Data retention
Data retention tells you how long e-satisfaction keeps each type of your organization's data, and lets you turn on anonymization so personal and sensitive details are permanently hashed once they reach an age you choose. The result: you keep the long-term insights your analytics need, while reducing the personal data your organization actually holds. Admin only
How long data is kept
Your data doesn't live in just one place. It can sit in up to three storage layers at the same time, each kept for a different length of time:
- Application data — the live store you work with day to day. Kept the shortest time.
- Data warehouse — an analytical copy that keeps a longer history, so trends and year-over-year reporting still work.
- Cold storage — a long-term archive for compliance and recovery. Kept the longest.
A single record can exist in several layers at once, so the same survey response might still be in cold storage long after it has aged out of the application.
The table below shows the maximum retention period for each category of data, in each layer.
| Data category | What it covers | Application | Data warehouse | Cold storage |
|---|---|---|---|---|
| Configuration | Workspaces, monitors, questionnaires | Forever | Forever | Forever |
| Usage / Transactional | Surveys, alerts | 1 year | 3 years | 5 years |
| Catalog | Customers | Forever | Forever | Forever |
| Logs | Queue items | 60 days | 3 years | 5 years |
| Analytics | Usage metadata | N/A | 3 years | 5 years |
These are maximums
The figures above are the longest a record is kept in each layer. Anonymization, described below, can strip personal details from eligible data before it reaches the end of its retention period.
How data is classified
Separately from how long it's kept, every piece of data is classified by sensitivity. This classification is what decides how strongly the data is protected and, crucially, what gets anonymized:
- Public — no harm if seen.
- Internal — operational data that isn't personal.
- Confidential (PII) — anything that identifies a person: names, emails, phone numbers, linked IDs.
- Sensitive — regulated or high-risk data: financial details, health information, government IDs.
Only Confidential (PII) and Sensitive values are ever anonymized. Public and Internal data, and your Configuration and Catalog records, are left untouched.
Data anonymization
Anonymization hashes and hides personal and sensitive data once it reaches the age you set. It applies to every workspace in your organization at once.
It works as a one-way hash. The original value — say, an email address — is replaced with a fixed-length fingerprint that can't be turned back into the original. This permanently severs the link between the value and the person, and cannot be reversed or recovered. The rest of the record stays useful for analytics.
Because the same input always produces the same fingerprint, history-dependent features keep working even after anonymization. For example, frequency caps that stop you over-messaging the same contact still recognise that two hashed values came from the same person — without ever exposing who that person is.
Turn anonymization on
Enable data anonymization
Switch on the Enable data anonymization toggle. This is an organization-level setting — it applies to all your workspaces.
Choose the age
Under Anonymize data after, pick how old data must be before it's anonymized. Choose a preset of 1, 2, 3, 4 or 5 years, or select Custom to enter a value in months (minimum 1).
Confirm with your password
Saving requires your password to confirm. Once saved, anonymization runs in the background across all workspaces.
Anonymization is permanent
Anonymization is permanent — once data is anonymized it cannot be recovered. For large datasets, changes may take some time to fully apply.
What gets anonymized
Anonymization only touches Usage / Transactional and Logs data, and within those, only the Confidential (PII) and Sensitive values. A value is hashed only once two conditions are both true: its metadata is marked for anonymization, and the record is older than your retention age.
Here's what that means in practice once data passes your retention age:
- Survey responses — the personal values stored in each response's instance metadata are hashed.
- Responders — the personal values in each responder's metadata are hashed.
- Refer campaigns — the referrer and the referred contacts are hashed, once the referral emails have already been sent.
- Callback campaigns — the captured phone or contact value and the name are hashed, once the callback alert has been resolved. For example, a customer's phone number on a resolved callback is hashed once it's older than your retention window.
- Queue items — the queue metadata values and the recipient's contact identifier are hashed, once the item is no longer pending, processing or failed.
In short, the parts of a record that identify a person become fingerprints, while everything you rely on for reporting stays in place. To see the queue items this applies to, visit the Dispatch queue.