Security

Data deletion

Two things happen when a redaction job finishes — or when you delete an account:

  1. The primary R2 object holding the source PDF is dropped from our storage bucket.
  2. Any plaintext text snippets that were stored in Postgres during the review window (so you could verify each detected span before commit) are nulled out before the job's terminal status flip lands.

Storage backups are the next layer to think about, and the one we can't pretend doesn't exist. Postgres write-ahead logs and our database provider's point-in-time-recovery retain rows for a recovery window — Supabase's default paid-tier window is around 7 days. Cloudflare R2 versioning is disabled on our buckets, so a deleted object is gone without a version-history trail to scrub. We can't reach into a managed backup snapshot to do a synchronous delete, and we won't market our way around it; the operational discipline is to bound the window and disclose it, not to deny it.

Source PDF objects are dropped from primary storage at job terminal state and are not retained in any sub-processor backup beyond that provider's standard recovery window (Postgres PITR ~7 days; R2 immediate). Sub-processors that never see a PDF (Stripe, Resend, Clerk) have their own retention windows for the billing / email / identity metadata they do hold — disclosed on the sub-processor page.

Audit-log entries are not deleted. The hash-chained audit log retains a record that a job existed, the engine version that processed it, the SHA-256 of the input file, the span counts, and the timestamps — but no content of the file itself. On account deletion or DSAR request, PII columns (filename, email) are tombstoned: the encrypted ciphertext is replaced with a null marker, and the chain hash is recomputed with the marker in place. The chain remains verifiable end-to-end.

During an active review window, extracted snippets of the detected text plus a small surrounding context are stored alongside the job so you can verify each decision before committing. These snippets are removed when you commit the redaction, when the review window expires, or when the job is cancelled — and are never written to the audit log or to logs ingested by Sentry.

For a DSAR (deletion or data-export) request, contact privacy@lacunapdf.com. Our SLA is 30 days from receipt; we will reply within 7 business days with a confirmation and a tracking reference.

Deletion or DSAR questions
privacy@lacunapdf.com