Data Deletion Rights

Last updated: February 14, 2026

You have the right to request deletion of your personal data at any time. This page explains what data we hold, how to request deletion, and what happens when you do.

Legal Basis

Your right to data deletion is protected under:

  • GDPR Article 17 — Right to Erasure ("Right to be Forgotten")
  • CCPA §1798.105 — Right to Deletion
  • Colorado Privacy Act §6-1-1306 — Right to Delete Personal Data

What Data We Hold

Account Data

  • Email address
  • Name (if provided)
  • Organization name (if provided)
  • Authentication credentials

Assessment Data

  • Compliance assessment responses
  • Generated reports and evidence
  • AI security scan results
  • Governance check results

Usage Data

  • Feature usage logs
  • Session timestamps
  • API usage records

Billing Data

  • Subscription status
  • Payment history (via Stripe)
  • Invoice records

How to Request Deletion

Submit a Deletion Request

  1. Send an email: Email privacy@haiec.com with subject line "Data Deletion Request".
  2. Include your details: Include the email address associated with your HAIEC account so we can locate your data.
  3. Specify scope: Tell us whether you want complete account deletion or specific data deletion (e.g., only assessment data).
  4. Receive confirmation: We will confirm receipt within 3 business days and complete deletion within 30 days.

Deletion Timeline

  • Day 1-3: Acknowledgment email sent confirming receipt of request
  • Day 3-7: Identity verification (if needed) and scope confirmation
  • Day 7-25: Data deletion from primary systems and databases
  • Day 25-30: Backup purge and final confirmation email sent

What Gets Deleted

Deleted

  • Your account and profile data
  • All compliance assessment data
  • Generated reports and evidence
  • AI security scan results
  • External AI snapshot data
  • API keys and integrations
  • Usage logs tied to your account

Retained (Legal Obligation)

  • Financial transaction records (7 years — tax law)
  • Audit logs required by compliance frameworks
  • Data needed to resolve pending disputes
  • Anonymized, aggregated analytics (non-personal)

Third-Party Data Deletion

When you request deletion, we also instruct our subprocessors to delete your data:

  • Stripe: Payment data is retained by Stripe per their retention policy. Contact Stripe directly for payment data deletion.
  • Resend: Email delivery logs are purged within 30 days of our request.
  • Vercel: Application logs containing your data are purged per Vercel's retention policy.
  • Neon: Database records are permanently deleted as part of our deletion process.

Questions?

For questions about data deletion or to submit a request, contact us at privacy@haiec.com.