Data Retention Policy
Last updated: April 11, 2026
This policy describes how SendStreak (Baryonix Kft) retains and deletes personal data in accordance with Art. 5(1)(e) of the General Data Protection Regulation (GDPR), which requires that personal data is kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which it is processed.
Retention schedule
| Data category | Retention period | Legal basis | Deletion method |
|---|---|---|---|
| Server access logs | 7 days | Legitimate interest (Art. 6(1)(f) GDPR) - security and abuse prevention | Automatic deletion |
| Website analytics data (Google Analytics) | 14 months | Consent (Art. 6(1)(a) GDPR) | Automatic deletion by Google |
| Contact and inquiry data | Until resolved, then reviewed every 2 years | Legitimate interest (Art. 6(1)(f) GDPR) - customer relationship management | Manual review and deletion |
| Account data (name, email, settings) | Duration of service agreement + 30 days | Contract performance (Art. 6(1)(b) GDPR) | Automatic deletion after grace period |
| Email content and metadata | Duration of service agreement | Contract performance (Art. 6(1)(b) GDPR) - customer controls retention via API/dashboard | Deleted upon account termination or customer request |
| Delivery and engagement data (open, click, bounce events) | Duration of service agreement | Contract performance (Art. 6(1)(b) GDPR) | Deleted upon account termination or customer request |
| API credentials | Duration of service agreement | Contract performance (Art. 6(1)(b) GDPR) | Immediately revoked and deleted upon account termination |
| Billing and invoicing data | 8 years from the end of the financial year | Legal obligation (Art. 6(1)(c) GDPR) - Hungarian Accounting Act (2000. evi C. torveny, section 169) | Deletion after statutory retention period expires |
| Cookie consent preferences | 1 year (renewed on each visit) | Legitimate interest (Art. 6(1)(f) GDPR) - compliance with cookie consent requirements | Automatic expiry |
Deletion procedures
Automatic deletion
For data categories with defined retention periods (such as server logs and analytics data), automated processes ensure that data is deleted once the retention period expires. These processes run on a regular schedule.
Account termination
When a customer terminates their account or requests deletion:
- The account is deactivated immediately.
- All email content, metadata, delivery data, and API credentials are deleted within 30 days.
- Billing and invoicing data is retained for the statutory period (8 years) as required by Hungarian law, but is restricted from further processing beyond what is legally required.
- Backup copies containing the deleted data are purged through the regular backup rotation cycle.
Customer-initiated deletion
Customers can request deletion of their personal data at any time by:
- Using the account deletion function in the SendStreak dashboard
- Contacting us at [email protected]
- Exercising their right to erasure under Art. 17 GDPR
We will respond to deletion requests without undue delay and in any event within 30 days, in accordance with Art. 12(3) GDPR. Where deletion is not possible due to legal retention obligations, we will inform the customer of the specific reason and the expected duration of continued storage.
Data processed on behalf of customers (processor role)
When acting as a data processor on behalf of our customers (the controllers), we process and retain personal data in accordance with the customer’s instructions and our Data Processing Addendum. Customers may request the return or deletion of all personal data processed on their behalf at any time during or after the term of the service agreement, as specified in the DPA.
Backup and recovery
Backup copies of data are created regularly for disaster recovery purposes. Backups are encrypted and stored securely. When data is deleted from production systems, it is also removed from backups through the regular backup rotation cycle. During the rotation period, backed-up data is protected by the same access controls and encryption as production data and is not used for any purpose other than disaster recovery.
Review
This policy is reviewed at least annually and updated as necessary to reflect changes in our processing activities, legal requirements, or business operations. The last review date is indicated at the top of this page.
Contact
If you have questions about our data retention practices, please contact us:
Baryonix Kft (SendStreak)
Kokut utca 0835/16
Eger, Hungary 3300
E: [email protected]
W: www.sendstreak.com