Aura
Sign inJoin Aura

Data Retention Policy

Version 2026-05-03

Aura keeps personal data only as long as necessary for the purposes described in our Privacy Policy or as required by law. This page explains the schedule.

Schedule by category

Account data

  • While the account is active.
  • On account deletion: soft-delete sets deleted_at, scrubs PII (name, image, wallet, email replaced with tombstone), and the account becomes inaccessible.
  • Hard-delete from backups: 30 days after soft-delete (next backup rotation).

Posts and media

  • While published. Removed posts are unpublished immediately; their media is kept for 30 days for restore-on-appeal, then purged from R2 storage.
  • Posts removed for AUP / Take It Down Act / DMCA violations: kept indefinitely as evidence (with PII minimized) for legal defense.

Consent records (2257-style)

  • Retained indefinitely for legal defense. The records (creator ID, post ID, attestations, IP, UA, timestamp) are immutable and survive account deletion.
  • If applicable jurisdictions require shorter retention (none currently), we will comply with the shortest legally-valid period.

Transaction records

  • On-chain transactions are public and permanent by nature.
  • Off-chain we retain transaction metadata (kind, amount, split, tx hash, tx status) for 7 years to satisfy tax record-keeping (IRS, SAT) and AML obligations.
  • Subscription state (start, end, period) retained for 3 years past the end of the last paid period.

KYC records

  • Identity verification reference IDs (not the underlying ID images, which are held by the verifier) retained for 5 years past creator account closure, per AML / payment-processor practice.

Reports and takedowns

  • Reports filed by users (or anonymously) retained for 7 years for legal defense and pattern analysis.
  • Resolution actions (strikes, removals) retained per the same schedule.

Document acceptances

  • Records of which user accepted which version of which document (Terms, Privacy, AUP, Creator Agreement) retained for 7 years past account closure.

Server logs and analytics

  • Web server access logs: 90 days, then aggregated.
  • Application audit logs (admin actions, security events): 12 months.
  • Analytics events (if you opted in): 12 months, then aggregated.

Backups

  • Daily backups of the database, retained for 30 days.
  • Deletions in the live database propagate to backups within 30 days.

Triggers that extend retention

  • Active legal hold, litigation, or law-enforcement preservation request.
  • Open trust-and-safety investigation or appeal.
  • Outstanding tax obligation or audit.
  • Statutory record-keeping mandate (e.g., 2257-style retention).

Your right to deletion

You may request deletion at any time via /settings or privacy@aura.app. We delete within 30 days, except where law requires longer retention (the categories above marked with specific retention periods). On request we will tell you exactly what was kept and why.

Contact

Retention questions: privacy@aura.app.