Retention — Admin & Privacy

Storage limitation, made enforceable.

GDPR Art. 5(1)(e) says personal data must be kept "no longer than is necessary." Below is the live retention table, sourced from src/lib/server/config.ts, and the timestamps of the cron jobs that enforce it. If the schedule slips, this page is the proof.

Per-table retention

Live values

Table	Window	Policy	Why this number
`analytics.events`	60 days (~2 months)	Hard DELETE on daily cron	Individual page views, journey transitions. Past this window, only the daily aggregate row survives.
`analytics.sessions`	60 days (~2 months)	Hard DELETE on daily cron	Per-visit metadata: started_at, last_seen, consent_tier. Same retention as events to keep the join clean.
`analytics.daily_page_stats`	365 days (~1 years)	Hard DELETE on daily cron	Pre-aggregated rollups (path / day / count). No individual visitor data — kept longer to draw long-term traffic trends.
`analytics.consent_events`	395 days (~1.1 years)	Hard DELETE on daily cron	Proof of consent (or its withdrawal). 13 months satisfies Art. 7(1) demonstrability without overshooting.
`feedback.feedback`	—	Manual deletion only	User-authored content. We have no automatic expiry; you can request removal at any time and the operator deletes the row.
`auth.session`	—	Better Auth session expiry	Sessions expire on their own per Better Auth config. Logout invalidates immediately.

Cron status

Live

Loading…

How a row dies

Daily at 02:00 UTC Vercel Cron pings /api/cron/analytics-cleanup with a Bearer token.
The job computes today's cutoffs from ANALYTICS_RETENTION_DAYS and CONSENT_RETENTION_DAYS.
A single DELETE per table removes everything older than the cutoff. No soft delete, no archival bucket — the row is gone.
The run is recorded in jobs.job_executions with rows-deleted, status, duration. That table is what this page reads.
If the schedule slips beyond 26 hours, the badges above flip to "overdue" and the /admin/analytics tile flags it too.