Data Retention Policy
Effective Date: May 22, 2026 · Version: 1.0.0
This policy describes how long Dormitory LLC (“Dormy”) retains data collected through the Services and how that data is deleted. It supplements the Privacy Policy and the Terms of Service.
1. Summary
Most of your data is kept for as long as your account is active and deleted on a defined schedule after account closure. Payment, tax, and security records are kept longer where law or fraud prevention requires it. Encrypted backups rotate on a fixed cadence. The table below is a quick reference; the sections that follow give the detail.
| Data category | Retention period |
|---|---|
| Account & profile data | Account lifetime + 30-day grace after closure |
| Founder profile data | Account lifetime; deleted on account closure |
| Customer Content (chat, intros, match results, imports) | Account lifetime; deleted on account closure |
| BYOK API keys (encrypted) | Until you remove the key or close the account; deleted within 24 hours of either event |
| User observations stored in EverCore memory | Account lifetime; deletion requested from EverCore on closure |
| One-time-password tokens | 5-minute TTL; hashed at rest; consumed or expired within minutes |
| Session JWT cookies | 7 days from issuance |
| Usage telemetry & tool-call logs | 90 days |
| Security & abuse-prevention logs | 180 days, or longer where needed to investigate an incident |
| Credits ledger entries | 7 years (tax and accounting) |
| Stripe payment records | 7 years (tax and accounting); Stripe retains separately |
| Support tickets | 2 years from last activity |
| Encrypted database backups | Rolling ~30 days, then overwritten |
2. Customer Content & Generated Outputs
Dormy is designed to retain your chat sessions, intro drafts, match results, and other generated content while your account is active because durable history is part of the product experience — investor follow-ups, comparable matches, and memory recall all depend on it. You can delete individual sessions or items from the console at any time; deletion from your view is followed by purging from primary storage within 24 hours and from encrypted backups within the backup rotation window (typically 30 days).
You are responsible for keeping copies of any Output you wish to preserve independently. After account closure, generated content is deleted and cannot be restored.
3. EverCore Memory
Dormy uses EverCore Cloud as its managed memory backend to store user observations across sessions. These observations are scoped to your user identifier and are deleted by calling the EverCore deletion API when your account is closed or on your request. EverCore’s own retention policy applies to operational logs and backups it maintains independently.
4. BYOK API Keys
BYOK API keys are encrypted with AES-256-GCM at rest. When you rotate or remove a key from the console, the encrypted record is overwritten with the new value or deleted, and the corresponding routing hash is removed within 24 hours. Closing your account removes both records.
5. Third-Party Contact Data
Third-Party Contact Data is retained while it remains useful for the matching and intelligence features described in the Privacy Policy. Records you imported are deleted with your account. Records you did not import (for example, public-source curated investor data) are reviewed periodically and removed when no longer relevant. An Affected Individual may request deletion at any time as described in Privacy Policy § 6.
6. Third-Party Sub-processors
Sub-processors listed in the Privacy Policy retain data under their own retention policies and legal obligations, including:
- Stripe retains payment and KYC records for the periods required by U.S. and applicable foreign financial regulators.
- Model providers (Anthropic, OpenRouter, NVIDIA, MiroThinker, and others) retain inference logs under their default API terms. Where their standard terms commit to short-lived retention, we rely on those commitments; where they do not, we will state so before use.
- Telegram stores bot messages as part of normal messaging service operation; users should review Telegram’s own privacy notice.
7. Backups
Database backups are encrypted at rest, kept on a rolling ~30-day rotation, and overwritten thereafter. Deleting a record from primary storage does not immediately purge it from backups; the record is removed from backups when the backup that contained it is overwritten in the normal rotation. Restoring from a backup for disaster recovery may temporarily reintroduce data that was previously deleted; if this occurs, the data will be deleted again on the next rotation.
8. Legal Holds & Exceptions
We may retain data longer than the periods above when (a) legally required (subpoena, regulatory request, tax law), (b) necessary to investigate or defend legal claims, (c) needed to prevent or address fraud, security incidents, or violations of our Terms of Service, or (d) needed to enforce rights. In those cases we retain the data only for as long as necessary for the relevant purpose.
9. Requesting Deletion
You can close your account and request deletion of associated personal information by emailing support@heydormy.ai with the subject line “Deletion Request”. After identity verification, we will complete deletion within approximately 30 days, subject to the legal-hold exceptions in Section 8 and the backup rotation in Section 7. You will receive confirmation when deletion is complete.
10. Changes
We may update this policy from time to time. The effective date and version at the top of this page indicate the current version; material changes will be announced as described in the Privacy Policy § 14.