1. Purpose
This document describes how Scribie retains and deletes customer data. It is intended to give the legal team a clear, up-to-date view of our retention practices and how those practices map to our SOC 2 Type II.
2. Guiding Principle
Scribie does not automatically delete customer data. Deletion only occurs when the account holder initiates an account deletion request. While the account is active, customer data is preserved so customers can continue to access, re-download, and re-use their files and transcripts.
When a deletion request is submitted, the account enters a 7-day grace period during which the request can be cancelled by the customer, or by an admin on the customer's request. We send the customer a confirmation email when deletion is initiated, and a second email once the actual deletion has been processed after the grace period. After the grace period (or on admin-forced deletion), data is anonymized or permanently removed across primary systems and propagates through backups within the timelines described below. Records that we are legally required to retain (e.g., invoices) are kept in anonymized form, linked only to an internal numeric user ID.
3. What We Retain and What We Delete
Deletion is customer-initiated. The table below summarizes, by data category, what is permanently removed when a deletion request is processed and what is retained afterwards in masked or anonymized form. Anything retained is keyed to an internal numeric user ID, not to the customer's original email or name.
| Data Category | What We Retain (post-deletion) | What We Delete on Request |
|---|---|---|
| Account & Profile Data | The account shell is retained, keyed by an internal numeric user ID. The email address is replaced with a masked placeholder (deleted_{userId}@deleted.scribie.com); name and other profile fields are nulled. A SHA-256 hash of the original email is kept on the deletion certificate. | Original email, name, profile preferences, API keys, and all other personally identifiable account fields are permanently removed. |
| Audio & Video Files | No customer media is retained. | All uploaded audio and video files are permanently removed from primary storage and from S3, and overwritten from backups within the standard backup cycle. |
| Transcripts & Derived Outputs | No transcripts or derived outputs are retained. | Transcripts, edits, exports, and all derived outputs are permanently deleted. |
| Billing & Invoices | Anonymized invoice and order records are retained for 7 years to meet statutory financial and tax obligations. Free-text fields (instructions, comments) are nulled, invoices are linked only to the internal user ID, and invoice PDFs are regenerated to remove customer PII. | Customer-identifying information on invoices (name, original email, free-text notes) is removed; original (PII-bearing) invoice PDFs are replaced with regenerated, anonymized versions. |
| Email Communications | Transactional and support emails are sent via AWS SES and are not stored in Scribie's database. Delivery records held by SES persist according to AWS's retention. | Nothing to delete within Scribie's systems, as no email content is stored. |
| System & Security Logs | Audit log entries are retained for SOC 2 evidence purposes, with IP address and user-agent scrubbed for actions belonging to the deleted user. | IP addresses, user-agents, and other personal identifiers on the deleted user's audit records are scrubbed. |
| Deletion Certificate | A deletion certificate is retained for 7 years, containing the internal user ID, deletion timestamp, retention expiry date, anonymized counts of records affected, and a SHA-256 hash of the original email (used only to verify a future re-request). | Not applicable — the certificate is generated by the deletion process itself. |
| Backups | Encrypted backups follow a rolling 30-day cycle. Deleted data is overwritten as the backup cycle rotates. | Customer data is overwritten from encrypted backups within 30 days of the primary deletion. |
4. Deletion Timelines
- Request submitted: Account status is set to PENDING_DELETION immediately; the account enters a 7-day grace period during which the customer can cancel.
- Primary deletion: After the 7-day grace period (or on admin force), the email is masked to deleted_{userId}@deleted.scribie.com, the name is set to "Deleted User", remaining PII is nulled, and uploads, transcripts, and API keys are removed from the database and S3.
- Invoice anonymization: Free-text fields on invoices and orders are nulled, and paid/billed invoice PDFs are regenerated to remove customer PII.
- Backup propagation: Deleted data is overwritten from encrypted backups within 30 days, in line with our 30-day rolling backup cycle.
- Statutory retention: Anonymized invoices, orders, and the deletion certificate are retained for 7 years to meet financial and tax obligations.
- Hard delete at expiry: On expiry of the 7-year retention window, the remaining anonymized records and the user shell are permanently removed.
5. Data Subject Deletion Request Timelines
Where a deletion request is made, Scribie completes primary deletion immediately after the 7-day grace period — that is, on the 7th day following the request, or sooner if an admin forces deletion at the customer's request.