How to handle data retention?


I’ll place this in the Anti-harassment category because the issue of harassment is where I would expect data retention to be most applicable.

Are there admins who have addressed the issue of how to handle deleted accounts / messages in light of the potential for a legal obligation to retain content in the event of legal request?

I know this is poorly phrased but essentially am seeking to proactively setup a data retention schedule which would discourage a user from engaging in some form of actionable behavior today and then deleting all relevant content tomorrow.

I know that one thing that I will do is add information about retention in the TOS for the instance so that users can make an informed decision but would really appreciate any lessons learned, best practices, etc.

If the instance were a small business I could refer to the procedures and laws used by many other businesses (e.g. keep IRS tax records and associated data for at least 7 years) but am unsure what to do here especially with respect to the technology. For example, nightly backups for an instance with less than 10 users is very different than nightly backups for an instance with 100k users (or is it?).

Any ideas, lessons learned, rules-of-thumb, etc are appreciated! To the extent it’s possible I’d like to address these issues before my instance is in use.


I’d say that under current EU law there is no general obligation to retain data. In certain local regulations may vary, as it is in the case of UK, but even under the now-defunct data retention regime I would say Mastodon instance admins were not affected.