All legal documents
Legal & Compliance
Data Retention Schedule
Version1.0UpdatedJun 15, 2026Reading time8 min read
1. Purpose
This Data Retention Schedule sets out, in one place, how long FLOW FN PTE. LTD. (UEN 202617303Z, Singapore) ("FlowFn", "we") keeps each category of personal data and the legal basis for that retention period. It supplements our Privacy Policy and the retention summaries in our DPA, GDPR Compliance Statement, CCPA Compliance Statement, and PDPA Compliance Statement. Where a specific contract, court order, or legal-hold instruction overrides this schedule for a particular record, that override takes precedence.
2. Account and Profile Data
Records: name, email, hashed password, country (optional), age-confirmation attestation (boolean only — we do not store date of birth), authentication factors, role memberships, preferences. Active retention: for the life of your account. Post-termination: deleted within 30 days of account closure (immediate when you submit a verified deletion request via /legal/data-request, except for records that fall into the categories below).
3. Customer Content (Workflows, Forms, Playgrounds, Data Sheets, Files, AI Outputs)
Records: workflows, workflow runs, form submissions, Playground source code (HTML / CSS / JavaScript), Playground media assets stored in S3 (images, video, audio, etc.), Data Sheets (the standalone, team- and app-scoped tabular store — databases of user-defined sheets, including rows visitors insert / update via the public flowfn.data primitives through a linked published Playground when the owner has opted-in), Playground visitor-uploaded files in S3 (collected via the in-Playground flowfn.upload primitive when the owner has opted-in; stored privately and accessed via short-lived signed URLs), uploaded files in S3, AI generations, integration credentials. Active retention: for the life of the workspace that owns the content. Post-termination: deleted within 30 days of the workspace owner submitting a deletion request, including by way of the in-app account-deletion flow. Object-level deletion in S3 is immediate; CDN edge caches (e.g. CloudFront) may continue to serve previously cached Playground asset URLs for a short period (typically up to 24 hours) before they expire. Some derivative data (e.g. an AI output you have already shared with a third party, or a Playground asset URL that has been copied or republished by you elsewhere) cannot be recalled and is not subject to deletion. Cross-team transfers: when you transfer an app or item to another team, retention follows the content — the destination workspace's retention applies from the transfer date and the source workspace no longer holds it (immutable audit-log entries recording the transfer in each team age out on their own schedule under Section 4).
3a. Plan-Based Retention Windows (Accumulated Customer Content)
Some categories of accumulated customer content are subject to plan-based retention windows during the active life of the workspace. Specifically: (a) form submissions stored against published forms, (b) accumulated visualizer data rows pushed by Data Visualizer tasks, (c) workflow run history and run logs, and (d) AI assistance request audit rows (workflow chat, playground chat, code-generation, and workflow-run AI-model audit log). The applicable retention period for each category is determined by your plan and is surfaced on the Pricing page and in your team owner's plan settings. Rows older than the plan's retention window are removed by a daily automated process. For categories (a)-(c) we soft-delete the rows first (they disappear from your dashboards immediately) and hard-delete them 90 days later, so workspace owners may request restoration during that 90-day grace window via /legal/data-request. AI assistance audit rows (d) are an internal audit log and are hard-deleted in one step at the retention cutoff. Plans whose retention setting is `unlimited` keep their data indefinitely. You can export your full dataset at any time via /legal/data-request before retention takes effect.
3b. Soft-Deleted Workspace Items (Trash)
When you delete a form, visualizer, playground, workflow, or app from your dashboard, the item is moved to a soft-deleted state and removed from active views. Soft-deleted items are kept for 90 days so workspace owners may restore them themselves from the Trash in their dashboard (or via support), after which they are permanently purged by an automated nightly job along with any nested content (form submissions, visualizer data rows, playground assets in S3, workflow run history). Permanent deletion at the end of the 90-day window is irreversible.
3c. Realtime Stream Data (Presence, Activity Log, Player Identifiers)
Streams (realtime rooms for games and live applications) keep three kinds of records, all scoped to the owning team. Presence and connection state (which player identifiers are connected and in which rooms): held only in volatile storage and expiring automatically within minutes of disconnect or room inactivity — never written to durable storage. Stream activity log (connection/disconnection events, room joins, kicks, and automation outcomes, including the player identifier and display name supplied by the team's game): retained for 3 days, then deleted automatically by the database itself; message contents are not logged. Automation records: when a team binds a channel to a workflow, stream function, or AI agent, the triggering message (including the player identifier) becomes part of that run's record and follows the plan-based run-history retention in Section 3a, the same as any other run. Deleting a stream removes its configuration immediately; its activity log entries expire on the same 3-day schedule.
3d. Recoverable Data-Sheet Rows
When you delete an individual row from a Data Sheet — from the sheet grid in the Data Sheets section, or when a visitor deletes a row via the public flowfn.data.delete primitive through a linked published Playground (where the owner has opted-in) — the row is soft-deleted: it disappears from all reads and from the SDK immediately, but is retained in a recoverable state for 90 days. The owner can restore it from the 'Recently deleted' panel on the sheet during that window, after which it is permanently purged by the automated nightly retention job (the same job that enforces Section 3a). Teams under a legal hold or an Article 18 processing restriction are exempt from the automated purge until the hold is lifted. Two actions remove sheet rows immediately and irreversibly, with no recovery: importing a CSV in Replace mode and an AI full-replace of the sheet. Deleting the sheet or its database does not erase its rows on the spot — they are soft-deleted alongside the parent and then permanently purged on the Section 3b 90-day item-trash schedule.
4. Audit, Security, and System Logs
Records: authentication events, admin actions, API access logs, error stack traces, security incident records. Active retention: 90 days in hot storage; up to 13 months in cold/archive. Legal basis: legitimate interests in security monitoring and fraud prevention; PDPA "reasonable security arrangements" requirement; SOC-2 / ISO 27001 evidence retention. Logs are aggregated and pseudonymised wherever possible; user IDs are replaced with deletion pseudonyms when an account is deleted.
5. Billing, Tax, and Accounting Records
Records: invoices, receipts, tax line items, billing addresses, plan changes, credit-ledger entries, refunds, chargebacks. Active retention: 5 years and 1 month from the end of the financial year to which they relate. Legal basis: Singapore Companies Act (s.199) and Income Tax Act (s.67); analogous obligations in other jurisdictions where customers are based. After the retention period these records are anonymised (user_id severed and replaced with a deterministic deletion pseudonym) or deleted.
6. Stripe Customer Records (Sub-Processor)
Records held by Stripe under our account: customer object (name, email scrubbed at deletion), payment-method tokens, charges, invoices, refunds, disputes. Treatment at user account deletion: (a) we immediately scrub PII from the Stripe customer (replace name, email, phone, address, description with anonymised placeholders keyed to a deletion pseudonym; detach all payment methods); (b) we keep the scrubbed customer record for 5 years for tax / accounting traceability; (c) after 5 years the scheduled-deletion worker permanently deletes the Stripe customer record (Stripe API `customers.del`). You can request immediate full deletion (forgoing the 5-year retention) by submitting a verified request via /legal/data-request; we will honour the request unless retention is required by law for an unresolved tax matter, ongoing dispute, or open legal hold.
7. Marketing and Communications
Records: email subscription state, opt-out events, campaign send/open/click metadata. Active retention: while you remain a subscriber. After unsubscribe / opt-out: we keep a minimal suppression record (email hash and opt-out timestamp) indefinitely so we can honour your opt-out and prove compliance, even if your account is later deleted.
8. Cookie Consent and Privacy Preferences
Records: cookie consent state, AI assistance opt-out, do-not-sell signals, GPC honour records. Active retention: indefinitely while you have an account. Post-termination: opt-out signals are kept indefinitely as suppression records; the rest are deleted with your account.
9. Data Subject Requests (DSRs)
Records: DSR submissions, request type, response, internal notes, status timeline. Active retention: 3 years from the date the request is closed. Legal basis: GDPR Art. 5(2) accountability principle; CCPA Reg. §7101(a) record-keeping obligation. After 3 years, identifiers are removed and only the aggregate request statistics are retained.
10. Backups and Disaster Recovery
Records: encrypted database backups in AWS S3 (US East / N. Virginia, us-east-1). Active retention: rolling 35-day window. Deletion requests: deleted records may persist in backups for up to 35 days; we do not restore deleted personal data from backups except where required to recover from a disaster, and we re-apply the deletion immediately after any such restoration.
11. Anonymised and Aggregate Data
Where data has been irreversibly anonymised (e.g. deletion-pseudonym replacement, k-anonymity aggregation for analytics) it is no longer personal data under GDPR / PDPA / CCPA and may be retained indefinitely for product analytics, capacity planning, and security research.
12. Legal Holds and Disputes
Where required by a court order, tax investigation, regulator inquiry, or active dispute, we may retain otherwise-deletable records for the duration of the hold. Affected records are tagged so that automatic deletion sweeps cannot remove them. Once the hold is lifted the record is processed under the schedule above.
13. Changes to This Schedule
We may update this schedule when retention periods change due to new laws, new sub-processors, or new product features. The version date at the top of this page reflects the last revision. Material changes will be notified in-app or by email.
14. Contact
Questions about retention: contact our Data Protection Officer at legal@flowfn.com. To exercise rights, use https://www.flowfn.com/legal/data-request.