Messenger.xyz Data Deletion & Retention Policy
Last updated: 08 October 2025
1) Scope
This policy explains how Messenger.xyz (“Messenger,” “we,” “us”) retains and deletes personal data collected through our apps, web services, and related APIs. It applies to all users, including account holders, message recipients, group participants, and visitors.
2) What counts as “personal data”
Account data: name/handle, phone/email, profile photo, password hashes, settings.
Message content & media: texts, voice notes, images, videos, files, reactions.
Message metadata: sender/recipient IDs, timestamps, delivery/read status.
Device & technical data: IP addresses, device identifiers, app version, crash logs.
Payments & subscriptions (if used): billing name, purchase history (processed by payment partners).
Support content: tickets, recordings, attachments.
3) How long we keep things (default retention)
| Data category | Default retention | Notes |
|---|---|---|
| Account profile & credentials | Kept while the account is active | Deleted within 30 days of confirmed account deletion, except for legal holds. |
| Message content (1:1 & groups) | User-controlled | Deleted immediately on user action where supported (e.g., “Delete for me” or “Delete for everyone” features). If not deleted earlier, content is removed within 30 days after account deletion. |
| Message metadata | 12 months | Minimal metadata retained for spam/fraud prevention and abuse monitoring; may be extended on legal hold. |
| Media on CDN | Up to 30 days after unlink | Or sooner on explicit delete; cached copies may persist briefly in edge caches. |
| Logs & security events | 12–24 months | For security, rate-limiting, troubleshooting. |
| Payments/receipts | 7 years | Financial recordkeeping requirements (jurisdiction dependent). |
| Backups | Up to 90 days rolling | Point-in-time encrypted backups; data ages out and is not restored for normal ops. |
| Support tickets | 24 months | Shorter on request unless required for compliance. |
Important: If a message is deleted “for me,” it disappears from your view only. “Delete for everyone” removes it from recipients’ view where technically possible (e.g., within a feature’s allowed time window). Recipients may still retain copies (e.g., screenshots, exports, device backups) that we do not control.
4) Triggers for deletion
User-initiated: account deletion; message/media deletion; chat clear; revocation of permissions.
Policy-driven: inactivity thresholds; expiry of business purpose; expiry of legal basis.
Compliance/legal: request to erase (where applicable); end of legal hold.
5) How to request deletion (access/erasure)
You can delete data in three ways:
In-app: Settings → Privacy → Delete Account (permanently removes your account and associated content per the schedule above).
Item-level: Long-press message/media → Delete (choose for me or, where available, for everyone).
Privacy request: Email privacy@messenger.xyz or submit the form at messenger.xyz/privacy-request with:
Account identifier (email or phone used to register)
Country of residence
Request type (access, delete, correct, restrict, object, portability)
Identity verification
We may ask you to verify control of the account (e.g., email/phone challenge). For authorized agents (e.g., under CPRA), provide signed permission and proof of identity.
Response timelines
We aim to respond within 30 days (may extend once by up to 60 days for complex requests; we’ll tell you why).
6) What deletion means in practice
Active systems: Data is removed or irreversibly pseudonymized.
Backups: We do not edit historical backups. Your data will age out within the 90-day backup window and will not be reintroduced to active systems except for disaster recovery.
Third parties: We instruct processors (e.g., cloud, analytics, payments) to delete corresponding data, subject to their legal obligations.
Irreversibility: Deletion is permanent and cannot be undone.
7) Exceptions (when we may delay or deny deletion)
We may retain limited data where reasonably necessary to:
Comply with law, court orders, or enforceable government requests.
Detect, investigate, and prevent fraud, spam, abuse, or security incidents.
Establish, exercise, or defend legal claims.
Meet accounting/tax recordkeeping duties.
When an exception applies, we minimize what we keep and how long we keep it.
8) Special notes on messaging features
“Delete for everyone”: Available within product-defined windows and contexts; not guaranteed if recipients are offline, on older app versions, or have already saved/exported the content.
Groups & channels: Deleting your message removes it for others only if the feature supports it; deleting your account may leave previously posted content behind if required for the integrity of the thread (e.g., placeholders) but disassociates it from your profile where possible.
Read receipts & presence: Turning off a feature is prospective; historical signals may persist as metadata per the retention table.
End-to-end encryption (if enabled in a chat): We cannot read encrypted message content. Deletion still removes server-stored copies and keys per feature design; recipients may retain local copies.
9) Children’s data
Messenger.xyz is not directed to children where parental consent is required by law. If you believe a child has used the service without required consent, contact privacy@messenger.xyz and we will promptly remove the account/data as appropriate.
10) Region-specific rights
GDPR/UK GDPR (EEA/UK): You may have rights to access, erase, correct, restrict, object, and portability. Our legal bases include consent, contract performance, legitimate interests, and compliance with legal obligations. You can lodge a complaint with your local DPA.
CCPA/CPRA (California): You may request deletion, know/access, correct, and opt out of sale/share. We do not sell personal information. Sensitive personal information is used only for permitted purposes.
NDPR (Nigeria): You may request access, correction, deletion, and withdrawal of consent.
We apply equivalent protections globally where feasible.
11) Our processors & transfers
We use reputable processors for hosting, storage, analytics, content delivery, and payments. Cross-border data transfers use approved safeguards (e.g., SCCs/UK IDTA). A current list of core processors is available at messenger.xyz/subprocessors.
12) Security & irreversible deletion
We use encryption in transit and at rest (for supported data types), strict access controls, and secure key management. Deletion jobs are authenticated, logged, and monitored. We validate success by sampling and automated checks.
13) Appeals & complaints
If you disagree with our response, reply to the original ticket to appeal. You may also contact your regional regulator (see Section 10).
14) Changes to this policy
We may update this policy to reflect product or legal changes. Material changes will be notified in-app or by email. The “Last updated” date will change accordingly.
15) Contact
Messenger.xyz Privacy Team
Email: privacy@messengr.xyz
Internal Deletion SOP (for Staff/Processors)
Purpose: Ensure consistent, auditable deletion across systems.
Intake & Verify
Confirm requester identity/authority.
Classify request (account deletion vs. item-level vs. rights request).
Check for legal holds or fraud/security investigations.
Queue & Execute
Trigger account-wide purge job (users, messages, media links, tokens).
Invalidate sessions, revoke API tokens, wipe push notification endpoints.
Issue deletion webhooks to sub-processors (attach unique request ID).
Backups & Caches
Mark for non-restoration; ensure CDN purge for associated media.
Confirm aging-out schedule (≤90 days for backups; ≤30 days for CDN caches).
Verification & Logging
Run post-delete checks across microservices (user index, search, media store, analytics).
Record request, actions taken, timestamps, systems touched, operator ID.
Close & Notify
Send completion notice to the user (or agent).
Document any exceptions (and next review date if retention continues under an exception).
Audits
Quarterly sampling of deletion jobs; report findings to Security & Privacy leads.
Update data maps and retention schedules when products change.