Overview
Triform retains different types of data for varying periods based on product functionality, legal requirements, and user preferences.Retention periods
Project data
What: Projects, Actions, Agents, Flows, code, configurations Retention: Indefinite while Project is active After deletion: 30-day soft delete, then permanent Purpose: Core product functionality User control: Delete Projects anytimeExecution data
What: Execution records, inputs, outputs, logs, traces| Tier | Retention |
|---|---|
| Free | 7 days |
| Pro | 30 days |
| Enterprise | 90 days or custom |
Project Variables
What: Configuration values, secrets, API keys Retention: Indefinite while active After deletion: Immediate permanent deletion (no soft delete) Purpose: Application configuration User control: Delete Variables anytime Note: Secrets deleted from our systems within 24 hours (key rotation cycle)API keys
What: API key metadata (not the secret itself) Retention: Active until revoked or expired After revocation: 90 days for audit purposes Purpose: Authentication, audit trails User control: Revoke anytime Note: The secret key itself is hashed and cannot be recoveredAudit logs
What: Security events, access logs, changes Retention: 90 days (standard), 1+ year (Enterprise) Purpose: Security, compliance, debugging User control: Export anytime Compliance: May be required longer for regulated industriesUser data
What: Account info, profile, email, preferences Retention: While account is active After deletion: 30-day soft delete, then permanent Purpose: Account management, communication User control: Delete account anytimePayment data
What: Billing history, invoices, payment methods Retention: 7 years Purpose: Legal/tax requirements, dispute resolution User control: Cannot be deleted (legal obligation) Note: We don’t store full credit card numbers (tokenized via payment processor)Analytics data
What: Aggregated usage statistics, performance metrics Retention: 2 years Purpose: Product improvement, capacity planning User control: Anonymized, cannot be deleted Note: No personally identifiable informationSoft deletion
Some data types use soft deletion for recovery.How it works
- Mark as deleted — Data hidden from UI and API
- Grace period — 30 days to recover
- Permanent deletion — After grace period
What uses soft deletion
✅ Projects — 30-day recovery window✅ User accounts — 30-day recovery window
❌ Project Variables — Immediate deletion (security)
❌ API keys — Immediate revocation
❌ Executions — Immediate deletion after retention period
Recovery process
Within grace period:- Contact support@triform.ai
- Provide Project/account ID
- Confirm identity
- We’ll restore within 24 hours
Data minimization
We collect and retain only what’s necessary.What we collect
✅ Necessary for service:- Project code and config
- Execution data for debugging and AI model training (only free community version)
- Account info for authentication
- Billing info for payments
- Personal data beyond account basics
- Tracking cookies (beyond essential)
- Browsing history outside Triform
- Third-party service credentials (unless you provide in Project Variables)
Anonymization
Analytics and training data is anonymized:- User IDs replaced with random identifiers
- IP addresses hashed
- Names and emails removed
- Aggregated only (no individual tracking)
Geographic data storage
Data residency
Standard: EU-based data centers Data localization: Customer data stays in EU.Data transfer
Within region: No cross-border transfer GDPR compliance: Data stored in EUDeletion procedures
Deleting Projects
- Project menu → Delete
- Confirm by typing Project name
- Project soft-deleted
- 30-day recovery window
- Permanent deletion after
- Project removed from UI
- Executions deleted per retention policy
- Audit logs retained
Deleting account
- Account Settings → Privacy → Delete Account
- Confirm by typing email
- Account soft-deleted
- 30-day recovery window
- Permanent deletion after
- Account deactivated immediately
- Projects you own deleted (after grace period)
- Shared Projects remain (your access removed)
- Payment history retained (legal requirement)
- Audit logs retained (90 days)
Deleting Organization
- Organization Settings → Delete Organization
- Requires Admin role
- Confirm by typing Organization name
- All Projects deleted
- All members removed
- Billing canceled
- You’re not the last Admin (transfer ownership first)
- Active subscription (cancel first)
- Recent executions (wait for retention period)
Data breach procedures
If a data breach occurs:Our response
Within 72 hours:- Identify scope and affected data
- Contain the breach
- Notify affected users
- File regulatory reports (if required)
- What data was affected
- How many users/records
- What we’ve done to fix it
- What you should do (e.g., rotate keys)
User actions
If notified of a breach:- Rotate API keys immediately
- Update Project Variables (especially secrets)
- Review audit logs for suspicious activity
- Enable 2FA if not already
- Monitor for unusual activity
Compliance
GDPR (EU)
Rights you have:- Access: Request copy of your data
- Rectification: Correct inaccurate data
- Erasure: “Right to be forgotten”
- Portability: Export in machine-readable format
- Object: Object to processing
Other regulations
We comply with applicable data protection laws in EU.FAQs
Q: Can I extend execution retention?A: Enterprise plans offer custom retention. Contact sales. Q: What happens to my data if Triform shuts down?
A: We’ll provide at least 90 days notice and export tools. Q: Are backups deleted too?
A: Yes, backups are deleted per the same schedule. Q: Can I request early deletion?
A: Yes, contact support for manual deletion requests. Q: Is deleted data truly unrecoverable?
A: After permanent deletion, yes. We use secure deletion methods.
Contact
Data requests: privacy@triform.aiSecurity concerns: security@triform.ai
General support: support@triform.ai Response time: 5 business days for data requests, 24 hours for security issues