ACCOUNT & SECURITY

Data and privacy in Candor

This article covers what we store, how to export your data, how to schedule a deletion, and what is retained versus removed. For the formal commitments, see the privacy policy and the subprocessors page.

Where to find these tools

Both data export and account deletion live under Settings → Security in the panel labelled data subject requests.

Exporting your data

Click Download my data. Candor builds a JSON file with your profile, workspace memberships, audit events, projects, personas, interview sessions, and conversation transcripts. If you joined the waitlist with the same email address before signing up, the export also includes any waitlist row we hold for that address, including the publicly available enrichment we looked up against it. The file is uploaded to a temporary signed URL and the link is emailed to you. The link is valid for seven days and then expires; after that you need to request a new export. Anyone who holds the link can download the file until it expires, so treat that email as sensitive and delete it once you have the file.

Only one export request can be in flight at a time. If you already have one running, the button stays disabled until it finishes.

Scheduling account deletion

Click Delete my account. A confirmation dialog asks you to type your email address; once you confirm, deletion is scheduled for seven days from now and a cancellation email is sent to you. The email contains a link you can click at any time within that window to call off the deletion. The cancellation link does not require you to be logged in: the token in the URL is what authenticates the request, so anyone who obtains the link can cancel the deletion.

The seven-day grace period is intentional. It protects against accidental clicks and gives you time to change your mind. Once the grace period has elapsed, deletion runs automatically on the next run of the nightly cron job (around 04:00 UTC).

What deletion actually does

Deletion removes you from every workspace you’re a member of. Your auth account is deleted, which cascades to sessions, identities, and MFA factors. Audit events keep their rows, but the user reference in them is anonymised: the row still exists for compliance, but it no longer links back to you.

If you joined the waitlist with the same email address, the waitlist row (and any enrichment we held against it) is deleted in the same step.

Projects you created keep existing inside the workspaces they live in (they belong to the workspace, not you personally). The created_by field on those rows is set to null. The team you were part of can continue working with that data; they just won’t see your name attached.
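The scheduling, cancellation and deletion flow described in the two sections above, as an added example written for this article rather than Candor's own code. It runs against a constructed in-memory stand-in for the database; the class names, the cancel-deletion endpoint, the sample data and the choice to store only a hash of the cancellation token are all assumptions, not details taken from the product.

```python
"""Added example for this article (not Candor's code): a seven-day deletion
grace period, a cancellation link authenticated only by the token in its URL,
and the deletion cascade, run against a constructed in-memory stand-in for the
database. All names, endpoints and sample data below are assumptions."""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

GRACE_PERIOD = timedelta(days=7)
CANCEL_URL = "https://app.example/cancel-deletion"   # hypothetical endpoint


def _token_hash(token: str) -> bytes:
    # Only the hash is stored, so reading the table does not yield working links.
    return hashlib.sha256(token.encode()).digest()


class FakeClock:
    """Constructed clock so the grace period can be advanced deterministically."""
    def __init__(self, start: datetime = datetime(2024, 1, 1, tzinfo=timezone.utc)):
        self.now = start
    def __call__(self) -> datetime:
        return self.now
    def advance(self, days: int) -> None:
        self.now += timedelta(days=days)


class Store:
    """Constructed sample data standing in for the tables the article describes."""
    def __init__(self):
        self.auth_accounts = {"u1": {"email": "ann@example.com", "sessions": 2, "mfa_factors": 1}}
        self.memberships = {("u1", "ws-a"), ("u1", "ws-b"), ("u2", "ws-a")}
        self.projects = {"p1": {"workspace": "ws-a", "created_by": "u1"},
                         "p2": {"workspace": "ws-a", "created_by": "u2"}}
        self.audit_events = [{"id": 1, "user_id": "u1", "action": "login"},
                             {"id": 2, "user_id": "u2", "action": "role_change"}]
        self.waitlist = {"ann@example.com": {"enrichment": {"company": "Example Co"}}}

    def delete_account(self, user_id: str) -> None:
        """The cascade: memberships, auth account, audit anonymisation, created_by, waitlist."""
        email = self.auth_accounts[user_id]["email"]
        self.memberships = {m for m in self.memberships if m[0] != user_id}
        del self.auth_accounts[user_id]             # sessions, identities, MFA go with it
        for ev in self.audit_events:                # rows remain; the user reference does not
            if ev["user_id"] == user_id:
                ev["user_id"] = None
        for p in self.projects.values():            # projects belong to the workspace
            if p["created_by"] == user_id:
                p["created_by"] = None
        self.waitlist.pop(email, None)              # same-email waitlist row and its enrichment


class DeletionScheduler:
    def __init__(self, store: Store, clock):
        self.store = store
        self.clock = clock          # callable returning an aware datetime
        self.pending = {}           # user_id -> {"deadline": datetime, "token_hash": bytes}

    def schedule(self, user_id: str) -> str:
        """Schedule deletion GRACE_PERIOD from now and return the link to email."""
        token = secrets.token_urlsafe(32)           # 256 random bits: not guessable
        self.pending[user_id] = {"deadline": self.clock() + GRACE_PERIOD,
                                 "token_hash": _token_hash(token)}
        return f"{CANCEL_URL}?uid={user_id}&token={token}"

    def cancel(self, user_id: str, token: str) -> bool:
        """No session required: the token is the credential, so it is checked like one."""
        rec = self.pending.get(user_id)
        if rec is None or self.clock() > rec["deadline"]:
            return False                            # nothing pending, or grace period over
        if not hmac.compare_digest(_token_hash(token), rec["token_hash"]):
            return False                            # constant-time comparison
        del self.pending[user_id]                   # the link is single-use
        return True

    def cancel_from_link(self, url: str) -> bool:
        """What the cancellation endpoint does with a clicked URL."""
        q = parse_qs(urlparse(url).query)
        return self.cancel(q.get("uid", [""])[0], q.get("token", [""])[0])

    def run_nightly_job(self) -> list:
        """The scheduled job: delete every account whose grace period has elapsed."""
        now = self.clock()
        due = [uid for uid, rec in self.pending.items() if now >= rec["deadline"]]
        for uid in due:
            self.store.delete_account(uid)
            del self.pending[uid]
        return due
```

Two properties of the token matter here: it is long enough that it cannot be guessed within the seven-day window, and the server keeps only its hash, so a leak of the pending-deletions table does not hand out working cancellation links. The deadline is checked both when a link is used and when the job runs, which is what makes the grace period enforceable rather than advisory.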

What never gets deleted

Two append-only tables persist indefinitely, regardless of account deletion or per-workspace retention settings:

  • Audit events — a tamper-evident log of every authentication, role change, and sensitive action. Required for security and compliance. User references in these rows are anonymised when an account is deleted.
  • Service usage — per-call records of external service spend (LLM tokens, web search, embedding calls). Used for billing and operational accounting. No interview content lives in these rows.

Workspace retention policies

Each workspace can configure how long it keeps conversation transcripts and uploaded documents (separately from individual deletes). When the threshold is reached, a nightly job removes data older than the cutoff. Short thresholds reduce blast radius if there’s ever a breach; long thresholds preserve research history. The tradeoff is yours.

How we use external services

Candor uses third-party services for LLM inference, web search, embeddings, transactional email, and infrastructure. The full list is on the subprocessors page. None of them get more data than they need to do their part of the work, and none of them retain it long-term except where required for service operation.

Common questions

Does Candor train AI models on my data?

No. Candor's underlying AI providers operate under contracts that explicitly prohibit training on customer inputs. Your uploaded documents, conversation transcripts, and persona outputs are used only to run your studies inside your own workspace. They are never pooled into a global training set, never used to improve a model another customer will see, and never shared between workspaces. The full list of providers and how each one handles data is on the subprocessors page.

Is my workspace isolated from other customers?

Yes. Every row in Candor's database is scoped to a workspace ID, and database row-level security enforces that no query can read or write data outside the workspace it is authorised for. Workspace separation is enforced at the database layer, not only in application code. Storage buckets, signed upload URLs, and background processing jobs are also scoped per workspace. There is no path to another workspace's data without an explicit invitation into it. Platform administrators can access workspace data only through audited impersonation, which is logged immutably.

How do I delete my account, and what happens when I do?

You can delete your account from Settings → Security, which schedules deletion with a seven-day grace period and emails you a cancellation link. After the grace period runs out, Candor removes you from every workspace, deletes your auth account (which cascades to sessions, identities, and MFA factors), and anonymises your references in audit events. Projects you created stay in the workspaces they belong to, since they are owned by the workspace, not by you. The team you were part of keeps using them, with your name no longer attached.

Where is my data stored?

Candor runs on managed infrastructure in North America. Your data (uploaded documents, persona profiles, conversation transcripts, audit logs) is stored on that infrastructure and replicated across availability zones within it. Subprocessors that handle data temporarily (LLM inference, web search, embeddings) operate from their own regions, listed on the subprocessors page. If your organisation requires specific data residency that we don't currently support, get in touch before signing up.

Who at Candor can see my workspace data?

Only platform administrators can read workspace data without being an invited member, and only through audited impersonation. Every impersonation event writes an immutable audit log entry with the administrator's identity, the target workspace, the time, and the actions taken. Those logs are append-only at the database level (rows are never deleted, and the only change ever made to them is the anonymisation of a deleted account's user reference described above), and they survive account deletion. If you're an Owner or Admin in your workspace, you can review audit events for your workspace from the workspace settings. That is the accountability mechanism.
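How workspace-scoped row-level security (the isolation answer above) and an append-only audit table that still allows anonymisation (the "What never gets deleted" section and the answer above) can be enforced in the database, as an added PostgreSQL example written for this article. It is not Candor's schema: the table and column names, the `app_role` role, the `app.workspace_id` session setting, and the trigger that permits only a user_id-to-NULL update are assumptions that show one way to get the properties the page describes.

```sql
-- Constructed example for this article, not Candor's schema. Assumes an
-- application role `app_role` and a per-request session setting
-- `app.workspace_id` (both hypothetical names).
CREATE ROLE app_role NOLOGIN;
GRANT USAGE ON ALL SEQUENCES IN SCHEMA public TO app_role;

-- 1. Every workspace-owned table carries workspace_id and is filtered by it.
CREATE TABLE projects (
  id           bigserial PRIMARY KEY,
  workspace_id uuid NOT NULL,
  created_by   uuid,                  -- set to NULL when the creator's account is deleted
  name         text NOT NULL
);
ALTER TABLE projects ENABLE ROW LEVEL SECURITY;
ALTER TABLE projects FORCE ROW LEVEL SECURITY;   -- the table owner is filtered too
CREATE POLICY projects_workspace_scope ON projects
  FOR ALL TO app_role
  USING      (workspace_id = current_setting('app.workspace_id', true)::uuid)
  WITH CHECK (workspace_id = current_setting('app.workspace_id', true)::uuid);
GRANT SELECT, INSERT, UPDATE, DELETE ON projects TO app_role;
-- current_setting(..., true) returns NULL when unset, so an unscoped request sees no rows.

-- 2. Audit events: readable and insertable, never deleted, and the only
--    permitted update is clearing the user reference.
CREATE TABLE audit_events (
  id           bigserial PRIMARY KEY,
  workspace_id uuid NOT NULL,
  user_id      uuid,                  -- NULL once the account has been anonymised
  action       text NOT NULL,
  occurred_at  timestamptz NOT NULL DEFAULT now()
);
ALTER TABLE audit_events ENABLE ROW LEVEL SECURITY;
ALTER TABLE audit_events FORCE ROW LEVEL SECURITY;
CREATE POLICY audit_events_workspace_scope ON audit_events
  FOR ALL TO app_role
  USING      (workspace_id = current_setting('app.workspace_id', true)::uuid)
  WITH CHECK (workspace_id = current_setting('app.workspace_id', true)::uuid);
GRANT SELECT, INSERT ON audit_events TO app_role;   -- no UPDATE, DELETE or TRUNCATE privilege

CREATE FUNCTION audit_events_guard() RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN
  IF TG_OP = 'DELETE' THEN
    RAISE EXCEPTION 'audit_events is append-only';
  END IF;
  -- UPDATE: allowed only if user_id becomes NULL and nothing else changes.
  IF NEW.user_id IS NOT NULL
     OR NEW.id IS DISTINCT FROM OLD.id
     OR NEW.workspace_id IS DISTINCT FROM OLD.workspace_id
     OR NEW.action IS DISTINCT FROM OLD.action
     OR NEW.occurred_at IS DISTINCT FROM OLD.occurred_at THEN
    RAISE EXCEPTION 'audit_events rows may only be anonymised (user_id -> NULL)';
  END IF;
  RETURN NEW;
END;
$$;
CREATE TRIGGER audit_events_append_only
  BEFORE UPDATE OR DELETE ON audit_events
  FOR EACH ROW EXECUTE FUNCTION audit_events_guard();

-- TRUNCATE bypasses row triggers, so block it with a statement trigger as well.
CREATE FUNCTION audit_events_no_truncate() RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN
  RAISE EXCEPTION 'audit_events is append-only';
END;
$$;
CREATE TRIGGER audit_events_no_truncate
  BEFORE TRUNCATE ON audit_events
  FOR EACH STATEMENT EXECUTE FUNCTION audit_events_no_truncate();

-- 3. Per-request scoping: the application pins the workspace for the transaction.
BEGIN;
SET LOCAL ROLE app_role;
SET LOCAL app.workspace_id = '11111111-1111-1111-1111-111111111111';
SELECT id, name FROM projects;                 -- only this workspace's rows are visible
INSERT INTO projects (workspace_id, name)
  VALUES ('22222222-2222-2222-2222-222222222222', 'leak');
-- ERROR: new row violates row-level security policy for table "projects"
ROLLBACK;

-- 4. The deletion job runs as a role that holds UPDATE; the trigger still limits it.
UPDATE audit_events SET user_id = NULL
  WHERE user_id = '33333333-3333-3333-3333-333333333333';  -- allowed: anonymisation only
UPDATE audit_events SET action = 'edited' WHERE id = 1;    -- ERROR from the trigger
DELETE FROM audit_events WHERE id = 1;                     -- ERROR from the trigger
```

The guarantee this gives is against application bugs and leaked application credentials: `app_role` cannot escape its workspace or rewrite history even with a SQL injection. It is not a guarantee against whoever administers the database, since the table owner or a superuser can drop the trigger, which is why the page's model of platform-admin access relies on audited impersonation rather than on the schema alone.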


Candor is in development. Powered by Highline Beta.