Data Retention Policy: Soft Delete & PII Cleanup
Available from: v1.0.82
The platform now includes a built-in data retention system that supports GDPR Article 17 (right to erasure) compliance. This document explains how soft deletion works, how the scheduled purge job operates, and how to configure the retention window for your organisation.
How It Works
Data retention is handled in two stages:
- Soft Delete — Records are marked as deleted and hidden from the product immediately, but are not yet removed from storage.
- Scheduled Purge — A background job runs on a schedule and permanently destroys all records (and their associated assets) whose retention period has expired.
This two-stage approach gives operators an auditable window between a deletion action and permanent destruction, and provides a consistent mechanism for responding to right-to-erasure requests.
Soft Deletion
When a course, lesson, or user record is deleted, the platform now performs a soft delete instead of immediately removing the row from the database.
- The record is stamped with a `deleted_at` timestamp.
- All standard queries automatically exclude soft-deleted records — they are invisible to learners, admins, and API consumers under normal operation.
- The `deleted_at` timestamp is used by the purge job to determine when the record becomes eligible for permanent removal.
Affected Record Types
| Record Type | Soft Delete Supported |
|---|---|
| Courses | ✅ |
| Lessons | ✅ |
| User records (including PII) | ✅ |
Scheduled Purge Job
A scheduled Inngest job runs automatically in the background. Its responsibilities are:
- Identify eligible records — Query for soft-deleted records where `deleted_at` is older than the configured retention period.
- Purge database records — Permanently delete the rows from the database.
- Remove Vercel Blob assets — Delete all associated files stored in Vercel Blob (uploaded images, documents, video attachments, etc.) to prevent orphaned assets accumulating in storage.
The job runs on a schedule and requires no manual intervention once configured.
Configuring the Retention Period
The retention window is configurable at the platform level, allowing you to set a period that aligns with your legal obligations or internal data governance policies.
- For GDPR compliance, operators typically configure a short window (e.g. 30 days) to limit the time PII remains in the system after a deletion request.
- For operational safety (e.g. accidental deletion recovery), a longer window may be appropriate for non-PII records such as course content.
Consult your legal team to determine the appropriate retention period for your jurisdiction and use case before configuring this value in production.
GDPR Right-to-Erasure Compliance
This feature is designed to support obligations under GDPR Article 17 — Right to Erasure ("right to be forgotten").
Typical Workflow for an Erasure Request
- An erasure request is received from a data subject.
- An admin soft-deletes the user record (and any associated courses or lessons created by that user, if applicable).
- The record is immediately hidden from all product surfaces.
- The scheduled purge job permanently destroys the record and all associated PII from the database and Vercel Blob storage once the retention period elapses.
What Gets Removed
When a user record is purged, the following data is permanently deleted:
- All personally identifiable information (PII) stored on the user record in the database.
- All files associated with the user record stored in Vercel Blob (e.g. profile images, uploaded documents).
Note: Audit logs and anonymised analytics data that do not contain PII are outside the scope of this purge process.
Operational Notes
- No data is recoverable after the purge job runs. Ensure your retention window is long enough to handle any legitimate recovery scenarios before permanent deletion occurs.
- The Inngest job will appear in your Inngest dashboard under your scheduled functions. You can monitor run history and failures from there.
- Vercel Blob asset deletion is performed as part of the same job run. If the Inngest job fails mid-run, it will retry — asset deletion is handled safely to avoid double-delete errors.
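The eligibility check and retry behaviour described above, as an added sketch that is not the platform's own code: in-memory stand-ins replace the database and Vercel Blob, and every name (`isEligible`, `purgeExpired`, `makeBlobStore`) and sample record is constructed. It assumes assets are deleted before the row, so a run that fails part-way leaves the row in place for the retry.

```javascript
// Added example with constructed data; in-memory stand-ins for the DB and blob store.
const DAY_MS = 24 * 60 * 60 * 1000;
// Eligible only if soft-deleted and deleted_at is older than the retention window.
function isEligible(record, now, retentionDays) {
  if (!record.deleted_at) return false; // live record: never purge
  return now - Date.parse(record.deleted_at) > retentionDays * DAY_MS;
}

// One purge pass. Assets go first and the row last, so a failure mid-run leaves
// the row (and its asset list) in place for the retry to finish the job.
function purgeExpired(db, blobs, now, retentionDays) {
  const purged = [];
  for (const [id, record] of [...db]) {
    if (!isEligible(record, now, retentionDays)) continue;
    for (const url of record.assets) blobs.remove(url); // must tolerate repeats
    db.delete(id);
    purged.push(id);
  }
  return purged;
}

// Blob store whose remove() ignores already-deleted keys; fails once on `failOn`.
function makeBlobStore(urls, failOn) {
  const files = new Set(urls);
  let armed = failOn;
  return {
    files,
    remove(url) {
      if (url === armed) { armed = null; throw new Error("simulated outage"); }
      files.delete(url); // deleting a missing key is a no-op, not an error
    },
  };
}

function demo() {
  const now = Date.parse("2024-03-01T00:00:00Z");
  const db = new Map([
    ["user-1", { deleted_at: "2024-01-15T00:00:00Z", assets: ["a/1.png", "a/2.pdf"] }],
    ["user-2", { deleted_at: "2024-02-20T00:00:00Z", assets: ["b/1.png"] }],
    ["course-9", { deleted_at: null, assets: ["c/1.mp4"] }],
  ]);
  const blobs = makeBlobStore(["a/1.png", "a/2.pdf", "b/1.png", "c/1.mp4"], "a/2.pdf");
  let firstRunFailed = false;
  try { purgeExpired(db, blobs, now, 30); } catch { firstRunFailed = true; }
  const rowKept = db.has("user-1"); // still present, so the retry can find it
  const purged = purgeExpired(db, blobs, now, 30); // retry completes the purge
  return { firstRunFailed, rowKept, purged, left: [...db.keys()], files: [...blobs.files].sort() };
}
console.log(demo());
```

Deleting the row first would lose the list of asset URLs if the run failed afterwards, leaving PII files in storage with nothing pointing at them.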
Summary
| Capability | Detail |
|---|---|
| Soft delete | Courses, lessons, user records |
| Permanent purge trigger | Scheduled Inngest job |
| Asset cleanup | Vercel Blob (images, documents, attachments) |
| Retention window | Configurable |
| Compliance | GDPR Article 17 (right to erasure) |