Data, privacy and cleanup in a data room
How the data room cleans up: trash empties after 30 days, archived rooms can be GDPR-deleted after 1-120 months (default Never), and all guest access is named via a one-time code and NDA log.
The data room is built to keep confidential material gathered, traceable and cleaned up again once a deal ends. This covers three things: a trash with an undo window, a GDPR deletion of archived rooms, and named guest access where every view and NDA acceptance is logged.
The data room is an add-on module. Cleanup and GDPR options are set per room under .
1Trash: a 30-day undo window
When you delete a file in Files, it goes to Trash instead of disappearing. From there you can Restore a file or Delete permanently.
Lease_2023.pdf — Deleted 14 June 2026 Restore Delete permanently Emptied automatically after 30 days.
If you delete permanently, the dialog warns: "The file and all its versions are permanently deleted and can NOT be restored." This cannot be undone.
The trash empties automatically after the period you set under Empty trash after. The default is 30 days, and you can choose between 1 and 365 days.
2Permanently delete archived rooms (GDPR purge)
Once a room is archived it is read-only, but the content is still there. Under you set Permanently delete archived rooms after to a number of months between 1 and 120. The default is Never.
When the period expires, the GDPR cleanup runs:
The setting's hint is precise: "GDPR clean-up: all content (documents and versions) is permanently deleted — the activity log is kept as documentation." So you keep the record of who saw what and when, while the documents themselves are removed. The event is logged as "The content was permanently deleted (GDPR clean-up)".
The purge deletes documents and all versions irreversibly. Choose a period that matches your own deletion obligation in the transaction — set Never if the material must stay.
3Named guest access and the NDA log
Guests never enter anonymously. On a share link, the visitor must verify their email with a one-time code (OTP) before content is shown — the hint reads: "Visitors must verify their email with a one-time code, so all activity is named." The code expires after 10 minutes.
If the room requires terms acceptance (NDA), the guest meets Accept terms to access with the checkbox "I have read and accept the terms" and the button Accept and continue.
The acceptance is recorded with timestamp and email in the activity log — and if Require digital signing is enabled, also with the guest's name signature. The event is logged as "Accepted terms (NDA)".
4Daily cleanup cron
The cleanup runs automatically. A daily background job empties expired trash files and performs the GDPR purge on archived rooms that have reached their deletion date. You do not need to do anything manually — just set the periods and the room keeps itself tidy.
Want a full audit trail before a room is closed? Use Close the deal (closing), which builds a zip with all documents, the activity log, the index and NDA acceptances before the room is archived.