Help center Data & GDPR

Data, privacy and cleanup in a data room

How the data room cleans up: trash empties after 30 days, archived rooms can be GDPR-deleted after 1-120 months (default Never), and all guest access is named via a one-time code and NDA log.

Updated 16 June 2026

The data room is built to keep confidential material gathered, traceable and cleaned up again once a deal ends. This covers three things: a trash with an undo window, a GDPR deletion of archived rooms, and named guest access where every view and NDA acceptance is logged.

Note

The data room is an add-on module. Cleanup and GDPR options are set per room under SettingsClean-up & GDPR.

1Trash: a 30-day undo window

When you delete a file in Files, it goes to Trash instead of disappearing. From there you can Restore a file or Delete permanently.

Trash

Lease_2023.pdf — Deleted 14 June 2026 Restore Delete permanently Emptied automatically after 30 days.

If you delete permanently, the dialog warns: "The file and all its versions are permanently deleted and can NOT be restored." This cannot be undone.

Tip

The trash empties automatically after the period you set under Empty trash after. The default is 30 days, and you can choose between 1 and 365 days.

2Permanently delete archived rooms (GDPR purge)

Once a room is archived it is read-only, but the content is still there. Under SettingsClean-up & GDPR you set Permanently delete archived rooms after to a number of months between 1 and 120. The default is Never.

When the period expires, the GDPR cleanup runs:

1Room archived2Period expires (e.g. 12 mo.)3All content permanently deleted4Activity log kept

The setting's hint is precise: "GDPR clean-up: all content (documents and versions) is permanently deleted — the activity log is kept as documentation." So you keep the record of who saw what and when, while the documents themselves are removed. The event is logged as "The content was permanently deleted (GDPR clean-up)".

Important

The purge deletes documents and all versions irreversibly. Choose a period that matches your own deletion obligation in the transaction — set Never if the material must stay.

3Named guest access and the NDA log

Guests never enter anonymously. On a share link, the visitor must verify their email with a one-time code (OTP) before content is shown — the hint reads: "Visitors must verify their email with a one-time code, so all activity is named." The code expires after 10 minutes.

If the room requires terms acceptance (NDA), the guest meets Accept terms to access with the checkbox "I have read and accept the terms" and the button Accept and continue.

One-time code (OTP): Makes every view named
NDA acceptance: Logged with timestamp + email
Digital signing: Adds email code + name signature

The acceptance is recorded with timestamp and email in the activity log — and if Require digital signing is enabled, also with the guest's name signature. The event is logged as "Accepted terms (NDA)".

4Daily cleanup cron

The cleanup runs automatically. A daily background job empties expired trash files and performs the GDPR purge on archived rooms that have reached their deletion date. You do not need to do anything manually — just set the periods and the room keeps itself tidy.

Note

Want a full audit trail before a room is closed? Use Close the deal (closing), which builds a zip with all documents, the activity log, the index and NDA acceptances before the room is archived.

Next steps