Guild

Guild · Data retention

Data Retention Policy.

GDPR Art. 5(1)(e) says personal data must be kept "no longer than necessary." This page is our public record of how long we keep each category of data and why.

Categories and retention periods

1. Application data (rejected applicants)

Retention: 90 days from rejection, then permanently deleted.
Why: short window to handle appeals or re-applications. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in abuse prevention and operational continuity).

2. Application data (approved applicants)

Retention: for the lifetime of your Guild account. Merged into your profile once approved.
Why: the application is the basis of your membership. Deleted when you close your account.

3. Profile and account data

Retention: until you request deletion or your account is closed for inactivity, then a 30-day soft-deletion window, then permanent purge.
Why: required to operate the service. Legal basis: Art. 6(1)(b) GDPR (performance of the membership contract).

4. Direct messages

Retention: 24 months from the date the message was sent. Older messages are permanently deleted from the server.
Why: active operational use; longer-term retention is not necessary. Message bodies are end-to-end encrypted in storage. Legal basis: Art. 6(1)(b) GDPR.

5. Forum posts and replies

Retention: as long as the thread remains useful to the community or until you request deletion of your posts. We do not auto-delete forum content but we anonymise it (replace the author with a tombstone) when the author's account is deleted.
Why: community knowledge value. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in maintaining a useful archive).

6. Job posts and applications

Retention: 24 months from the date the post expired or was filled.
Why: reasonable look-back for the operator and applicant; longer is not necessary.

7. Authentication and security logs

Retention: sign-in events 90 days; failed sign-in attempts and IP addresses 90 days.
Why: abuse and incident investigation. Legal basis: Art. 6(1)(f) GDPR.

8. Push notification tokens

Retention: until you sign out or uninstall the app. Tokens are rotated by the operating system; expired tokens are pruned on the next delivery attempt.

9. Subscription and billing records

Retention: ten years from the end of the calendar year in which the invoice was issued.
Why: mandatory under § 147 of the German Fiscal Code (Abgabenordnung). Legal basis: Art. 6(1)(c) GDPR (compliance with a legal obligation). Even if you delete your Guild account, invoice records that mention your name and address must be retained for tax purposes; access to them is restricted to the finance function.

10. Moderation and abuse reports

Retention: reports and the decisions taken on them are retained for 24 months. Where the report led to a permanent account termination for a serious or criminal breach, the underlying record is retained for as long as the ban remains in effect, plus 24 months.
Why: DSA accountability, evidence in case of appeal, and prevention of repeat offences. Legal basis: Art. 6(1)(c) and 6(1)(f) GDPR.

11. Support email correspondence

Retention: 36 months from the last reply, then permanently deleted.
Why: resolving recurring issues and documenting commitments made to members.

12. Anonymised analytics

Retention: raw events 12 months, anonymised aggregates indefinitely.
Why: product improvement. We do not run third-party analytics on the marketing site; in-app telemetry, where used, is aggregated and stripped of personal identifiers after 12 months.

What happens when you delete your account

  1. Your profile is immediately deactivated and removed from public listings.
  2. For 30 days the account is reversible by emailing hello@guild.guide — useful in case of mistake or compromised credentials.
  3. After 30 days the profile row, message bodies, forum-post author identity, push tokens, and other personal-data fields are permanently deleted.
  4. Forum posts are retained but reattributed to an anonymous tombstone author.
  5. Invoice and tax records continue to be retained for the periods set out above, under legal obligation.

Exceptions

Where data is subject to an active legal hold (litigation, regulatory investigation, or law-enforcement request), the retention periods above are extended until the hold is lifted. Where data has already been irreversibly anonymised it falls outside the scope of GDPR and is not subject to these periods.

Last updated: