Data Use and Retention Policy
Effective date: 2026-05-11 · Contact: [email protected]
Purpose
Avestris collects only what is useful, protects it while it is needed, keeps records required for operations and legal/accounting duties, and deletes or archives material when it no longer has a legitimate purpose.
What We May Handle
- Contact and customer relationship information.
- Intake answers, project descriptions, screenshots, logs, databases, exports, source code, configuration files, and related artifacts.
- Generated reports, manifests, checksums, analysis outputs, and delivery records.
- Payment, invoice, receipt, refund, and accounting records.
- Security logs, web logs, mail logs, token-use logs, and abuse-control records.
Public Intake Quarantine
Files uploaded through public intake are untrusted evidence objects. Public uploads must land in quarantine storage outside the public web root, receive generated storage names, have checksums and metadata recorded, and remain unavailable for direct public download. For the first public launch, random internet uploads are capped at 100 MB.
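One way the intake controls above could be enforced in an upload handler, shown as an added example and not Avestris's own code. The function name, metadata fields, SHA-256 as the checksum, the 0o600 file mode, and reading "100 MB" as 100 × 1024 × 1024 bytes are assumptions.

```python
import hashlib
import json
import os
import secrets
import time
from pathlib import Path

MAX_UPLOAD_BYTES = 100 * 1024 * 1024  # assumed reading of the 100 MB cap


class UploadRejected(Exception):
    """Raised when an upload violates an intake control."""


def quarantine_upload(stream, original_name, quarantine_dir, web_root,
                      max_bytes=MAX_UPLOAD_BYTES):
    """Stream an untrusted upload into quarantine and return its metadata."""
    qdir, root = Path(quarantine_dir).resolve(), Path(web_root).resolve()
    # Quarantine must not be reachable through the public web root.
    if qdir == root or root in qdir.parents:
        raise UploadRejected("quarantine directory is inside the public web root")
    # Generated storage name: the client-supplied name never becomes a path.
    storage_name = secrets.token_hex(16)
    dest = qdir / storage_name
    digest, size = hashlib.sha256(), 0
    # O_EXCL refuses to overwrite; 0o600 keeps the object owner-only, non-executable.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        with os.fdopen(fd, "wb") as out:
            while chunk := stream.read(64 * 1024):
                size += len(chunk)
                # Enforce the cap while streaming; never trust a declared length.
                if size > max_bytes:
                    raise UploadRejected("upload exceeds size cap")
                digest.update(chunk)
                out.write(chunk)
    except BaseException:
        dest.unlink(missing_ok=True)  # leave no partial object behind
        raise
    meta = {
        "storage_name": storage_name,
        "original_name": original_name[:255],  # recorded as data only
        "size_bytes": size,
        "sha256": digest.hexdigest(),
        "received_at": int(time.time()),
    }
    (qdir / f"{storage_name}.json").write_text(json.dumps(meta))
    return meta
```
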
Standard Retention Targets
| Data Type | Default Retention Target |
|---|---|
| Unpaid or incomplete public intake | Up to 30 days |
| Rejected or unsafe upload | Up to 30 days, unless needed for security review |
| Raw uploaded files for fixed-scope orientation reports | Up to 90 days after report delivery |
| Generated reports and delivery records tied to paid services | Up to 7 years |
| Billing, invoice, payment, refund, and tax records | At least 7 years |
| Security logs and abuse-control records | 90 days to 1 year depending on operational need |
| Backups | Expire on backup rotation schedules and may persist temporarily after deletion from primary storage |
Deletion and Correction Requests
You may request access, correction, deletion, or limitation of information by contacting Avestris. Some records may be retained where required or reasonably necessary for tax/accounting records, invoices, disputes, legal compliance, security investigations, abuse prevention, backups, disaster recovery, or documenting work performed.
Third-Party Providers
Avestris may use providers for hosting, DNS, email, payment processing, banking/accounting integration, repository hosting, backups, security monitoring, and operational tooling. Data shared with providers is limited to what is needed for those functions.