Effective date: May 12, 2026 · Last updated: May 12, 2026
Applies to: buy.attestlayer.com direct-buyer purchase paths.
This page governs buy.attestlayer.com and the direct-buyer purchase paths reachable from it. Companywide AttestLayer policies may apply separately where expressly referenced, but this buy-site page controls for direct-buyer purchases made on buy.attestlayer.com.
Buy site retention
Data retention — buy.attestlayer.com
Default retention periods for data processed through buy.attestlayer.com. Written agreements can specify different periods that override the defaults below.
1. What this page covers
This page describes the default retention periods AttestLayer applies to data processed through buy.attestlayer.com for direct-buyer purchases. A written agreement (for example, a counter-signed DPA or master agreement) can specify different periods that override the defaults below.
| Category | Default retention | Basis |
|---|---|---|
| Supplied records uploaded into a workspace | For the active term of the purchased offer plus 90 days, then deleted unless a written agreement states a longer period. | Deliver the purchased offer; allow re-export and packet support. |
| Issued evidence packets, manifests, receipts, signatures | Durable; retained for the verification window stated in the purchased offer (commonly 24 months from issuance) so reviewers can validate the packet. | Verification path integrity. |
| Billing and tax records | Retained per applicable tax and accounting law (commonly 7 years). | Legal obligation. |
| Contact form, intake, and demo-preview submissions | Retained for up to 24 months after last contact, then deleted unless the contact converts into an account. | Sales and support follow-up. |
| Access logs and operational telemetry | Retained for up to 13 months, then rotated. | Security and operations. |
| Backups | Retained on a rolling window of up to 35 days, then overwritten. | Disaster recovery. |
2. Deletion
On termination of a purchased offer, AttestLayer deletes supplied records within the period stated in the written agreement, subject to legal preservation and dispute-hold obligations. Customers can request earlier deletion by emailing privacy@attestlayer.com; some records (such as completed billing transactions) may need to be retained to satisfy legal obligations.
3. Verification path integrity
Issued evidence packets carry manifests, receipts, and signatures that buyers and reviewers rely on long after intake. Deleting an issued packet before the verification window ends would invalidate the verification path. Customers can request earlier purge for specific packets in writing; the verification page for that packet will then resolve to a deletion notice rather than the original manifest.
4. Contact
Privacy: privacy@attestlayer.com