Retention
File lifetimes
| Tier | Inputs | Outputs |
|---|---|---|
| Free | 24 hours | 24 hours |
| Pro | 24 hours | 7 days |
Files auto-delete when their expires_at timestamp passes. Two mechanisms enforce this:
- API cleanup cron — runs nightly, deletes expired MinIO objects and their database rows, and writes an audit log entry (
actor_type: 'system'). - MinIO bucket lifecycle — configured as a safety net on the bucket itself. Even if the cron fails, the object store eventually removes expired files.
You can always delete a file manually before it expires — from the Files page in the web app or via DELETE /v1/files/{id} in the API.
What "deleted" means
- The MinIO object is purged immediately (no soft-delete, no trash).
- The database row is hard-deleted.
- There is no undo.
Metadata stripping
By default, every conversion strips output metadata:
| Worker | What gets stripped |
|---|---|
| Image (sharp) | EXIF, XMP, IPTC, color profiles not needed for the target format |
| Audio (ffmpeg) | ID3 tags, Vorbis comments, chapter markers (-map_metadata -1) |
| Video (ffmpeg) | Stream metadata, chapters, container tags (-map_metadata -1 -map_chapters -1) |
| Document (LibreOffice/pandoc) | Author, creation date, revision history — engine defaults strip them |
| Archive (7z/tar) | Archives have no metadata layer to strip — pass-through |
Pro users can opt in to metadata preservation per-conversion (or globally in Settings). When enabled, the worker skips the strip step and passes the source's metadata through to the output where the target format supports it.
Not all formats carry metadata
Enabling "Preserve metadata" on a PNG → JPG conversion keeps EXIF, but enabling it on a TXT → PDF conversion has no effect — plain text has no metadata to preserve.
Quarantined files
If ClamAV flags an upload as infected during finalization:
- The uploaded object is deleted immediately.
- The file row is marked
kind = 'quarantined'. - The conversion is set to
status = 'failed'witherror_code = 'malware'. - An audit log entry is written.
- The user sees a "Malware detected" error in the UI or a
422in the API.
Quarantined rows are cleaned up by the same nightly cron alongside expired files.
Privacy
- Files are stored on encrypted ZFS-backed MinIO volumes.
- Object keys are scoped per user — one user cannot reference another's file ID.
- No PII is stored beyond email and display name.
- See Data handling for the full privacy breakdown.