Data Retention Policy
Effective date: July 9, 2026
- Company/product
- Cracken / https://cracken.ai
- Legal entity
- CrackenAGI Ltd.
- Registered office
- 3rd Floor, 1 Ashley Road, Altrincham, Cheshire, United Kingdom, WA14 2DT
- Governing law for self-serve terms
- England and Wales
1. Purpose
This Data Retention Policy defines how Cracken retains, deletes, exports, de-identifies and preserves data for self-serve services. It aligns with the Privacy Policy, Cookie Policy, DPA, Sub-processor List, Breach-Response Policy, Acceptable Use Policy, Rules of Engagement and Terms.
2. Principles
Cracken applies these retention principles:
- retain data for the minimum period reasonably necessary for the relevant purpose and applicable law;
- minimize secrets, regulated data and unnecessary personal data in evidence and logs;
- provide customer deletion from main storage by request where legally and technically feasible;
- preserve security, audit, billing, compliance and abuse-prevention records where necessary;
- treat cybersecurity testing artifacts as sensitive confidential data;
- de-identify or aggregate data where practical for long-term product analytics and model/system improvement;
- suspend deletion where legally required, where a dispute or investigation is active, or where export/sanctions, prohibited reverse-engineering or abuse evidence must be preserved.
3. Data categories and retention approach
| Data category | Examples | Purpose | Retention approach | Deletion / de-identification action | Notes |
|---|---|---|---|---|---|
| Website visitor data | IP, cookie IDs, page views, referrer, campaign source | Analytics, marketing, security | Minimum period needed for analytics, consent, security and legal purposes | Delete or aggregate | Must align with Cookie Policy and consent settings |
| Essential and security logs | IP, user agent, auth events, bot/security events | Security, fraud, export/sanctions, abuse prevention | Retained as needed for monitoring, investigations, legal defense, export/sanctions compliance and platform safety | Delete, aggregate or preserve for legal/security need | Longer retention may be justified for an offensive-security platform |
| Account data | Name, email, company, role, settings | Account administration | Retained while the account or related legal, security, billing or support need exists | Delete or anonymize after closure where feasible | Admin audit history may be retained as needed |
| Billing records | invoices, payment metadata, tax/business info | Subscription, tax, accounting, disputes | Retained for the minimum period required by finance, tax, accounting, dispute and legal obligations | Retain as legally required, then delete | Payment card data should be handled by payment processor |
| Compliance screening records | IP location, sanctions/export checks, supporting documents, verification outcome | Eligibility, export/sanctions, anti-abuse | Retained as needed to show compliance, prevent evasion and investigate restricted use | Retain restricted evidence as legally justified | Sensitive; restrict access |
| RoE and authorization records | accepted RoE, target ownership proof, written authorization | Prove lawful testing scope | Retained while service, claims, regulatory, abuse-prevention or legal-defense risk exists | Delete when no longer needed | Cracken may request these ad hoc for risk users/features/actions/triggers |
| Customer testing targets and configurations | domains, IP ranges, credentials metadata, scopes | Service delivery | Retained while needed to provide the service or until deletion is requested, subject to exceptions | Delete/export on request or termination where feasible | Avoid storing plaintext secrets where possible |
| Vulnerability evidence and reports | findings, screenshots, logs, payload evidence, exploit traces | Customer reporting, validation, remediation | Retained while needed for service delivery, customer access, legal defense, security investigations and agreed reporting | Export/delete/de-identify | High sensitivity; minimize production data |
| Prompts, agent traces and model context | user prompts, LLM context, workflow chain traces | Service delivery, debugging, safety, customer-specific adaptation and approved improvement | Retained as needed for service operation, safety, debugging, customer-specific improvement and approved de-identified telemetry; optional improvement storage is enabled by default below Pro and opt-out may be available for Pro plan and higher subscriptions | Delete, redact, de-identify, honor applicable opt-out controls or include only in approved datasets | No cross-customer customer-content training by default unless separately agreed or enabled |
| Support records | tickets, support portal submissions at https://crackenai.featurebase.app/, feedback, approval requests, comments, emails, attachments | Support, troubleshooting, customer success, high-risk target approval and product feedback | Retained while needed to support the customer, resolve issues, handle approvals and maintain legal/security history | Delete or anonymize | Watch for secrets uploaded by customers |
| Product analytics | feature usage, events, aggregate metrics | Improvement, reliability, marketing attribution | Retained in identifiable form only as needed; aggregated/de-identified analytics may be retained longer where lawful | Aggregate/de-identify | Consent may be required for some analytics |
| Backups | snapshots, replicated stores | Recovery and resilience | Retained only as long as reasonably necessary for resilience, security, legal or operational purposes | Expire through backup lifecycle | Deletion from backups may occur through backup expiry rather than immediate purge |
| Legal holds and investigations | preserved account/content/security evidence | Dispute, incident, law enforcement, compliance | Retained until the hold, investigation or legal need is released | Preserve securely, then apply ordinary retention | Access strictly limited |
4. Export and deletion after termination
Cracken will aim to make customer reports, findings and selected account data exportable where technically feasible. Customer data in main storage may be deleted by request, subject to legal, security, abuse-prevention, export/sanctions, backup and dispute exceptions.
Deletion may not immediately remove data from immutable backups, security logs, billing records, legal holds, compliance evidence or aggregated/de-identified datasets. Cracken will protect retained data and limit it to the applicable purpose.
5. Security-log and abuse-evidence retention
Cracken tracks user activity and reviews it through monitoring systems to detect violations of rules, unauthorized testing, unsafe activity, fraud, export/sanctions issues and other abuse. If a subscription is suspended or terminated for suspected or confirmed unauthorized hacking, RoE breach, export/sanctions issue, fraud, abuse, illegal conduct or other serious violation, Cracken may preserve relevant records, logs, evidence and communications for investigation, enforcement, legal defense, regulatory cooperation and prevention of repeat abuse.
6. Export/sanctions and abuse-evidence retention
Cracken's self-serve export/sanctions baseline restricts access from, for the benefit of, or in connection with: Russia; Belarus; Cuba; Iran; North Korea / DPRK; Syria; Crimea / Sevastopol / occupied or non-government-controlled Ukrainian territories, including Donetsk, Luhansk, Kherson and Zaporizhzhia areas; and any other restricted party, end use, sector, transaction or territory under applicable EAR, ITAR, OFAC, EU, UK, UN or similar rules. Cracken may retain compliance screening records, security logs and abuse evidence as needed to demonstrate compliance, prevent evasion, investigate misuse and preserve legal rights.
7. Model/system improvement retention
Cracken's self-serve posture is aggregated/de-identified telemetry for self-serve product and system improvement, and separate negotiated permission or applicable customer setting for customer-content training for cross-customer model improvement. Customer content may be used during the subscription for customer-specific model adaptation and customer-specific service improvement.
For all plans below the Pro plan, storage for product, safety, abuse-prevention, model, agent and system improvement is enabled by default, subject to this policy, the Terms and applicable law. For Pro plan and higher subscriptions, customers may opt out of optional improvement storage where Cracken makes that control available. Opt-out does not require Cracken to delete or stop retaining data needed for service delivery, security, billing, export/sanctions compliance, abuse prevention, incident response, legal obligations, disputes, backups or enforcement.
Data approved for model/system improvement should be governed by a separate pipeline:
- intake eligibility check;
- customer authorization/contract status verification where needed;
- classification and sensitivity review;
- removal of secrets, credentials and unnecessary personal data where practical;
- de-identification or aggregation where feasible;
- access restriction to approved personnel/systems;
- traceability to customer permission status where required;
- deletion or exclusion process when permission is withdrawn, where technically feasible and legally required.
8. Responsibilities
Data owner: Cracken product and engineering leadership
Security owner: security@cracken.ai
Privacy/legal owner: privacy@cracken.ai and legal@cracken.ai
Deletion request intake: privacy@cracken.ai
9. Review
This policy should be reviewed at least annually, ad hoc after material incidents, and after significant changes to product architecture, sub-processors, AI-training posture, legal requirements or self-serve subscription terms.
