
| Freelancer account data | Duration of account | Deleted via account deletion flow |
| Client contact records | Duration of workspace | Deleted when account is deleted |
| Billing and accounting data | 10 years | Required by Swiss law (OR Art. 958f); minimal record retained after account deletion |
When content expires, it does not silently disappear. Instead:
- Messages: the body text is removed and replaced with a clear “Expired” placeholder. The message metadata (author, timestamp, type) remains visible in context.
- Attachments: the file is deleted from storage and becomes unavailable for download. The attachment metadata (file name, size, type) remains visible as a placeholder.
- Client notes: the note body is removed and replaced with a placeholder. The note metadata remains.
Expiry applies even if an engagement is still active — data minimization remains true regardless of engagement status.
The following records are designed to be the long-term proof surfaces and do not auto-expire:
- Approved scope versions: immutable snapshots of the scope/terms at the time of approval, including the client's typed name confirmation, decision, and timestamp
- Decision receipts: records of every approval or decline for scope versions and change requests
- Change items: the full change proposal and decision history
The portal and application continue to show the latest scope/terms and decision receipts even as message content expires. This ensures the “what was agreed” question always has an answer.
Account deletion
When you delete your account, all workspace data is deleted promptly — including all engagements, messages, files, templates, client records, and notes. Client portal access is revoked immediately. Firebase Auth credentials are removed.
A minimal billing record (Stripe customer ID, subscription metadata, plan information) is retained for up to 10 years as required by Swiss accounting law. This record contains no engagement content, messages, or scope text.
Engagement deletion
When you delete an individual engagement, all associated data is deleted (messages, files metadata, scope versions, changes, time entries). Client portal access for that engagement is revoked immediately.
Export before deletion
We recommend exporting any data you need (receipts, snapshots, timesheets) before deleting an engagement or your account. Deletion is irreversible.