HEADSDOWN TRUST
Retention
This page states the conservative retention posture for HeadsDown trust launch. HeadsDown learns from outcomes, not your code. Final retention periods, export workflows, and customer-managed retention controls are not claimed as live here.
Draft trust page
This trust page is counsel-ready draft content, not a final published policy. It must stay draft-labeled until legal, security, product, subprocessor, and cookie/analytics reviews are complete.
The privacy boundary described here applies to implemented metadata-only agent-run event and outcome-reporting surfaces, and to the routing-decision API boundary when it ships. Older or user-entered product surfaces may store text deliberately submitted through those surfaces.
Prior versions are archived manually in source control before publication changes, following `docs/legal/archive/README.md`.
- Draft version
- 0.1
- Effective date
- Pending counsel review
- Last updated
- May 2, 2026
What we can say today
Account and rule state
Account settings, standing rules, connected-tool settings, and user state are kept while needed to provide the service and honor the user’s configuration.
Agent-run events and outcomes
Metadata-only event and outcome records support the decision feed, intervention receipts, value evidence, debugging, and calibration substrate.
Rejected submissions
When agent-run ingestion fails validation, HeadsDown records privacy-safe rejection metadata such as reason code and field path. Rejected payload contents are not stored.
Operational records
Operational logs, billing records, support records, and security events are kept as needed for service operation, compliance, dispute resolution, and abuse prevention.
Controls not claimed as live
HeadsDown is not claiming automatic deletion after a fixed number of days, user-configurable retention settings, customer-managed deletion, immutable audit export, or enterprise retention controls on this page. Those controls need final product, legal, security, and backend verification before they become public claims.
Deletion and export posture
Users can contact HeadsDown for privacy requests. Exact deletion/export workflows, service-level commitments, backup purge timing, and de-identification details are being finalized with the legal and enterprise package. Until that work is complete, this page does not promise self-serve export, hard deletion timelines, or customer-managed retention.