Offboarding & data deletion
How to leave Nightjar, get your data out, and have it deleted. Most of this works today and is listed below; honesty up front — a one-click, self-serve deletion of an entire organisation is not built yet, so whole-org deletion is handled out-of-band (see the last section). Everything is labelled so you know what’s a Today capability and what isn’t.
Leaving the Service
You can leave at any time — there is no lock-in step. To wind down cleanly, use the capabilities below to revoke access and remove data.
Revoke access (Today)
Immediate revocation is available for an API key, an OAuth client, or a grant. Revoking one force-closes any live session bound to it, so an agent loses access right away — not at the next token refresh.
The daemon join token is different: it is a pairing secret you hold locally and that the platform does not retain, so platform-side revocation does not apply to it. If you think it is compromised, re-pair the daemon and rotate the token on your side.
Export your data (Today)
Organization data export is available, so you can take your data with you before you delete it. (An org export is an operational capability — it is not the same as an individual data-subject request; see Data-subject requests below.)
Delete data (Today)
- Per-session deletion removes an individual session.
- Reversible soft-delete lets you remove data with a recovery window, and can be escalated to a hard-delete that destroys the organization’s encryption key — after which the organization’s journals and artifacts are cryptographically unrecoverable (crypto-erase).
- A value-free audit record survives deletion: it records that a credential fill occurred, with the identity and credential name — not the secret value (the secret value is not part of the audit).
- Backups expire within 90 days. [JULIAN-CONFIRM: the exact maximum backup-retention figure to state — the system applies a ≤ 90-day mechanism; the policy sets the duration.]
Deleting an entire organisation (out-of-band today)
A self-serve, owner-reachable deletion of a whole organisation is not yet built — the org:delete capability is excluded from every human role today. It is a Target (see the build status). Until it ships, deleting an entire organisation is handled as an
out-of-band procedure: email privacy@nightjar.cloud to request it, and the operator runs the
soft-delete → crypto-erase path above on your behalf.
Data-subject requests
If you are an individual whose personal data Bitspark holds as a controller (account/identity, usage, or operational data), you can make a data-subject request — access, rectification, erasure, portability, restriction, objection — by emailing privacy@nightjar.cloud. Where Bitspark acts only as a processor on your behalf (your session/browsing content, network logs, credential material, tunnel traffic), data-subject requests about that data are directed to you as the controller. The Terms and the Privacy Policy describe this split and the retention periods in full.
Retention periods per data class are a business decision stated in the Privacy Policy; the deletion mechanisms above exist today.