This policy describes how to request deletion of data from the Govalta platform, what data is deleted, and the timeline for deletion. Govalta is committed to honoring deletion requests promptly and completely.
How to Request Deletion
To request deletion of your organization's data, contact Govalta at:
Please include in your request: your organization name, the email address associated with your Govalta account, and the scope of data you wish to have deleted (specific records, all organization data, or a specific user account).
What Gets Deleted
User account deletion
Removes user profile, authentication credentials, and session data. Audit trail entries associated with the user are anonymized (action preserved, identity removed) to maintain record integrity.
Organization data deletion
Removes all issues, action steps, evidence documents, validation records, closure records, and user accounts associated with the organization. This is irreversible.
Specific evidence deletion
Removes a specific uploaded evidence file and its extracted text. Validation records that referenced the evidence are retained but the evidence link is removed.
Specific issue deletion
Removes a specific issue and all associated action steps, evidence, and validation records. Cannot be undone.
Deletion Timeline
Exceptions and Limitations
Govalta may retain data beyond the requested deletion date in the following circumstances:
- Where retention is required by applicable law or regulation
- Where data is subject to a legal hold or active legal process
- Where deletion would compromise the integrity of audit trails required by applicable regulatory standards
- Backup copies — retained for up to 30 days on a rolling rotation schedule
Where an exception applies, Govalta will inform the requester of the exception and the expected timeline for deletion once the exception no longer applies.
Sub-processor Data
Govalta's deletion process covers data held in Govalta's primary systems (Supabase database and file storage). Govalta will also request deletion from relevant sub-processors where their policies and data processing agreements permit.
Residual data in Vercel request logs (anonymized request metadata) and WorkOS authentication logs is subject to the retention policies of those sub-processors. See the Sub-processor Disclosure for links to each sub-processor's privacy policy.
Automatic Deletion on Access Termination
When organizational access to the Govalta platform terminates (by mutual agreement, at the end of a design partner engagement, or otherwise), Govalta will retain organization data for 60 days to support administrative continuity. At the end of this period, all organization data will be deleted automatically unless the organization has requested early deletion or extended retention in writing.
For the complete retention schedule by data category, see the Data Retention Policy.