This article outlines how our automated data deletion policy works, including default and custom retention timelines, notification processes, and what data is excluded from purging.
Privacy and Security Overview
We are committed to:
- Ensuring the confidentiality and integrity of customer data
- Adhering to industry-leading compliance standards
- Applying secure protocols across infrastructure, application design, and access controls
You can always review our current security posture, policies, and documentation at:
Default Data Retention Policies
At Discuss, we automate the deletion of projects and respondent data in line with our established data retention policies. This process is grounded in a simple principle: we retain data only as long as it’s needed for processing, and no longer.
As part of this commitment, we’ve reviewed all active MSAs to ensure our policies align with each customer’s data retention terms. While most data is subject to automated deletion, consent records are excluded from this process and will continue to be stored for the duration of recording processing.
Some organizations have customized data retention schedules outlined in their contracts, and those will continue to be honored.
| Data Type | Retention Period | Details |
|---|---|---|
| Respondent Data | 6 months | - Data is deleted 6 months after a respondent’s scheduled session ends. - For unscheduled respondents, deletion occurs 6 months after creation (when added to the project). - Includes: Name, Email, Phone, Market, Screener data, Tech Check Data (Location, video, etc.). - Deletion occurs every Sunday. |
| Project Data | 3 years | - Retained for 3 years from project creation (if no sessions), or from the end of the last session. - Includes: Recordings (with participant data), self-paced responses, transcripts, tags, summaries, clips, highlight reels, poll data, documents (including stimuli), discussion guides, takeaways, and AI data. - Deletion occurs on the 3rd of each month. |
| Consent Records | 3 years | - Retained independently from respondent data. - Ensures documented consent is maintained for all recordings. |
| Custom Retention Settings | Up to 6 months (respondent); up to 3 years (project) | - Maximum: 6 months for respondent data, 3 years for project data. - Respondent retention must be less than or equal to project retention. - To increase or decrease the data retention period, please contact your customer success manager to discuss your options or write to us at customercare@discuss.io. |
Customisation and Exceptions
- Can people request extensions to data retention periods, and do we charge for that?
  Extensions are handled on a case-by-case basis. If you require additional time, you should contact your Account Manager. Fees may apply depending on the scope and duration of the request.
- What’s the shortest amount of time we can retain respondent data?
  The minimum retention period is one month. It’s customizable in monthly increments (e.g., 1, 2, 3 months, etc.). Contact your Account Manager to set up a custom data retention period.
- Can respondents’ data be manually deleted sooner than the configured retention period?
  Yes. Users can manually delete respondent data at any time, including immediately after a session.
- Can custom retention settings be applied at the account level, or only per project?
  Yes. Custom retention policies are applied at the organization (account) level, not per individual project. Contact your Account Manager to set up a custom data retention period.
Deletion Schedule List
The Deletion Schedule page displays projects that are scheduled to be permanently deleted within the next 90 days, regardless of each project’s individual retention period.
- Project data retention can be set as low as 30 days. Even in these cases, the deletion schedule view still includes the project once it falls within the 90-day deletion window.
- Project members can view only the projects they belong to.
- Organization admins can view all projects scheduled for deletion across their organization, regardless of membership.
Notifications
We send automated email reminders before deletion to ensure teams have time to download any data they want to keep.
Recordings and transcripts can also be downloaded at the project level. For step-by-step instructions, see Bulk downloads for transcripts and recordings.
- 30 Days Prior (T-30): Project owners receive an email on the 28th of each month with a list of upcoming deletions and instructions to export data.
- 7 Days Prior (T-7): A reminder email is sent on the 22nd of each month.
- Monthly Org Admin Digest: On the 1st of each month, Org Admins receive a summary of all projects scheduled for deletion within the next 60 days.
Visibility of Scheduled Deletion
- Project members can see which projects will be deleted within the next 90 days. This only shows projects they are members of.
- Org Admins will see all projects within that list, whether they are members of the project or not.
What is considered Personally Identifiable Information (PII) on Discuss?
PII refers to any data that can be used to identify a specific individual, either directly or when combined with other information. On the Discuss platform, this includes a range of data fields collected during respondent onboarding, session participation, and platform use.
Respondent-Level PII
- Name
- Email Address
- Phone Number
- Screener Responses (when linked to identity)
- IP Address
- City and Country Location (from tech checks)
- Tech Check Video Recordings
- Video and Audio Interview Responses (when tied to identity)
- Uploaded Written Responses (e.g., pretasks containing identity)
- Personal Demographic Data (e.g., age, gender, ethnicity) when associated with an identifiable individual
- Programmatic Recruiting Data
System-Logged Data
- User Login Email
- IP Addresses
- Device and Browser Information
- Consent Signatures and Timestamps
Ongoing Compliance
We continuously review and improve our retention practices to ensure compliance with data privacy regulations and contractual agreements. Our platform is designed to support secure data lifecycle management at scale.
Terms of Service and Resources
- Privacy Statement
- Terms of Service
- U.S. State Privacy Laws & Policy
- Terms of Use For Participant
- Privacy & Security FAQ
Country-Specific Information
Market Research in China
Market Research in Germany
FAQ
In order to answer some of the questions you may have, we created this FAQ.
Who owns the data that the organizations put into Discuss?
To put it simply, Discuss.io does not own your data. We do not take a position on whether the data belongs to the institution signing up for Discuss.io, or the individual user (that’s between the two of you), but we know it doesn’t belong to us!
The data that you put into our systems is yours, and we believe it should stay that way. We think that means three key things.
- We won’t share your data with others except as noted in our Privacy Policy.
- We keep your data as long as you require us to keep it.
- Finally, you should be able to take your data with you if you choose to use external services in conjunction with Discuss.io or stop using our services altogether.
When can Discuss employees access my account?
Discuss may only access data in your account in strict compliance with our Privacy Policy and your Customer Agreement. For purposes of providing technical support, an administrator may choose to grant the Support team permission to access accounts in order to resolve a specified issue.
Does Discuss give third parties access to my organization’s data?
Absolutely not.
Is my organization compliant with the European Commission Directive on Data Protection if we use Discuss?
As described in our Privacy Shield certification, we comply with the EU-US and Swiss-US Privacy Shield Frameworks as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries and Switzerland, respectively. Discuss has certified that it adheres to the Privacy Shield Principles. To learn more about the Privacy Shield program, and to view Discuss.io's certification, please visit the Privacy Shield website.
Generally, an organization must decide whether its use of Discuss.io is compliant with any regulations it may be subject to.
Where is my organization’s data stored?
Your data is stored in the Amazon Web Services network of data centers. Discuss.io maintains a number of geographically distributed data centers. Discuss.io computing clusters are designed with resiliency and redundancy in mind, eliminating any single point of failure and minimizing the impact of common equipment failures and environmental risks.
Is my organization’s data safe from your other customers when it is running on the same servers?
Yes. Data is virtually protected as if it were on its own server. Unauthorized parties cannot access your data. Your competitors cannot access your data, and vice versa. In fact, all user accounts are protected via this virtual lock and key that ensures that one user cannot see another user’s data. This is similar to how customer data is segmented in other shared infrastructures such as online banking applications.
An end-user deleted a number of videos, how can I recover them?
Data is irretrievable once an end-user deletes a video asset or user account.
How do you protect your infrastructure against hackers and other threats?
Discuss.io, an established provider of web-based services, has gone to great lengths to protect against threats. Each of these systems has been optimized for security and performance. The Discuss.io Security Team is working with external parties to constantly test and enhance security infrastructure to ensure it is impervious to external attackers. And because Discuss.io controls the entire open source stack running our systems, we are able to quickly respond to any threats or weaknesses that may emerge.
Discuss maintains a number of geographically distributed data centers. Discuss.io computing clusters are designed with resiliency and redundancy in mind, eliminating single points of failure and minimizing the impact of common equipment failures and environmental risks. Access to our data centers is restricted to authorized personnel.
How do you prevent and resolve security flaws in your applications?
Discuss.io products and services go through a series of security reviews. If a security flaw is found in an application or infrastructure component, we evaluate the risk and respond accordingly. Because we are hosting the applications in our own systems, we can quickly deploy fixes to all our systems without requiring any action on your part.
Can my organization use our own authentication system to provide user access to Discuss?
Discuss integrates with standard web single sign-on systems using the SAML 2.0, OAuth, or Google standards. Organizations can work with Discuss to accomplish integration. Contact us for more information.
Do you sign NDAs?
Discuss does sign non-disclosure agreements upon request. Discuss can provide a copy of our standard NDA/confidentiality agreement via email. If it meets with your approval, we will follow up with a scan of a signed copy. To use an NDA/confidentiality agreement of your choice, you can reach out to us through this support form with the required documents or any questions.