Data Retention
Data retention defines how long information is kept in Nairo and how deletion is handled.
This page describes Nairo’s current position on retention. It is intended for customer administrators, legal, security and compliance stakeholders reviewing Nairo’s data lifecycle.
For contractual retention, deletion and termination commitments, refer to the applicable agreement and data processing terms with Nairo.
Current state
Nairo does not currently provide a self-serve customer admin UI for configuring data retention policies.
Retention of data stored in Nairo is governed by:
- Platform-level retention practices managed by Nairo
- Contractual terms in the customer agreement
- Applicable legal and regulatory requirements
- Any agreed onboarding, pilot or termination process
If your organisation has specific retention requirements, discuss them with Nairo before uploading sensitive or regulated materials.
What data may be retained
Depending on the surfaces used, Nairo may retain several categories of workspace data.
| Data type | Examples |
|---|---|
| Uploaded files | Documents uploaded to Library, Projects or supported product surfaces |
| Document metadata | File name, status, storage references, processing state and workspace associations |
| Derived document data | Extracted text, structured values, chunks, embeddings or review outputs where created |
| Assistant conversations | Conversation history and messages where conversation history is supported |
| Project materials | Uploaded Project files, Project context and outputs where supported |
| Insight Table reviews | Reviews, columns, cell outputs and execution results |
| Library records | Folders, document references and sharing records |
| Expert configuration | Expert instructions, selected materials or settings where supported |
| Action data | Action inputs, run outputs or deliverables where supported |
| Operational records | Processing events, sharing events, audit-style records and logs where created |
Not every workspace uses every data type. Retention depends on the product surfaces enabled, the customer’s use case and the implementation scope.
Uploaded files and derived data
Uploaded documents may generate derived data during processing.
Derived data may include extracted text, structured fields, chunks, embeddings, review cell values or other intermediate outputs used for retrieval, analysis and AI-assisted review.
Deleting or removing a source document may not always be equivalent to immediately removing every related operational record, log, backup or derived record unless the deletion process explicitly covers those items.
Customer-specific deletion requirements should be confirmed with Nairo.
Application deletion
Users may be able to delete certain workspace objects through the application UI where deletion is supported.
This may include items such as documents, folders, Projects, reviews or other workspace records depending on the product surface and configuration.
Deletion behaviour is handled at platform level and may vary by object type.
For contractual deletion requests, including deletion after contract termination, customers should contact Nairo and follow the agreed data deletion process.
Backups and operational records
Retention and deletion of backups, operational logs, processing records and audit-style events may follow separate platform processes.
These records may be retained for security, operational, debugging, compliance or service integrity purposes, subject to the applicable agreement and data processing terms.
Customers should not assume that deleting an item from the UI immediately removes all related backups, logs or operational records.
Contract termination
Upon contract termination, deletion or return of customer data should follow the agreed contractual process.
The customer and Nairo should confirm:
- Which data types are in scope
- Whether data should be deleted, exported or returned
- Whether derived data is included
- Whether logs or operational records are excluded or retained for a defined period
- The expected deletion timeline
- Any legal, regulatory or dispute-related retention requirements
Capabilities not available today
The following are not available as self-serve capabilities in the current application UI:
- Configurable retention periods
- Automated deletion schedules
- Legal hold management
- Customer-managed retention rules by document type
- Self-serve data residency configuration
- Self-serve export and purge workflows for every data type
These requirements should be handled through contractual terms, onboarding decisions and agreed operational processes.
Organisational responsibility
Customer organisations should define their own retention approach before using Nairo for production workflows.
This should include:
- Which document types may be uploaded
- Which AI-assisted outputs must be retained
- Which outputs must be copied to a system of record
- Which users may delete workspace materials
- How long review outputs should be kept
- How deletion requests should be approved internally
- What should happen when a pilot or contract ends
Nairo should not be treated as the customer’s official records management system unless this has been agreed explicitly.
Related areas
- Data Handling
- Security Overview
- Tenant Isolation
- Library
- AI Usage and Human Review
- Subprocessors
- FAQ
Getting started
Review your contractual data processing terms with Nairo and document which Nairo data types fall under your organisation’s retention schedule.
Before a pilot, decide which materials can be uploaded, which outputs must be exported to systems of record and what should happen to workspace data when the pilot ends.