Retention and Deletion

Last updated: 2026-04-30

This page sets out exactly how long we keep each category of data, what happens after you cancel, how to ask us to delete your data sooner, and how to export everything we hold about you. The retention numbers on this page are the same numbers used in our Privacy Policy and Terms of Service; they all derive from a single internal source-of-truth document.

CalProof is a trading name of Crocker Digital Ltd, registered in England and Wales under Company No. 17008789. The contact for any retention or deletion enquiry is privacy@calproof.co.uk.

1. Active subscriptions

While your subscription is active, we keep the following data for as long as you keep your account open:

  • account profile (email, name);
  • calibration data (instruments, calibrations, out-of-tolerance workflows, UKAS templates);
  • certificate PDFs in our certificates storage bucket;
  • the append-only audit log of administrative actions;
  • billing records (invoices, payment metadata).

We also keep small amounts of operational data on shorter cycles: email-delivery logs for 90 days rolling, Sentry events for 90 days, Netlify request logs for 7 days, and anonymous GoatCounter page-view counts indefinitely.

2. Cancellation grace

When you cancel your subscription — either through Stripe's customer.subscription.deleted webhook or through the in-app cancel-account form — we set a cancellation timestamp on your organisation. Your data then enters a 30-day grace state.

During the grace period:

  • the account is read-only: you cannot create or edit records, but you can sign in to review them;
  • the Export Everything button remains available so you can take a copy of your calibration data and certificate PDFs;
  • a reminder email is sent on day 23, eight days before hard delete, to flag the deadline and the export link;
  • you can reactivate the subscription with a single click in the billing area; reactivation cancels the grace timer and restores normal access.

3. Hard delete at day 31

A scheduled function (scheduled_purge_cancelled_orgs) runs daily at 04:00 UTC. On the first run after cancelled_at is older than 30 days, it permanently deletes:

  • the organisation profile;
  • all calibration data attached to the organisation;
  • all certificate PDFs in the storage bucket prefixed by the organisation's UUID.

Deletion is permanent and cannot be reversed. There is one exception: the audit log, which is treated under a UK GDPR retention exception described in section 4.

Billing records are not deleted at day 31. We are required to keep invoice and tax records for 7 years from the invoice date under the UK Companies Act 2006 §388 and HMRC retention rules. Billing records are stored separately from calibration data and contain only the information needed to evidence the transaction.

4. Audit log GDPR retention exception

The audit log is the one category of data we retain beyond the 30-day post-cancellation window. The disclosure below applies in full and is repeated verbatim in our Privacy Policy §3 and Terms §6, and on the signup form:

"To meet UK ISO 9001 / ISO 17025 record-retention obligations and to support compliance audit cycles, your organisation's audit log is retained for 7 years from the date of your last activity, even if you cancel your subscription. This is the only category of data we retain beyond the 30-day post-cancellation window. All other data (profile, calibration data, certificates) is permanently deleted at day 31. You can request earlier deletion of the audit log by contacting privacy@calproof.co.uk; we will honour the request unless a regulatory hold applies."

In practice the audit log holds timestamped, append-only records of administrative actions — sign-ins, record creates and updates, billing changes — and does not contain calibration data, certificate content, or the body of any record beyond the action type and the affected row identifier. A quarterly scheduled function (scheduled_purge_audit_log_after_7y) hard-deletes audit-log rows older than 7 years from created_at.

5. Account-deletion request flow

There are two routes to deletion. Pick the one that matches what you need to delete.

5a. Cancel your subscription (org-data flow)

To wind down the workspace itself — instruments, calibrations, certificates — cancel your subscription from the billing area. Cancellation starts the 30-day grace described in section 2 and triggers the day-31 hard delete described in section 3. The audit log is retained per section 4. This is the route to use if you are leaving CalProof and need the org-owned data to be gone.

5b. Delete your auth account (personal-data flow)

To delete your personal auth record (email, name, signup metadata) immediately, use /app/account/delete/ while signed in:

  1. Go to /app/account/delete/.
  2. Type the confirmation phrase to enable the destructive button.
  3. We immediately remove your auth.users row, soft-delete your profile (email + name scrubbed), remove you from all org memberships, anonymise your account-state metadata, and delete your personal email-log entries.
  4. We write an audit-log entry per organisation you belonged to so the action is traceable.

The expedited route deletes you only — it does not cancel an active subscription or delete the organisation's calibration data. If you are the sole owner of an organisation and want both to disappear together, run 5a (cancel subscription) and then 5b (delete auth account); the standard 30-day grace runs in parallel with your account being gone.

If you cannot sign in, email privacy@calproof.co.uk from the address registered on the account and we will verify the request manually before processing.

The audit log is excluded from the expedited route by default, in line with section 4. You can ask us to delete it earlier in the same email; we will honour the request unless a regulatory hold (such as an open ISO surveillance audit involving your organisation) applies.

6. Export request flow

You can export every record we hold about you at any time. There are two exports — pick whichever matches the data you need.

6a. Personal-data export (every signed-in user)

  1. Go to /app/account/export/ while signed in.
  2. Click "Download JSON archive". The export contains your profile, account-state metadata, org memberships, feedback, and cancellation history — every row tagged to your user_id.

This export is available to every signed-in user, regardless of plan or subscription state.

6b. Workspace-data export (org owners)

  1. Go to /app/export/ while signed in as an org owner.
  2. We generate a ZIP bundle containing the equipment register, calibrations, OOT events, certificate PDFs, audit log, and audit-report PDFs — every row tagged to your org_id.
  3. For organisations with up to 500 instruments and up to 500 certificates, the archive is produced synchronously and downloads in your browser. Larger organisations queue the export in generated_export_jobs and we email a signed URL when it is ready (link valid 7 days).

The workspace export is bundled with the Pro tier during normal operation. Compliance bypass: if your subscription has been cancelled, has lapsed (past-due-no-grace), or your trial has expired, the workspace export becomes available regardless of plan tier so you can take your data with you. The bypass is rate-limited to one request per 24 hours.

In all cases the export is generated within 7 days of the request, in line with UK GDPR Article 15. If you cannot sign in, email privacy@calproof.co.uk and we will fulfil a Data Subject Access Request within the same window after verifying your identity.

7. Sub-processor data deletion timing

When we delete data on our side, we also instruct our sub-processors to delete the corresponding data they hold. Timings vary slightly by provider:

  • Supabase — Postgres rows and storage objects are deleted at day 31 along with our scheduled purge. Backup snapshots roll off in line with Supabase's standard backup retention.
  • Stripe — billing records are retained for 7 years from invoice date; on hard deletion of an account, we anonymise the customer record where possible while keeping the legally required invoice trail.
  • Resend — transactional email content and deliverability metadata are aged out on the 90-day rolling window described in section 1.
  • Microsoft 365 — inbound support emails are retained on the standard mailbox retention cycle and are deleted on a rolling basis once a support thread is closed.
  • Sentry — error events are deleted on Sentry's 90-day default retention.
  • Cloudflare Turnstile — IP and header data is transient and is not retained beyond the bot-check itself.
  • Netlify — request logs roll off on a 7-day window.
  • GoatCounter — events are anonymous; no per-user deletion is required.
  • Upstash Redis — rate-limit counters are keyed on hashed identifiers and expire on their own TTL within minutes.

If you have a deletion request that is not covered by the routes above, email privacy@calproof.co.uk and we will help.