Account and organization records
Kept while the workspace is active. Deleted or anonymized after a verified deletion request unless retention is required for security, billing, fraud prevention, or legal obligations.
Retention and deletion defaults for monitored workflow data.
How Norevin limits workflow data, report access, and deletion handling during public launch.
Checkpoint events, validation results, and completed runs
Plan-based retention: Sandbox 7 days, Monitor 30 days, Guard 90 days, Agency 180 days, and Enterprise custom or 365 days by default.
Open incidents
Kept while needed for operational review, customer reporting, and audit history. Resolved incident history follows the workspace retention tier.
Reports and share links
Reports are generated from sanitized summaries. Owners can revoke shared links from the console; deleted workspaces remove report access.
API keys and secrets
Raw API keys are shown once and never stored. Hashes, prefixes, encrypted alert destinations, and audit metadata remain until revoked, rotated, or deleted with the workspace.
Billing records
Stripe is the system of record for payment methods, invoices, and subscription charges. Norevin stores only Stripe ids, plan status, and aggregate usage needed to operate billing.
Deletion requests
Workspace owners can request export, deletion, or access removal.
Norevin verifies ownership before destructive changes and keeps a short operational note so future support and audit reviews can explain what happened.
- Send the request from the workspace owner email to founders@norevin.com.
- Include the organization name and whether the request is export, deletion, or access revocation.
- Norevin will verify ownership before deleting or exporting workspace data.
- Deletion requests target active product data first, then backups and logs as they age out through provider retention windows.
Related policies
Privacy and terms reference the same retention model.
The legal pages are intentionally plain-language for launch, and can be replaced by a signed DPA or enterprise agreement when a customer requires one.