menu
save_alt Download

Data Retention and Deletion Policy

Effective February 9, 2026

< Back

Purpose

This policy defines how Beekeeper Studio collects, stores, retains, and deletes customer data in our cloud services. It ensures compliance with privacy laws including GDPR, CCPA, and (for educational customers) the National Data Privacy Agreement (NDPA).

Our Architecture: Beekeeper Studio is a desktop database client. Customer database queries and results are processed locally on customer devices. This policy covers data we collect and store in our cloud services (account management, billing, license validation, support systems, and optional workspace sync). See Data Flow Diagram for complete architecture.

Privacy Notice: See our Privacy Policy for customer-facing information about data practices.

Scope

This policy applies to:

  • Customer data in our cloud services (account data, billing data, support data, optional workspace data)
  • All cloud systems, databases, backups, and logs containing customer data
  • All employees, contractors, and subprocessors handling such data
  • Does NOT apply to: Customer databases (we never access these), local workspace data (stored on customer device only)

1. Data Categories We Collect (Cloud Services)

Beekeeper Studio is a desktop database client. The data we collect is limited to what’s necessary to operate our cloud services.

What We Don’t Collect:

  • Customer database query results (processed and stored locally on customer devices)
  • Customer database content (we never access customer databases)

Note: If a customer opts in to cloud workspaces, we store saved queries and encrypted connection configurations to enable cross-device sync. Query results are never stored on our servers. See Section 1.3 for details.

What We Do Collect (for cloud services only):

1.1 Account and Authentication Data

What We Collect:

  • Email address
  • Name (optional)
  • Hashed password (never plaintext)
  • Account creation date
  • Last login timestamp
  • Subscription tier and status

Purpose: User authentication, account management, license validation

Retention: Active account + 90 days after cancellation

Legal Basis: Contractual necessity (GDPR Art. 6(1)(b))

Storage: Heroku PostgreSQL, encrypted at rest, sensitive fields also encrypted at the application level

1.2 Billing Data

What We Collect:

  • Payment history and receipts
  • Subscription status
  • Invoice records

What We Don’t Collect:

  • Credit card numbers (processed by Stripe, PCI-compliant)
  • Full payment details (handled by payment processor)

Purpose: Process payments, provide receipts, tax compliance

Retention: 7 years (tax and accounting requirements)

Legal Basis: Legal obligation (tax law), contractual necessity

Storage: Stripe (payment processor), Heroku Postgres (billing records)

1.3 Workspace Data (Optional Cloud Feature)

What We Collect (only if customer uses cloud workspace sync):

  • Saved queries and scripts
  • Database connection configurations (encrypted)
  • User preferences and settings
  • Tab layouts and workspace state

What We Don’t Collect:

  • Query results
  • Customer database content (we never access customer databases)

Purpose: Sync workspaces across devices

Retention: Active account + 30 days after cancellation

Storage: Heroku PostgreSQL, encrypted at rest, sensitive fields also encrypted at the application level

Customer Control: Customers can use local workspaces only (no cloud sync) to avoid storing any workspace data on our servers

1.4 Usage and Analytics Data (Opt-in)

What We Collect (only with user consent):

  • Feature usage statistics (anonymized)
  • Error logs and crash reports
  • Performance metrics
  • Application version information

Purpose: Product improvement, bug fixing, performance optimization

Retention:

  • Individual user analytics: 12 months
  • Aggregated analytics: Indefinitely (fully de-identified)

De-identification: After 12 months, usage data is aggregated and stripped of all personally identifiable information

Legal Basis: Consent (GDPR Art. 6(1)(a))

1.5 Customer Support Data

What We Collect:

  • Support ticket content
  • Email correspondence
  • Attachments and screenshots voluntarily provided by customers
  • Issue descriptions and resolutions

Purpose: Provide customer support, improve product

Retention:

  • Active tickets: Until resolution + 90 days
  • Closed tickets: 3 years

Important: Customers should redact sensitive data before sharing. We will redact upon request. Customer database content shared via support tickets is handled as confidential customer data.

For Educational Institutions: Student Data

Our Architecture and Student Data:

Beekeeper Studio is a desktop application. We do not access or collect student data from educational databases. The desktop app connects directly to school databases, and all queries and results are processed locally on staff devices.

When Student Data May Be On Our Servers:

Student data may only be stored on Beekeeper Studio cloud services if:

  1. Cloud workspace feature: Staff member saves queries or connection configs containing student information to cloud workspace
  2. Support tickets: Staff member voluntarily shares student data in support requests

Important Clarifications:

  • Desktop queries: Student data viewed in the app stays on the staff member’s device
  • Query results: Never sent to Beekeeper servers (processed locally)
  • Database credentials: Only in cloud workspaces if staff member enables cloud sync
  • Direct database connections: We never access the school’s database directly

NDPA Compliance:

For educational institutions under NDPA agreements:

Retention: Cloud workspace data containing student information: 60-day deletion upon request or contract termination

Storage: Heroku PostgreSQL, encrypted at rest, sensitive fields also encrypted at the application level

Best Practices for LEAs:

  1. Use local workspaces (not cloud sync) for sensitive student data
  2. Avoid including student PII in saved queries
  3. Regularly review cloud workspace content
  4. Request data export/deletion when staff leaves or contract ends

See Also: Privacy Policy, Data Flow Diagram

1.6 Backup Data

What We Backup:

  • Production cloud database data (accounts, billing, cloud workspaces)
  • Application configurations

What We Don’t Backup:

  • Local-only workspaces (stored on customer devices)
  • Customer databases (we never access these)

Purpose: Disaster recovery, business continuity

Retention:

  • Daily backups: 90 days rolling
  • Point-in-time recovery: 90 days

Storage: Heroku Postgres managed backups (encrypted) + offsite backups in AWS S3 (encrypted)

Deletion Process: Backups included in deletion requests; purged per rotation schedule (maximum 90 days for complete removal from all backups)

1.7 Log Data

What We Log:

  • Authentication events (login, logout, failed attempts)
  • API requests (excluding sensitive data)
  • System errors and exceptions
  • Security events and alerts
  • Administrative actions
  • Support access to customer data (full audit trail)

What We Don’t Log:

  • Database query contents (except when voluntarily provided in support)
  • Query results
  • Customer database credentials

Purpose: Security monitoring, debugging, compliance auditing

Retention:

  • Security logs: 12 months
  • Operational logs: 90 days
  • Audit logs: 12 months

Privacy: Logs automatically redacted to remove passwords, tokens, and sensitive data

See Also: Logging and Monitoring Policy

2. Storage Locations

2.1 Cloud Services Storage

Primary Storage:

  • Heroku Postgres (US region)
  • Encrypted at rest (Heroku managed encryption)
  • Encrypted in transit (TLS 1.3)

Geographical Location:

  • All data stored in US regions (Heroku US)
  • No international data transfers for US customers

See Also: Data Flow Diagram, International Transfers

2.2 Local Data (Customer Device)

User’s Device (we do not control or access):

  • Application configuration files
  • Local workspace data
  • Database connection credentials (encrypted in system keychain)
  • Query history and results (if using local workspaces)

User Control: Users can delete local data by:

  • Using application “Clear Local Data” function
  • Deleting workspace files manually
  • Uninstalling the application

2.3 Third-Party Subprocessors

See the Subprocessor List for all vendors with access to customer data. All subprocessors sign Data Processing Agreements ensuring equivalent or stronger data protection.

3. Retention Timelines

3.1 Standard Retention Periods

Data Category Retention Period Rationale
Account information Active + 90 days Account reactivation grace period
Cloud workspace data Active + 30 days User may need to export
Saved queries Active + 30 days User may need to recover work
Billing records 7 years Tax and legal compliance
Support tickets Closure + 3 years Quality assurance
Usage analytics (individual) 12 months Product improvement, then de-identified
Security logs 12 months Security investigations
Audit logs 12 months Compliance requirements
Backups 90 days rolling Disaster recovery

Aggregated, de-identified analytics: Retained indefinitely (no longer personal data)

3.2 Deletion Upon Request

Customer-initiated deletion: Completed within 60 days of request

What gets deleted:

  • Account data (email, name, preferences)
  • Cloud workspace data (saved queries, configurations)
  • Support ticket history (except legal compliance records)
  • Usage analytics (individual user data)

What’s retained (legal requirements):

  • Billing records (7 years for tax compliance)
  • Aggregated, de-identified analytics
  • Audit trail metadata (compliance)

For Educational Institutions: NDPA Retention Requirements

Timeline: 60 days from request or contract termination (NDPA Section 4.6)

What gets deleted (if applicable):

  • Cloud workspace data containing student information
  • Saved queries containing student PII
  • Support tickets containing student data

Audit logs: Retained for 12 months per compliance requirements (contains access records, not student content)

Process: See Section 6 below and Incident Response Plan

If data subject to legal hold (litigation, investigation):

  • Normal retention suspended
  • Data preserved until hold lifted
  • Legal counsel authorizes exceptions
  • Affected customers notified if legally permissible

4. Data Deletion Process

4.1 Deletion Methods

Soft Delete (reversible, 30-day grace period):

  • User-initiated account deletion or subscription cancellation
  • Records marked “deleted” but retained for recovery
  • Customer can reactivate within 30 days

Hard Delete (permanent, irreversible):

  • After 30-day grace period expires
  • Customer-requested deletion (completed within 60 days)
  • Includes: database records, file storage, exclusion from new backups
  • Backups age out per rotation schedule (90 days maximum)

4.2 Deletion by Storage Type

Cloud Database Records:

  • Soft delete: Set deleted_at timestamp, mark status as deleted
  • Hard delete: Permanently remove records from database
  • Automated cleanup script runs daily

File Storage:

  • Delete associated files and attachments
  • Verify deletion via automated script

Backups:

  • Exclude from new backups immediately
  • Old backups age out per 90-day rotation
  • Technical limitation: Cannot selectively remove from existing backups

Logs:

  • Redact or delete entries containing deleted user data
  • Document deletion request in audit trail

4.3 Verification

After deletion:

  1. Query databases to verify no records exist
  2. Check file storage for removed files
  3. Verify exclusion from new backups
  4. Document completion in deletion log
  5. Send confirmation to customer (if requested)

4.4 Exceptions to Deletion

Data we cannot delete (legal requirements):

  • Billing records (7 years for tax compliance)
  • Aggregated, de-identified analytics (no longer personal data)
  • Audit trail metadata (compliance requirement)
  • Security incident records (legal defense)

Transparency: Customers informed of exceptions in Privacy Policy before data collection

5. Data Export Process

5.1 Customer-Initiated Export

How to request:

  • Email: support@beekeeperstudio.io
  • Subject: “Data Export Request”
  • Include: Account email, what data you need

Timeline: Within 30 days of request (typically faster)

Export format:

  • JSON (account info, configurations)
  • SQL (saved queries)
  • CSV (tabular data)
  • ZIP archive (complete export)

Delivery:

  • Secure download link (expires after 7 days)
  • Encrypted email for small exports

What’s included:

  • Account information
  • Cloud workspace data (if applicable)
  • Saved queries and configurations
  • Support ticket history
  • Billing records (if requested)

See Also: Privacy Policy for data access rights under GDPR/CCPA

For Educational Institutions: NDPA Export Requirements

Timeline: Within 60 days (NDPA Section 4.6)

Request method:

  • Via designated LEA representative
  • Email to support@beekeeperstudio.io
  • Include: LEA name, NDPA effective date, scope of export

Export contents (if applicable):

  • Cloud workspace data containing student information
  • Saved queries containing student data
  • Support tickets containing student data

Format:

  • Standard machine-readable format (JSON, CSV, SQL)
  • Documented schema included

Delivery:

  • Secure encrypted download
  • SFTP to LEA-provided server (if requested)

Parent/Student Data Access Requests

Per NDPA Section 2.2:

Process:

  1. Parent/student submits request to LEA (school/district)
  2. LEA forwards to Beekeeper Studio
  3. We respond to LEA within 30 days
  4. LEA delivers to parent/student

Important: We respond to LEA only, not directly to parents/students. LEA verifies requestor identity and determines final delivery.

6. For Educational Institutions: NDPA Compliance Timeline

6.1 LEA Deletion Request

Timeline: 60 days from written request (NDPA Section 4.6)

Process:

  • Day 0-7: Acknowledge request, confirm scope
  • Day 7-30: Soft delete (no longer accessible)
  • Day 30-50: Hard delete from active storage
  • Day 50-60: Purge from backups (as they age out)
  • Day 60: Send deletion confirmation to LEA

Confirmation includes:

  • Categories of data deleted
  • Systems from which data removed
  • Any retained data with legal justification (audit logs, billing records)

6.2 Contract Termination

Timeline: 60 days from termination (NDPA Section 4.6)

Default: Delete all applicable data unless LEA requests:

  • Data export before deletion
  • Extended retention for specific purpose

Process:

  • T+7 days: Contact LEA to confirm disposition
  • T+14 days: Provide export if requested
  • T+30 days: Begin deletion
  • T+60 days: Deletion complete, confirmation sent

6.3 Parent/Student Access Request

Timeline: 30 days from receiving LEA request (NDPA Section 2.2)

Process:

  1. Receive request from LEA
  2. Identify and extract relevant data
  3. Prepare in accessible format (PDF + JSON/CSV)
  4. Deliver to LEA (not directly to parent/student)

Important: LEA verifies identity and handles final delivery to parent/student

7. Roles and Responsibilities

Security Contact / CTO (typically founder):

  • Oversees policy compliance
  • Approves deletion/export requests
  • Coordinates with customers on requests
  • Reports to executive team

Technical Team (contractors):

  • Implements deletion procedures
  • Maintains automated deletion scripts
  • Verifies successful deletion

Customer Support:

  • Receives and logs deletion/export requests
  • Communicates with customers
  • Escalates to Security Contact as needed

8. Data Minimization Principles

Collection Minimization:

  • Only collect data necessary for service
  • Desktop-first architecture (processing on customer devices)
  • Cloud workspace is optional feature

Purpose Limitation:

  • Data used only for stated purpose
  • No secondary use without consent
  • Never used for advertising or profiling

Retention Minimization:

  • Shortest practical retention periods
  • Automated deletion after retention expires
  • Regular cleanup of old data

Access Minimization:

  • Role-based access controls
  • Least privilege principle
  • MFA on all production systems

See Also: Information Security Policy

9. Customer Controls

Self-Service (when available):

  • Export data from account settings
  • Delete specific workspaces
  • Clear query history
  • Use local workspaces (avoid cloud storage)

Email Requests: support@beekeeperstudio.io

  • Subject: “Data Deletion Request” or “Data Export Request”
  • Include: Account email, scope of request

For LEAs: Use designated representative contact, reference NDPA agreement

See Also: Privacy Policy for data access rights

10. Compliance Monitoring

Over-Retention (keeping data too long)

Detection:

  • Automated monthly audits flag data past retention deadline
  • Alerts sent to Security Contact

Remediation:

  • Immediate deletion of over-retained data
  • Investigate why automation failed
  • Update deletion scripts

Reporting:

  • Log in compliance record
  • Notify affected customers if material breach

Premature Deletion (deleting too early)

Prevention:

  • Confirmation prompts for manual deletions
  • Legal hold checks before automated deletion
  • Backup verification

Recovery:

  • Restore from backups if possible
  • Notify affected customers
  • Document incident, improve procedures

11. Audit and Compliance

Internal Audits

Monthly (1st Friday, 30 minutes):

  • Review deletion queue
  • Check for over-retained data
  • Verify backups rotating correctly

Quarterly (1 hour):

  • Sample deletion requests to verify compliance
  • Review storage for data sprawl
  • Update data inventory if systems changed

Annually (November, during compliance week):

  • Full retention policy review
  • Update retention periods if needed
  • Assess legal/regulatory changes

See Also: Compliance Actions Calendar

External Audits

Customer Audits:

  • Cooperate with customer security reviews
  • Provide evidence of compliance
  • Respond to questionnaires within 30 days

Documentation maintained:

  • Deletion request log with completion dates
  • Export request history
  • Deletion verification reports

Compliance Targets

  • Deletion requests completed within 60 days: 100%
  • Export requests completed within 30 days: 100%
  • Average deletion processing time: <30 days

12. Special Considerations

When data subject to legal hold:

  1. Legal counsel notifies Security Contact
  2. Hold applied to specific data
  3. Automated deletion disabled
  4. Manual override required to lift hold
  5. Customers notified if hold affects their request

De-Identified Data

Definition: Data with all PII removed per NIST standards

Retention: Indefinitely (no longer personal data)

NDPA Compliance: Section 4.5 allows retention of de-identified data

Process:

  • Remove direct identifiers (names, IDs, emails)
  • Remove indirect identifiers (IPs, precise timestamps)
  • Aggregate to prevent re-identification

Metadata and Audit Trails

Challenge: Deleting user data while maintaining audit integrity

Solution:

  • Replace PII with pseudonymous identifiers in audit logs
  • Retain “User X did Action Y” but not who User X is
  • Document this exception in deletion confirmation

13. Policy Management

Review Schedule

Annual review: First week of November (compliance week)

Trigger-based review:

  • Changes in privacy laws
  • Significant infrastructure changes
  • After retention compliance incidents

Change Management

  1. Security Contact proposes updates
  2. Legal review (if needed)
  3. Technical review for feasibility
  4. Executive approval
  5. Notify customers of material changes
  6. Update related policies

Version control: All versions in Git with dated revisions

Security Policies

Contact

Data Requests: support@beekeeperstudio.io

  • Subject: “Data Deletion Request” or “Data Export Request”
  • Include: Account email, scope of request

LEA/NDPA Requests: support@beekeeperstudio.io

  • Include: LEA name, NDPA effective date, specific request

Policy Questions: support@beekeeperstudio.io

Document Information

Version: 2.0
Effective Date: 2026-02-09
Last Reviewed: 2026-02-09
Next Review Due: 2027-02-09
Owner: CTO / Security Contact
Approved By: CEO

Changes from v1.0: Clarified desktop app architecture, made NDPA requirements optional section, added cross-references to legal documents, simplified appendices.

Appendix A: Deletion Request Template

Customer/LEA Data Deletion Request

To: support@beekeeperstudio.io
Subject: Data Deletion Request

Requestor Information:

  • Name/Organization: ___________
  • Email (must match account): ___________
  • For LEAs: NDPA Effective Date: ___________

Request Details:

  • Date of Request: ___________
  • Reason: [ ] Account cancellation [ ] Contract termination [ ] Privacy request [ ] Other

Scope of Deletion:

  • All my data (standard)
  • Specific cloud workspaces (list: ___________)
  • Specific time period (dates: __ to __)

Optional:

  • Please export my data before deletion
  • Special instructions: ___________

Acknowledgment: I understand billing records will be retained for 7 years per tax requirements, and de-identified analytics may be retained indefinitely.

Signature/Confirmation: _________
**Date**: _____________

Appendix B: Data Export Manifest Template

Beekeeper Studio Data Export

Export Information:

  • Export Date: ___________
  • Requestor: ___________
  • Account Email: ___________
  • Export ID: ___________

Contents:

  • Account information
  • Cloud workspace data
  • Saved queries
  • Billing records
  • Support ticket history

Format: ZIP archive containing:

  1. account_data.json - Account info and settings
  2. workspaces.json - Workspace configurations (if applicable)
  3. queries.sql - Saved SQL queries
  4. README.txt - Data dictionary

Delivery:

  • Method: Secure download link
  • Expiration: 7 days from generation
  • File Size: ___________
  • SHA-256 Hash: ___________

Contact: support@beekeeperstudio.io (Reference Export ID: ___________)

Appendix C: Deletion Confirmation Certificate

Certificate of Data Deletion

Beekeeper Studio Data Deletion Confirmation

Requestor: _________
**Account Email**: ___________
**Request Date**: ___________
**Completion Date**: _____________

Data Deleted:

  • Account information
  • Cloud workspace data
  • Saved queries
  • Support ticket history
  • Usage analytics

Deletion Verification:

  • [✓] Deleted from production databases
  • [✓] Deleted from file storage
  • [✓] Redacted from operational logs
  • [✓] Excluded from new backups (will age out within 90 days)

Retention Exceptions (legal requirements):

  • Billing records (7-year tax compliance)
  • Aggregated, de-identified analytics (no longer personal data)
  • Audit trail metadata (compliance requirement)

Certification:
This confirms deletion was completed per our Data Retention and Deletion Policy.

Authorized by: _________
**Title**: CTO / Security Contact
**Date**: _____________
Organization: Beekeeper Studio
Contact: support@beekeeperstudio.io

Appendix D: Quick Reference - Retention Periods

Data Type Retention Period Legal Basis
Account data Active + 90 days Business need
Cloud workspaces Active + 30 days Business need
Billing records 7 years Tax compliance
Support tickets Closure + 3 years Quality assurance
Usage analytics (individual) 12 months Product improvement
Security logs 12 months Security monitoring
Audit logs 12 months Compliance
Backups 90 days rolling Disaster recovery
De-identified data Indefinitely Not personal data

For NDPA customers: Cloud workspace data containing student info: Contract + 60 days (NDPA Section 4.6)

Appendix E: Deletion Processing Checklist

60-Day Deletion Timeline

Day 0-7: Planning

  • Receive deletion request
  • Acknowledge within 24 hours
  • Confirm scope of deletion
  • Create tracking ticket
  • Identify all affected data (databases, files, logs)
  • Check for legal holds

Days 7-30: Soft Deletion

  • Mark records as deleted (no longer accessible)
  • Revoke access to cloud workspaces
  • Verify data not accessible to customer

Days 30-50: Hard Deletion

  • Permanently delete database records
  • Delete associated files from storage
  • Redact from operational logs
  • Exclude from new backups

Days 50-60: Verification and Confirmation

  • Verify no records in databases
  • Verify no files in storage
  • Generate verification report
  • Complete Deletion Confirmation Certificate
  • Send confirmation to requestor
  • File in compliance records
  • Close ticket

Success Criteria

  • No records in production systems
  • No files in storage
  • Excluded from new backups (old backups age out within 90 days)
  • Documented retention exceptions (billing, audit logs)
  • Confirmation delivered within 60 days