Legal

Data Residency & Retention Policy

Adaptive Agentic Platform LLC · Last updated: April 16, 2026 · Version 1.0

Paired with: Terms of Service v1.0 · Privacy Policy v1.1 · Data Processing Agreement v1.0

This Data Residency & Retention Policy ("Policy") supplements the Adaptive AI Terms of Service v1.0 ("ToS"), Privacy Policy v1.1 ("Privacy Policy"), and Data Processing Agreement v1.0 ("DPA"). It describes where Customer Data is stored, how long it is retained, and how deletion is handled.

In the event of conflict: (1) the Order Form controls; (2) then the DPA; (3) then the ToS; (4) then this Policy; (5) then the Privacy Policy (ToS §13.2). All capitalized terms not defined herein have the meanings given in the ToS.

1. Data Residency

1.1 Default Residency: United States

By default, all Customer Data is stored and processed in the United States. Adaptive AI's primary infrastructure providers and their default regions are:

Provider	Service	Default Region	Data Types
Railway	Application hosting (single-tenant)	US regions	AI Worker compute, application logic, session state
Supabase	Authentication and database (PostgreSQL)	US East	Account data, conversation transcripts, configuration, session metadata
Cloudflare R2	Object storage	US	Knowledge base files, voice recordings, uploaded documents
Cloudflare Vectorize	Vector database	US	Embedding vectors for knowledge base search
LiveKit Cloud	Real-time communications (WebRTC)	US regions	Voice and video media streams (transient; not stored by LiveKit)

1.2 EU Data Residency (Available on Request)

For Customers who require data residency within the European Economic Area ("EEA"), Adaptive AI offers EU-resident deployment on request. EU residency is available on qualifying Order Forms and includes:

Provider	EU Region	Notes
Railway	EU regions	Dedicated single-tenant compute in EU
Supabase	EU (Frankfurt)	Dedicated PostgreSQL instance in EU
Cloudflare R2	EU	Object storage with EU jurisdiction hint
Cloudflare Vectorize	EU	Vector storage in EU region
LiveKit Cloud	EU (Frankfurt)	Real-time media processed in EU

When EU data residency is specified in an Order Form, Adaptive AI will not store or process Customer Data outside the EEA without Customer's prior written consent, except: (a) where required by Applicable Data Protection Law; or (b) for transient processing that is covered by the Standard Contractual Clauses in the DPA (DPA §9; DPA Annex C).

1.3 UK Data Residency

UK data residency is available under the same terms as EU data residency, using UK-based or EEA-based infrastructure. The UK International Data Transfer Addendum to the EU SCCs applies (DPA Annex C).

1.4 Custom Residency Requirements

For Customers with residency requirements beyond US and EU (e.g., Australia, Canada, Japan), Adaptive AI will evaluate infrastructure availability and provide a custom residency addendum to the Order Form. Contact admin@adaptiveap.com.

1.5 Data Residency for AI Model Inference

When AI Workers process conversations, inference requests are sent to large language model (LLM) providers. By default, inference requests may be processed outside the Customer's configured data residency region.

BYOK (Bring Your Own Keys): Customers who require inference within a specific region may use their own API keys to route requests through their own provider agreements, giving them direct contractual and jurisdictional control over inference processing (ToS §5.7; Privacy Policy §10.2).

Adaptive AI configures all LLM providers to prohibit training on submitted data, regardless of whether BYOK is used (ToS §5.2).

2. Sub-processors and Data Flow

2.1 Sub-processor List

A current list of Sub-processors, including their locations and processing activities, is maintained at legal.adaptive.ai/subprocessors.

2.2 Sub-processor Changes

Adaptive AI will notify Customer account administrators via email at least 30 days before adding any new Sub-processor. Customers may object to new Sub-processors under the terms of DPA §6.4 and ToS §5.6.

2.3 Data Flow Summary

End User ──► [LiveKit Cloud / Channel Provider] ──► [Railway: AI Worker Compute]
                                                         │
                                                         ├──► [LLM Provider: inference]
                                                         ├──► [Supabase: transcripts, config, metadata]
                                                         ├──► [Cloudflare R2: recordings, files]
                                                         └──► [Cloudflare Vectorize: knowledge vectors]

All data flows are encrypted in transit (TLS 1.2+). All stored data is encrypted at rest (AES-256). Single-tenant isolation applies at every layer (ToS §5.10; Privacy Policy §4; DPA §5.2).

3. Retention Schedule

3.1 Default Retention Periods

Adaptive AI retains data only as long as necessary to provide the Platform, meet legal obligations, or as configured by Customer (Privacy Policy §9; ToS §5.8).

Data Type	Default Retention	Configurable	Minimum	Maximum	Legal Basis for Retention
Account and billing records	Contract term + 7 years	No	N/A	N/A	Tax and financial compliance (26 USC §6501; IRS Rev. Proc. 98-25)
Conversation transcripts	90 days	Yes (per Order Form)	7 days	365 days	Contractual necessity; Customer configuration
Voice recordings	30 days	Yes (per Order Form)	7 days	365 days	Contractual necessity; Customer configuration
Session telemetry and logs	30 days	No	N/A	N/A	Security and performance diagnostics; legitimate interest
Support tickets	3 years	No	N/A	N/A	Legitimate interest; dispute resolution
Website analytics	13 months	No	N/A	N/A	Legitimate interest (GDPR Art. 6(1)(f))
Security and audit logs	1 year	No	N/A	N/A	Security, legal compliance, and audit requirements
Deletion audit logs	1 year	No	N/A	N/A	Compliance and audit requirements (DPA §10)
PHI (when BAA in effect)	6 years	Yes (up to 10 years)	6 years	10 years	HIPAA (45 CFR §164.530(j)); see BAA §6
BYOK API credentials	Active subscription term	No	N/A	N/A	Contractual necessity; deleted within 7 days of key removal

3.2 Custom Retention Periods

Customers may request shorter retention periods for conversation transcripts and voice recordings via their Order Form or by contacting admin@adaptiveap.com. Custom retention periods must be at least 7 days (to support operational diagnostics and dispute resolution).

Customers who require longer retention periods (e.g., for regulatory compliance in financial services or healthcare) may request extensions via their Order Form, up to the maximum periods listed above.

3.3 Legal Holds

Adaptive AI may be required to preserve data beyond the configured retention period in response to a valid legal hold, subpoena, or court order. Where legally permitted, Adaptive AI will notify Customer of any such preservation requirement (Privacy Policy §10.3).

4. Automated Retention Enforcement

4.1 Automated Deletion

Retention periods are enforced automatically. When data reaches the end of its configured retention period, it is queued for deletion and permanently removed within 7 days of the retention expiry date.

4.2 Deletion Method

Database records (Supabase/PostgreSQL): Hard delete from all tables; no soft-delete or tombstone retention beyond the 7-day processing window.
Object storage (Cloudflare R2): Objects permanently deleted; bucket versioning is not enabled for Customer Data.
Vector storage (Cloudflare Vectorize): Embedding vectors permanently deleted.
Backups: Customer Data is purged from backup systems within 30 days of deletion from primary storage.
Log systems: Retained per the security and audit log retention period (1 year), after which they are permanently deleted.

4.3 Deletion Verification

Adaptive AI maintains deletion audit logs confirming the date and scope of each automated deletion operation. These logs are retained for 1 year and are available for Customer audit upon request (DPA §10).

5. Customer Self-Service Deletion

5.1 Platform UI

Customers may delete the following data types at any time through the Platform's account settings:

Individual conversation transcripts and voice recordings
Knowledge base content and files
AI Worker configurations
BYOK API keys

5.2 API

Customers may programmatically delete data using the Adaptive AI API. The following endpoints support deletion:

DELETE /api/v1/conversations/{id} — Delete a specific conversation and associated transcript/recording

DELETE /api/v1/knowledge/{id} — Delete a knowledge base entry

DELETE /api/v1/workers/{id} — Delete an AI Worker and its configuration

POST /api/v1/account/delete-all-data — Request deletion of all Customer Data (requires confirmation)

API documentation is available at docs.adaptiveap.com.

5.3 Bulk Deletion on Termination

Customer Data remains available for export for 30 days (ToS §10.5(d); Privacy Policy §9; DPA §11.2).
Export requests must be submitted within this 30-day window.
After the export window closes — or upon Customer's earlier written request — Adaptive AI permanently deletes Customer Data within 30 days.
Account and billing records are exempt from this deletion to the extent required by law (retained for contract term + 7 years).
Upon request, Adaptive AI will provide written certification of deletion (DPA §11.3).

5.4 Right to Erasure (GDPR Article 17)

For requests related to individual Data Subject erasure rights under the GDPR, contact admin@adaptiveap.com. Adaptive AI will assist Customer in fulfilling erasure requests within the timeframes required by Applicable Data Protection Law (DPA §7; Privacy Policy §13).

6. Data Export

6.1 Export Formats

Customer Data is exportable in the following formats:

Data Type	Export Format
Conversation transcripts	JSON, CSV
Voice recordings	WAV, MP3
Session metadata	JSON, CSV
AI Worker configurations	JSON
Knowledge base content	Original file format
Analytics and telemetry	JSON, CSV

6.2 Export Methods

Platform UI: Export individual records or bulk export via account settings.
API: Programmatic export via GET /api/v1/export/{data_type} endpoints.
Termination export: Full data export available for 30 days post-termination (ToS §10.5(d)).

6.3 Data Portability (GDPR Article 20)

Where Applicable Data Protection Law grants Data Subjects the right to data portability, Adaptive AI will provide Personal Data in a structured, commonly used, machine-readable format (JSON) (Privacy Policy §13; DPA §7).

7. Healthcare Data (HIPAA)

7.1 Protected Health Information (PHI)

Adaptive AI does not process Protected Health Information ("PHI") by default. Customers who deploy AI Workers in contexts where PHI may be processed must:

Execute a Business Associate Agreement ("BAA") with Adaptive AI before processing PHI. See BAA.
Ensure that AI Worker configurations comply with HIPAA minimum necessary standards.
Enable appropriate technical safeguards (encryption, access controls, audit logging) as specified in the BAA.

7.2 HIPAA Retention

Where a BAA is in effect, Adaptive AI will retain PHI in accordance with HIPAA requirements (minimum 6 years for designated record sets, or as specified in the BAA), which may override the default retention periods in Section 3.

8. Changes to This Policy

Adaptive AI may update this Policy periodically. Material changes will be notified to Customer account administrators via email at least 30 days before taking effect. For changes that materially restrict Customer's rights, the amendment process in ToS §13.3 applies.

9. Contact

Data residency questions

admin@adaptiveap.com

Retention configuration

Deletion requests

Security disclosures

BAA execution

Mailing Address

Adaptive Agentic Platform LLC, 254 Chapman Rd, Ste 208 #26210, Newark, Delaware 19702, United States