Black Friday / Cyber Monday Alert: Due to increased traffic demand on mobile communication networks, we are expecting potential congestion for US carrier networks during the Black Friday and Cyber Monday period. Customers may experience intermittent SMS and MMS delivery delays. Please refer to our Black Friday / Cyber Monday FAQ page and our Twilio Status page for more information.

Data Retention and Deletion in Twilio Products

Twilio respects the interests and rights of our customers with respect to data retention and deletion. To that end, we provide controls for our customers to manage their own personal data, and also for our customers to delete the personal data relating to their downstream users (such as the recipients of their messages). This guide explains Twilio's policies and user controls for retaining and deleting data.

Data deletion

Generally speaking, you have the ability to manage your own data deletion requests in the following ways:

Twilio customers As a Twilio customer, you have the ability to delete the data you control through normal use of the Twilio services. This includes managing your own data subject requests. For example, you can use our REST API to delete messages or delete call recordings.

If you are unable to use our API, you can always use the API explorer (for example, for SMS messages or for voice calls).

If you would like us to delete all of your personal data, you can manage that through the console as well. We do require you to log in — we cannot delete data on your behalf because we cannot authenticate your request by email.
Twilio SendGrid customers If you’re using the SendGrid service, we delete most data automatically according to our retention schedule, and we provide UIs and APIs that allow you to manage or delete from our service (see “Twilio SendGrid Marketing Campaigns customers” below).

SendGrid does retain some data in pseudonymized form for up to a year. This data is capable of being reidentified with the recipient. We retain backup data for network protection, disaster recovery, and business continuity purposes. Please see the section on data retention below. For data in backups, we provide an automated process that will handle the deletion for you. Just email your request to datasubjectrequests@sendgrid.com. Please include your account ID (or subaccount if applicable), along with the recipient email address you would like us to delete. At your convenience, you can send this in the body of an email or in CSV (comma-separated value) format, such as by attaching a spreadsheet with two delineated columns. Your deletion request will be completed within 30 days.
Twilio SendGrid Marketing Campaigns customers If you’re using the SendGrid Marketing Campaigns service, SendGrid offers a number of self-service features that enable you to control your data, such as deleting a recipient or deleting an address on your contact list.

Please note: these tools will only delete content that you have uploaded to SendGrid, such as contact lists. Please use the email address above for other content.
Mailing lists If you are on Twilio’s mailing list and would like to opt out, please click the unsubscribe link or contact our Support team.

If you are on one of our customers’ mailing lists and would like to opt out, please contact the customer mailing you. All mail sent via SendGrid must contain a valid unsubscribe link. Because we are a processor, we are not able to remove you from our customers’ mailing lists, and we do not provide a way for you to opt out of receiving mail from SendGrid entirely. If you have received spam or abusive email through SendGrid, please report it to our abuse team.
Non customers We are a processor (or a service provider) for all communications content our customers send through Twilio. This means we’re not able to respond to deletion requests from individuals who aren’t our customers. If you are not a Twilio customer and would like us to delete the data we hold about you, please reach out to the Twilio customer with whom you have a relationship (the “controller” of your data) and ask them to delete data on your behalf.

We are unable to respond to requests sent by third party data subject request agents. If you’re a Twilio customer, please follow the process above.

Twilio does not sell personal data. Therefore, we do not provide a “Do Not Sell” link.

Data retention — Twilio services

What about the data that you cannot control via the tools we provide, or, when you self-delete data, or close your account, how long before the data is gone? That’s where data retention comes into play.

In general

How long we store data depends on the service, the type of data in question, and your configuration. For example, we provide storage for messages and media for up to 13 months by default. However, you’re able to configure that storage setting yourself, if you’d rather us keep it for less time, and you can even turn off backup storage.

If that’s not enough, and you’re looking for even more control over what we store — or you’d like us to store nothing at all — we provide Message Redaction, which prevents us from storing your recipients’ phone numbers and messages altogether.

After termination

After you close your account with us, we will delete any Customer Content remaining on our servers after 30 days. We hold Customer Account Data a little longer — generally speaking, we delete it 60 days after you close your account, unless there is a specific need to retain your information longer. We’ll anonymize or delete Customer Usage Data when we no longer require it for the purposes outlined in our Data Protection Addendum.

After deletion

Twilio will immediately process any data deletion requests. However, the timeline for the actual deletion of data will vary depending on several factors, including the type of data, the service you’re using, and any security or legal requirements. Our online documentation for each service provides a detailed list of the properties of each API function — for example, you can see this list for our SMS messaging service. Our documentation will identify, for each of these message properties, whether or not that property is classed as personal information (which we refer to as “PII” — this is personal data, but it’s easier to abbreviate!). We provide a flag: each resource has a flag of either “NOT PII” or “PII MTL: x DAYS.”

If a message property is PII, that “MTL” is the minimum time to live, or the minimum time we must hold that piece of data before deleting it. For the vast majority of our data, our MTL is 30 days.

Data retention — SendGrid service

If you’re using the Twilio SendGrid service, we only hold email message bodies for as long as it takes to send them. Other than your account data, we retain most other personal data, including email recipient data, for a maximum of 37 days (30 days, plus a little extra to finalize the deletion process), except for the purposes of fraud detection, security purposes, troubleshooting, or disaster recovery.

For fraud detection and security purposes, or for troubleshooting, we may take random content samples, which we hold for seven days. Those samples will include end users’ personal information.

For network protection and disaster recovery purposes, we will retain events associated with the email you have sent that can be reidentified with the recipient for up to a year.

As described above, when you ask us to delete your recipient’s data, it takes us about 30 days to complete that process (the data has a 30 day minimum time to live).

For more detail on how we retain and process SendGrid data please see the table below:

SendGrid Data type Retention period Why?
Email message bodies 72 hours* We retain email message bodies only as long as it takes for us to deliver the email. This can take up to 72 hours if we need to retry due to delivery failure.

* Please note that if you choose to use our Scheduled Sending features, we will retain email message bodies for as long as you tell us to (up to 6 days) based on your schedule. However, once the message is sent, we retain the message only as long as it takes to deliver the email.
Content samples 7 days SendGrid uses a process that takes random content samples of emails, which could include personal data such as recipient email address or the content of emails. We retain this information for 7 days, and we use it for both anti-fraud purposes and for troubleshooting.
SendGrid service, generally ~30 days Email message activity, email recipient data, and metadata automatically times out after around 30 days (specifically, it times out after 37 days; it takes a little while for the deletion to process).
Short links 60 days If you're using our Short Links product, the email addresses stored within the short link will be automatically deleted within 60 days.
Data in backups and email event data ~1 year Although most data times out after a maximum of 37 days, SendGrid does retain some data in pseudonymized form for up to a year. This data is capable of being reidentified with the recipient. We retain backup data for network protection, disaster recovery, and business continuity purposes. Additionally, SendGrid retains some email event data for up to a year for anti-abuse purposes.
Customer-controlled data As long as your account is active There is some data that we retain as long as your account is active, and we will not delete. For example, if you're using the Marketing Campaigns service, SendGrid will retain the contact lists you have uploaded for as long as your account is active, unless you use the tools we have provided to delete the information in those lists.

Additionally, we will not delete your suppression list (also known as your opt out or unsubscribe list), and we will not remove an individual's name or email from your suppression list. You are responsible for managing your own suppression list. This is because a suppression list tells an organization who not to email, and it might cause the organization to violate spam laws if they delete data from their suppression lists, just to start emailing individuals who have opted out.
Data we must retain for legal, security, or anti-fraud / anti-spam reasons Indefinite, or as required Additionally, we may retain data longer than these posted retention periods as needed for security, legal, and anti-fraud or anti-spam reasons. We won't be able to delete data that we're retaining for these purposes.

As above, if you would like us to delete the data we're holding in backups, please email datasubjectrequests@sendgrid.com. Note, again, that we cannot delete data we're retaining for anti-abuse or legal purposes.

Have more questions? Submit a request
Powered by Zendesk