Privacy and data retention for DigitizingFlow.
DigitizingFlow stores only the operational data needed to process embroidery digitizing runs, keep evidence available for review, and support safe launch access. This page describes the current pre-customer policy draft.
What we store
Account identity, uploaded source artwork, generated PES/DST candidates, previews, reports, run settings, gate results, support notes, and bounded product analytics can be stored while a workflow is active.
Where it lives
Runtime records live in Railway Postgres, generated and uploaded files live in Railway object storage, transactional email uses Resend, and public-web measurement is optional through configured analytics tools.
Current operating windows
These windows are conservative launch defaults until customer plans and legal terms replace them.
| Data | Retention window |
|---|---|
| Uploaded artwork and generated files | 90 days by default for trial and internal accounts unless a customer plan or support case sets a different window. |
| Run, job, gate, and audit records | 13 months for troubleshooting and quality review, with production approval states kept explicit. |
| Admin notes and security events | 24 months for support, security, and production-honesty audit trails. |
| Waitlist and launch-access requests | 18 months or until a verified deletion request. |
Deletion and export
Verified account requests can export or delete account-scoped metadata and artifact objects. Minimal audit or security metadata may be retained when needed to prove the request, prevent abuse, or satisfy legal obligations.
Production boundary
Customer artwork and sewout evidence are never committed to Git. Software-ready files remain separate from sewout-approved production files, even when a run's metadata is retained for audit.
Review the software-ready versus sewout-approved boundary
The product policy and the engine policy both require physical sewout evidence before a generated file can be called production approved.