Data Retention

This page describes what Forge Metal keeps on your behalf, how long we keep it, and under what conditions it can be exported, preserved, or deleted. The retention windows listed here are commitments; they apply equally to every customer organization on this deployment, and the same windows drive the observability-store TTLs and deletion scheduler that execute them.

Our own organizations — the platform tenant and its parent-company tenant — are subject to this policy on the same terms as any other customer. See Founder handling.

This policy covers data Forge Metal stores in your organization's account on this deployment. It does not cover data held by third-party subprocessors we integrate with; their retention is governed by their own DPAs, listed on our subprocessor page.

The categories below are referenced throughout this document.

Forge Metal plays two distinct roles with respect to the data it handles. Which role applies determines who is responsible for responding to data-subject requests and under what legal basis the data is processed.

• Controller for your organization's account and billing information — administrator contacts, authentication events, invoices, tax records, usage metering aggregates.
• Processor for the workload data your users place into the substrate — durable volumes, execution logs, mailboxes, and other objects your organization creates on our compute. Forge Metal processes that data only on your documented instructions, in line with GDPR Art. 28 and our Data Processing Addendum.

A full Record of Processing Activities is published as part of the Privacy Policy.

Every Forge Metal account passes through up to five observable states. The current state is visible on your billing page, and every transition is written to an audit log you can read at Billing → Activity or via the audit-events API.

• Active → Past due: A payment attempt fails.
• Past due → Suspended: The Stripe retry schedule closes without payment. Fixed at 14 days from the first failed charge.
• Suspended → Pending deletion: The account is closed — by the customer, by the operator for non-payment, or by contract expiration.
• Pending deletion → Deleted: The retention window closes.

Windows are measured from the state-transition timestamp recorded on your billing page. An extension granted by Forge Metal supersedes the default window.

Per-volume snapshot retention is a separate setting that governs how long snapshot generations are kept within each volume. It is independent from the account-lifecycle windows above; a volume with a 30-day snapshot policy still has its snapshots deleted with the parent volume when the account reaches final deletion.

Jurisdictions with longer billing-records retention requirements — for example Germany (10 years, HGB §257), France (10 years), and the United Kingdom (6 years) — are honored automatically where they apply to the customer's billing entity.

You can export your durable data throughout the Active, Past due, Suspended states. Export access continues for the first 30 days after your account enters pending deletion, then stops.

Export is performed from your billing page via the Export data action or the equivalent API endpoint. Signed URLs valid for 72 hours from issuance. Export is read-only and does not reset the retention clock; if you need more time to complete one, request an extension before the window closes.

Under GDPR Articles 15–22 and comparable laws (California CPRA §1798.100 et seq., Virginia VCDPA, Colorado CPA, and others), end users have rights to access, correct, delete, and port personal data about them.

• Where Forge Metal is the processor — for data your organization processes about its own end users on our substrate — route requests through the customer (that is, your organization). We will forward requests received directly and cooperate with your response on the timeline the law requires.
• Where Forge Metal is the controller — billing contacts, organization administrators, support correspondence — requests go to the privacy mailbox. We respond within the statutory window (30 days under GDPR, 45 days under CPRA) and record each request in the audit log.

A deletion request served before the 90-day retention window closes is honored early; the same deletion guarantees and methods in Final deletion apply.

If you need more time to resolve a billing issue or complete an export, you can request an extension. Extensions are granted by Forge Metal staff and recorded with the requesting_principal, requested_duration, granted_duration, justification, granted_at on the extension record.

An extension replaces the remaining retention window with the granted duration, starting from the extension's granted_at timestamp.

An extension does not restore compute and does not change the amount owed. Multiple extensions may be granted; each is audited independently. Extensions may be declined when repeated requests do not show a path to resolution.

When Forge Metal receives valid legal process or issues a preservation hold, the retention clock is paused for the scope of the hold and resumes when the hold is lifted. A hold supersedes the account's state-transition schedule but does not restore compute.

When the retention window closes, your durable data is deleted from our storage. This is not a soft delete. Once deletion has executed, Forge Metal cannot recover the data, even with founder intervention.

Deletion is implemented using:

• Durable-volume destroy followed by pool free-space reclamation
• Observability-store part drops driven by per-table TTL
• Relational-store row deletes followed by compaction

Billing records are retained beyond final deletion in accordance with applicable tax and accounting law. See Retention windows for specifics.

Aggregated statistics that cannot be re-associated with an individual or organization are retained indefinitely, per GDPR Recital 26. Such data falls outside the retention windows above.

Packet captures, binary artifacts, and forensic timelines associated with a declared security incident. Retained for two years regardless of account state so post-incident review and regulator requests can be served.

Forge Metal's own organizations — the platform tenant and its parent-company tenant — are subject to this policy on the same terms as any other customer. Internal usage accrues real invoices; those invoices are finalized with a 100% showback adjustment rather than being excluded from the billing pipeline.

This keeps the account-lifecycle code path identical across customer and internal tenants, and ensures the true cost of operating the platform is visible in the same ledger customers see.

Material changes take effect 30 days after they are announced by email to the administrators on each affected organization. The effective date at the top of this page is the date the current version took effect. Prior versions of all policies live at /policy/changelog, and every change is recorded there in commit-addressable form.

Policy identifier: data-retention.

Questions and requests under this policy go to privacy@anveio.com. Security reports go to security@anveio.com and take precedence over routine policy correspondence. GDPR data-protection correspondence may be directed to dpo@anveio.com; abuse reports to abuse@anveio.com.