Data & Storage
Data lifecycle & retention
The best-protected data is data that no longer exists. Privex leans on time: most sensitive state is deleted by a protocol event or expires on its own — no human has to remember to clean up.
Privex doesn’t keep a “just in case” pile. Each kind of data has a built-in expiry — some measured in seconds, some in days — and a lot of it is deleted the instant it has done its job. A seized server mostly finds things that were already on their way out the door.
Retention is enforced structurally: Redis TTLs, Postgres UNLOGGED truncation, and
protocol-driven hard deletes (ACK, download, disable). A 10-minute sweeper purges expired queue rows and
blobs. Nothing relies on a human deleting logs later.
The retention ladder
from seconds in RAM to client-only-forever
ephemeral (RAM)
event / TTL delete
durable ciphertext
client-only
Figure. The further left, the shorter the life. Even the durable, right-hand data is only ciphertext, blinded values, or public keys — useless without a key held on a device.
Every lifetime, spelled out
Why this is the security story
Short retention is seizure resistance. UNLOGGED tables vanish on crash, Redis has no disk at all,
Sealed Sender means even a live queue row has no sender, and no IP/name/email/phone is stored anywhere. What
little is durable is encrypted with a key the server never holds.