Data Retention Policy | Flowtriq

Data Retention Policy

Last updated April 28, 2026

This page documents how long each category of data collected by Flowtriq is retained, the reason it is kept for that period, and when it is permanently deleted.

Retention Principles

Flowtriq retains personal data only for as long as necessary to fulfil the purpose for which it was collected, or as required by law. When a retention period expires, data is permanently deleted or irreversibly anonymised. There is no indefinite or open-ended retention.

Customers may request early deletion at any time by emailing [email protected]. Requests are fulfilled within 30 days, subject to any legal hold obligations.

Retention Schedule

| Data Category | Retention Period | Reason & Notes |
|---|---|---|
| Network telemetry — raw (PPS/BPS per-second samples) | 25 hours | High-resolution metric data used for real-time detection. Automatically purged after the rolling 25-hour window. |
| Network telemetry — aggregated (5-minute, hourly, daily summaries) | 90 days | Rolled-up metrics retained for trend analysis, historical incident review, and dashboard charts. |
| PCAP (packet capture) files | 7 days (standard plans); up to 365 days (enterprise plans) | Stored outside the web root. Automatically deleted at end of the plan's retention window. Downloadable via time-limited tokens (24-hour expiry) during the retention window. |
| Incident records | Lifetime of account | DDoS incident history is a core product feature. Records remain available until account deletion. |
| Audit log entries | 90 days (standard plans); 1 year (enterprise plans) | SHA-256 hash-chained audit trail covering all user and system actions. Purged automatically per plan retention window. |
| Account data (name, email, workspace, role) | Active account; deleted immediately on confirmed account deletion | Permanently deleted upon account deletion confirmation. Billing records retained separately for 7 years. |
| Hashed passwords | Active account; deleted immediately on confirmed account deletion | bcrypt hashes only — plaintext passwords are never stored. Deleted with account data. |
| API keys (hashed) | Until revoked or account deleted | Stored as one-way hashes. Revocation is immediate. All keys deleted with account. |
| Session data | 30-day idle timeout | Sessions expire after 30 days of inactivity. Immediately invalidated on logout or password change. |
| Billing records (Stripe customer ID, subscription history) | 7 years | Retained to comply with financial reporting and tax obligations. Card data is held by Stripe, not Flowtriq. |
| Login and access logs | 90 days | IP address, timestamp, and outcome of authentication events. Used for security monitoring. |
| Newsletter subscriptions (email address) | Until opt-out | Retained until the subscriber unsubscribes. Opt-out is immediate via the unsubscribe link in any email. |
| Contact form submissions | 1 year | Used to respond to enquiries and maintain support records. |
| Notification channel credentials (webhook URLs, Slack tokens, PagerDuty keys) | Until removed by customer | Stored and retained until the customer deletes the integration. Deleted with account closure. |
| Agent registration tokens | Until revoked or account deleted | One-time registration tokens are consumed on use. Long-lived agent identity tokens are revoked on demand. |

Deletion on Account Closure

When an account is deleted or a subscription is cancelled, Flowtriq initiates a permanent deletion sequence:

  • All network telemetry, PCAP files, incident records, and audit logs are queued for deletion.
  • Account data (name, email, workspace settings) is deleted immediately upon confirmed deletion.
  • Billing records are retained for 7 years as required by financial law.
  • A deletion confirmation is available on request.

Data export before deletion: Customers may request a JSON or CSV export of their data before account closure. Submit requests to [email protected] at least 7 days before closing the account.

Legal Basis for Retention

Retention periods are set under the following legal bases (GDPR Article 6):

| Category | Legal Basis |
|---|---|
| Network telemetry, incident records, PCAP files | Performance of contract (Art. 6(1)(b)) — necessary to deliver the DDoS detection service. |
| Audit logs, login logs | Legitimate interests (Art. 6(1)(f)) — security monitoring and tamper-evidence. |
| Billing records | Legal obligation (Art. 6(1)(c)) — financial reporting and tax compliance. |
| Newsletter subscriptions | Consent (Art. 6(1)(a)) — opt-in only, revocable at any time. |

Contact

To request early deletion, a data export, or information about how your specific data is retained, contact [email protected]. We respond within 30 days as required by GDPR Article 12.

Related: Data Processing Agreement · Privacy Policy · Data Flow Document