Data Retention Policy

Effective date: July 9, 2026

Company/product
Cracken / https://cracken.ai
Legal entity
CrackenAGI Ltd.
Registered office
3rd Floor, 1 Ashley Road, Altrincham, Cheshire, United Kingdom, WA14 2DT
Governing law for self-serve terms
England and Wales

1. Purpose

This Data Retention Policy defines how Cracken retains, deletes, exports, de-identifies and preserves data for self-serve services. It aligns with the Privacy Policy, Cookie Policy, DPA, Sub-processor List, Breach-Response Policy, Acceptable Use Policy, Rules of Engagement and Terms.

2. Principles

Cracken applies these retention principles:

  • retain data for the minimum period reasonably necessary for the relevant purpose and applicable law;
  • minimize secrets, regulated data and unnecessary personal data in evidence and logs;
  • provide customer deletion from main storage by request where legally and technically feasible;
  • preserve security, audit, billing, compliance and abuse-prevention records where necessary;
  • treat cybersecurity testing artifacts as sensitive confidential data;
  • de-identify or aggregate data where practical for long-term product analytics and model/system improvement;
  • suspend deletion where legally required, where a dispute or investigation is active, or where export/sanctions, prohibited reverse-engineering or abuse evidence must be preserved.

3. Data categories and retention approach

Data categoryExamplesPurposeRetention approachDeletion / de-identification actionNotes
Website visitor dataIP, cookie IDs, page views, referrer, campaign sourceAnalytics, marketing, securityMinimum period needed for analytics, consent, security and legal purposesDelete or aggregateMust align with Cookie Policy and consent settings
Essential and security logsIP, user agent, auth events, bot/security eventsSecurity, fraud, export/sanctions, abuse preventionRetained as needed for monitoring, investigations, legal defense, export/sanctions compliance and platform safetyDelete, aggregate or preserve for legal/security needLonger retention may be justified for an offensive-security platform
Account dataName, email, company, role, settingsAccount administrationRetained while the account or related legal, security, billing or support need existsDelete or anonymize after closure where feasibleAdmin audit history may be retained as needed
Billing recordsinvoices, payment metadata, tax/business infoSubscription, tax, accounting, disputesRetained for the minimum period required by finance, tax, accounting, dispute and legal obligationsRetain as legally required, then deletePayment card data should be handled by payment processor
Compliance screening recordsIP location, sanctions/export checks, supporting documents, verification outcomeEligibility, export/sanctions, anti-abuseRetained as needed to show compliance, prevent evasion and investigate restricted useRetain restricted evidence as legally justifiedSensitive; restrict access
RoE and authorization recordsaccepted RoE, target ownership proof, written authorizationProve lawful testing scopeRetained while service, claims, regulatory, abuse-prevention or legal-defense risk existsDelete when no longer neededCracken may request these ad hoc for risk users/features/actions/triggers
Customer testing targets and configurationsdomains, IP ranges, credentials metadata, scopesService deliveryRetained while needed to provide the service or until deletion is requested, subject to exceptionsDelete/export on request or termination where feasibleAvoid storing plaintext secrets where possible
Vulnerability evidence and reportsfindings, screenshots, logs, payload evidence, exploit tracesCustomer reporting, validation, remediationRetained while needed for service delivery, customer access, legal defense, security investigations and agreed reportingExport/delete/de-identifyHigh sensitivity; minimize production data
Prompts, agent traces and model contextuser prompts, LLM context, workflow chain tracesService delivery, debugging, safety, customer-specific adaptation and approved improvementRetained as needed for service operation, safety, debugging, customer-specific improvement and approved de-identified telemetry; optional improvement storage is enabled by default below Pro and opt-out may be available for Pro plan and higher subscriptionsDelete, redact, de-identify, honor applicable opt-out controls or include only in approved datasetsNo cross-customer customer-content training by default unless separately agreed or enabled
Support recordstickets, support portal submissions at https://crackenai.featurebase.app/, feedback, approval requests, comments, emails, attachmentsSupport, troubleshooting, customer success, high-risk target approval and product feedbackRetained while needed to support the customer, resolve issues, handle approvals and maintain legal/security historyDelete or anonymizeWatch for secrets uploaded by customers
Product analyticsfeature usage, events, aggregate metricsImprovement, reliability, marketing attributionRetained in identifiable form only as needed; aggregated/de-identified analytics may be retained longer where lawfulAggregate/de-identifyConsent may be required for some analytics
Backupssnapshots, replicated storesRecovery and resilienceRetained only as long as reasonably necessary for resilience, security, legal or operational purposesExpire through backup lifecycleDeletion from backups may occur through backup expiry rather than immediate purge
Legal holds and investigationspreserved account/content/security evidenceDispute, incident, law enforcement, complianceRetained until the hold, investigation or legal need is releasedPreserve securely, then apply ordinary retentionAccess strictly limited

4. Export and deletion after termination

Cracken will aim to make customer reports, findings and selected account data exportable where technically feasible. Customer data in main storage may be deleted by request, subject to legal, security, abuse-prevention, export/sanctions, backup and dispute exceptions.

Deletion may not immediately remove data from immutable backups, security logs, billing records, legal holds, compliance evidence or aggregated/de-identified datasets. Cracken will protect retained data and limit it to the applicable purpose.

5. Security-log and abuse-evidence retention

Cracken tracks user activity and reviews it through monitoring systems to detect violations of rules, unauthorized testing, unsafe activity, fraud, export/sanctions issues and other abuse. If a subscription is suspended or terminated for suspected or confirmed unauthorized hacking, RoE breach, export/sanctions issue, fraud, abuse, illegal conduct or other serious violation, Cracken may preserve relevant records, logs, evidence and communications for investigation, enforcement, legal defense, regulatory cooperation and prevention of repeat abuse.

6. Export/sanctions and abuse-evidence retention

Cracken's self-serve export/sanctions baseline restricts access from, for the benefit of, or in connection with: Russia; Belarus; Cuba; Iran; North Korea / DPRK; Syria; Crimea / Sevastopol / occupied or non-government-controlled Ukrainian territories, including Donetsk, Luhansk, Kherson and Zaporizhzhia areas; and any other restricted party, end use, sector, transaction or territory under applicable EAR, ITAR, OFAC, EU, UK, UN or similar rules. Cracken may retain compliance screening records, security logs and abuse evidence as needed to demonstrate compliance, prevent evasion, investigate misuse and preserve legal rights.

7. Model/system improvement retention

Cracken's self-serve posture is aggregated/de-identified telemetry for self-serve product and system improvement, and separate negotiated permission or applicable customer setting for customer-content training for cross-customer model improvement. Customer content may be used during the subscription for customer-specific model adaptation and customer-specific service improvement.

For all plans below the Pro plan, storage for product, safety, abuse-prevention, model, agent and system improvement is enabled by default, subject to this policy, the Terms and applicable law. For Pro plan and higher subscriptions, customers may opt out of optional improvement storage where Cracken makes that control available. Opt-out does not require Cracken to delete or stop retaining data needed for service delivery, security, billing, export/sanctions compliance, abuse prevention, incident response, legal obligations, disputes, backups or enforcement.

Data approved for model/system improvement should be governed by a separate pipeline:

  • intake eligibility check;
  • customer authorization/contract status verification where needed;
  • classification and sensitivity review;
  • removal of secrets, credentials and unnecessary personal data where practical;
  • de-identification or aggregation where feasible;
  • access restriction to approved personnel/systems;
  • traceability to customer permission status where required;
  • deletion or exclusion process when permission is withdrawn, where technically feasible and legally required.

8. Responsibilities

Data owner: Cracken product and engineering leadership

Security owner: security@cracken.ai

Privacy/legal owner: privacy@cracken.ai and legal@cracken.ai

Deletion request intake: privacy@cracken.ai

9. Review

This policy should be reviewed at least annually, ad hoc after material incidents, and after significant changes to product architecture, sub-processors, AI-training posture, legal requirements or self-serve subscription terms.