Red Stet
← Back to Help
Help · For admins & teachers · Tier 5 — Admin & account

Data retention & deletion

Red Stet records writing process for a long time on purpose — a recording with receipts is only useful if it can still be checked a year, a term, or a transfer-of-record later. But "long time" isn't "forever and silently." This doc is the map of what lives where, how long it survives, what a student / teacher / admin can delete, and what stays put for FERPA-compliant export.

In this doc
  1. Why Red Stet keeps writing records
  2. What's stored, and where
  3. End-of-year cleanup — archive vs. delete
  4. Student-initiated deletion
  5. Friction-wipe — full account deletion
  6. Close account, keep record
  7. Teacher class-level purge
  8. Admin org-wide export
  9. Backups & recovery windows
  10. FERPA, GDPR, state windows
  11. What Red Stet doesn't do
  12. Asking for help

Why Red Stet keeps writing records

Red Stet keeps two things for the lifetime of the account: the voice profile and the provenance record on every submitted paper. The voice profile is an aggregate signature of how the student writes — rhythm, vocabulary, revision habits. The provenance record is the keystroke-by-keystroke account of how each paper was written. Here's why both stay.

The voice profile is the student's baseline

When a new submission lands, Red Stet compares it to the student's existing profile to ask: does this look like the student's other work? The comparison needs history to mean anything. A fresh-wipe profile has no signal for the first weeks — every submission reads as alien, including the student's own legitimate writing. The profile defends the student from being wrongly flagged at least as often as it helps the teacher catch a real outlier.

The recording on a submitted paper is the receipt

Integrity questions don't always arrive the week a paper is turned in. A grade gets appealed in October for a paper submitted in March. A transfer school asks in the fall about a portfolio piece written the previous spring. An admissions reader follows a verifier link three years after a senior project. All of those need the recording to still exist. If it's gone, the only honest answer to "how was this written?" is "we can't tell anymore" — and that's rarely the answer the student wants. Most contested papers are legitimate. The recording is what proves it.

The student owns the wipe

Lifetime by default isn't permanent. Settings → Privacy has a friction-wipe path that removes recordings, voice profile, and document history in one cascading delete. The wipe takes a seven-day cooldown and a typed confirmation — the exact phrase "wipe my Red Stet history" — because the choice is consequential. For transfer cases, close-account-keep-record anonymize is the quieter path: identifying fields are stripped, but the records stay under a synthetic ID so the prior school keeps the integrity history without the student's name on it.

The same default applies to documents, submissions, marks, notes, grades, and messages: nothing expires unless someone removes it. Archiving a class hides it from dashboards but deletes nothing. Data accumulates, and cleanup is the school's or the student's call. Auto-expiration is opt-in — mechanics in the next section.

Why these two are kept
Voice profile
Baseline for "is this submission different?" — protects against false-positive flags
Lifetime
Provenance on submitted papers
The receipt — the only artifact that survives the question "how was this written?" months later
Lifetime
Friction-wipe path
7-day cooldown + typed confirmation — the student's choice, deliberately consequential
Student-initiated
Close-account-keep-record
Anonymize identifying fields; preserve records under synthetic ID for transfer scenarios
Student-initiated

What's stored, and where

Two storage zones: the browser while the student is composing, and Convex once the paper is submitted.

While the student is composing

The provenance event stream — every keystroke timing, paste position, focus change, scroll snapshot — buffers in browser memory. Nothing leaves the device during writing. The teacher can't see the work in flight. Closing the tab without saving leaves the buffer local; reopening picks it back up.

At submission (and at autosave checkpoints)

The buffered events get wrapped in a signed envelope and uploaded to Convex File Storage as a single blob. The signature covers the whole envelope, so any post-hoc tampering invalidates the chain. From submission forward, the recording lives on the server, readable by the document owner, the assignment teacher, and — once the doc is published as a verifier link — by anyone the owner shares the link with. This is the receipt.

The voice profile

Aggregate statistics across the student's documents: rhythm histograms, vocabulary distribution percentiles, revision-density slugs. No raw keystroke timings, no document text. The profile can answer "is the rhythm of this submission inside the student's normal range?" without exposing the timings themselves. See What's recorded for the field-by-field breakdown.

Documents, marks, notes, grades, messages

All in Convex from the moment they're created. Documents keep their 50 most recent versions for owner-side restore. Marks, notes, grades, and message threads are tied to their assignment or classroom. The owner deletes them; nobody else can.

Auto-expiration is opt-in. Settings → Privacy has an "Auto-expire archived classrooms" field where the owner sets a retention window in days — 548 (about 18 months) is the district-mode suggestion. When set, archived classrooms get purged once now − archivedAt > retentionWindowDays. A reminder email and bell entry land seven days before each expiration so the window can be extended or cleared. Per-class override sits next to the field, for the senior project that needs to live ten years or the one-off workshop that can be purged after thirty days.
Where each kind of data lives
Events while composing
Keystroke timing, paste positions, focus changes
Browser buffer
Recording (post-submit / autosave)
Signed envelope — whole stream uploaded as one blob
Convex File Storage
Voice profile
Aggregate histograms + percentiles; no raw events, no text
Server
Document body + 50 versions
Owner-restorable; older versions purged on rolling basis
Server
Grades, marks, notes, messages
Tied to assignment or classroom
Server

End-of-year cleanup — archive vs. delete

Archive at end of term, not delete. One is reversible; the other isn't.

Archive (reversible)

Class kebab (⋯) → Archive class. The class disappears from your dashboard and every student's. Assignments, submissions, recordings, gradebook, roster all preserved. Flip Show archived on to bring it back.

Delete (one-way)

No "Delete class" button. To delete a class and its records, the admin or owning teacher emails us with the class name and date; we walk through what will be removed before doing it.

Below the class level — single document, mark, assignment — owners delete from in-app menus.

Rule of thumb: archive every term. Records cost nothing and the one time you need them — contested grade, integrity follow-up, transfer record — you'll be glad they're there.
AP Lit · Period 4
English · Fall 2026 · 24 students
Active
AP Lit · Period 4
Spring 2026 · archived May 28 · 22 students
Retained
Edit class details…
Change color
Rotate invite link
Archive class
Note: there is no "Delete class" item in the menu. Deletion is by request only.

Student-initiated deletion FERPA §99.31

Lifetime by default, frictional wipe path for users who want out. The voice profile and recordings accumulate into a portable proof-of-authorship trail — college admissions, employers, grants.

Lifetime is the default

Recordings and voice profile persist indefinitely. Red Stet doesn't auto-purge them regardless of inactivity.

The friction-wipe path

Settings → Privacy → Wipe everything. Non-school-provisioned accounts can initiate a full wipe. Gated:

  • Cost disclosure — what you'll lose (voice profile, every recording, the account). Marked irreversible.
  • Typed confirmation — type "wipe my Red Stet history" before the cooldown starts.
  • 7-day cooldown — cancellable from any signed-in device. Blocks impulse deletes and account takeovers.
  • Final notification on execution.

See Friction-wipe for the per-table inventory.

Account anonymization (alternative to wipe)

Settings → Privacy → Close account, keep record. Removes auth identity; keeps recordings and the writing-rhythm profile tied to the now-disconnected user row. You can't log in; the work stays. See Close account, keep record.

School-provisioned accounts

SSO accounts (Google Workspace / Microsoft / Clever / ClassLink) hide the wipe button. The school is the FERPA records custodian; deletion goes through the school's records officer.

What students can't unilaterally delete

A submitted assignment belongs to the assignment. The student can delete their post-submit personal copy, but the version on the teacher's grading view is the classroom's record — only the teacher (or admin) removes it. Friction-wipe strips the recording from those submissions; the submitted text stays.

Settings → Privacy
Close account, keep record
Removes your auth identity; recordings and writing-rhythm profile stay in place, identity severed.
Wipe everything
Permanently deletes your voice profile, all recordings, and your account. 7-day cooldown. Typed confirmation required.
Wipe is the disaster button; account-anonymization is the gentler option for users who want out but want to preserve the record.

Friction-wipe — full account deletion Settings → Privacy → Wipe everything

The all-the-way-off button. Self-serve for non-school-provisioned accounts — no "contact support" step.

What it deletes:

  • Every provenance recording — event streams, storage files, recording rows
  • Writing-rhythm profile (authorProfiles)
  • Cross-doc provenance chains (provenanceChains)
  • Classroom enrollments and staff memberships
  • The account row, blanked to a tombstone

The 7-day cooldown

Hitting the button schedules the wipe; doesn't run it. Cancel from any signed-in device — request flips to cancelled, nothing is removed. Catches "wait, I have grades to pull first" on day three.

The typed confirmation

Before the cooldown starts, type wipe my Red Stet history exactly. Button stays disabled until match.

What stays on the classroom record

Submitted assignments stay — the gradebook continues to resolve — but the recording is stripped. Work-as-submitted persists for the school as records custodian; the behavioral sidecar is gone.

School-provisioned accounts

Accounts launched from Canvas, Schoology, Moodle etc. hide the wipe button. The school is the records custodian — deletion runs through the district's records officer. The settings panel shows a note pointing there.

One-way. After the cooldown runs, the data is gone. Within the 30-day backup window we may still hold tape; a friction-wipe counts as right-to-be-forgotten and we honor it through backups too if you specify. Ask before initiating if unsure.
Wipe everything
Delete every recording, your writing profile, and the account itself. 7-day cooldown; cancellable from any signed-in device.
Wipe my Red Stet history
Type wipe my Red Stet history to confirm. The button below is disabled until the phrase matches.
wipe my Red Stet history
Cancel Start 7-day countdown
Provenance recordings
Files purged, rows deleted
Removed
Writing-rhythm profile
Aggregate baseline cleared
Removed
Submitted assignments
Stay on classroom record; recording stripped
Retained
Account row
Tombstone; sign-in blocked
Wiped

Close account, keep record Settings → Privacy

Leave Red Stet but preserve past authorship claims. Recordings and the writing-rhythm profile stay live, disconnected from sign-in identity.

What anonymization does

  • Clears email, name, and Clerk auth tokens
  • Clears teacher status, role preset, Stripe customer id, dev flag
  • Flips accountStatus to anonymized
  • Soft-leaves every classroom enrollment and staff role (row stays; leftAt set to now)
  • Cancels any pending friction-wipe — can't be on both paths

What anonymization keeps

  • Provenance recordings, tied to the now-disconnected user row
  • Author profile (rhythm baseline)
  • Submission history on classrooms

One-way

Irreversible. The sign-in binding is gone — you can't sign back in. To return, sign up fresh; the new account doesn't inherit the anonymized recordings.

School-provisioned accounts can't self-anonymize. The LMS owns the identity; severing it locally would break the next launch. Same records-officer route as friction-wipe.
Close account, keep record
Sever sign-in identity; keep recordings and writing-rhythm profile in place. One-way; less destructive than full wipe.
Email + name + auth token
Cleared from row
Removed
Provenance recordings
Stay in place, identity severed
Retained
Classroom enrollments
Soft-leave; row preserved
Soft-removed
Anonymization severs identity, not record. Both paths are one-way.

Teacher class-level purge

To remove a class entirely (not archive), use the export-then-purge flow. Nothing leaves until records are preserved.

Step 1 — Export the class

Owners click Export class next to Archive in the classroom toolbar. Compiles a JSON bundle with every assignment, submission, recording reference, announcement, enrollment, grade snapshot, and the audit log. CSV mirrors of submissions, grades, and the audit log come along for Excel.

The bundle uploads to secure storage; the owner gets an email with a download link. audit/log.json is the canonical "who did what" history.

For account-wide exports — every doc, mark, note, recording reference, assignment, grade, rubric — use Export my account in Settings → Privacy.

Step 2 — Purge

Confirm the bundle and a second email triggers the hard delete of server-side records. Recordings on student devices are unaffected — those belong to the student. The class disappears from active and archived dashboards.

ap-lit-period-4-spring-2026.zip
gradebook.csv
roster.csv
submissions/
chen-ava/essay-1.red.md
chen-ava/essay-2.red.md
kowalski-ben/essay-1.red.md
… 119 more files
Open any .red.md in the verifier to confirm the chain still resolves after export.
The export bundle is the system of record. The server delete only runs after you confirm receipt.

Admin org-wide export

For FERPA records requests, district transfers, contract ends, compliance audits — one bundle of every record tied to the org.

  • users.csv — every user (teachers, students, staff), join date, last activity
  • classrooms.csv — every class, owner, term, archive state
  • assignments.csv + submissions.csv — assignment metadata and gradebook
  • docs/ — per-user document bodies and version history as .red.md
  • provenance-summaries.json — server-side aggregate profile data (no individual keystrokes; those live on student devices)

Delivered through a time-limited signed URL. 14 days to download; not retained server-side after delivery.

Request by emailing us from your district admin address. Two business days to bundle or clarifying question.

org-pinecrest-usd-2026-05-29.zip
users.csv
classrooms.csv
assignments.csv
submissions.csv
docs/
provenance-summaries.json
Signed URL expires 14 days after delivery. Bundle is not retained server-side.

Backups & recovery windows

Convex runs continuous point-in-time backups with a 30-day recovery window. Catch a wrong deletion inside 30 days and we can almost always restore it.

The caveat: restore is manual, by request. No self-serve undo. Email us with class name, user, and deletion date.

Outside the backup window

  • localStorage isn't on backup tape. Recordings a student cleared aren't recoverable — never on our servers.
  • District-instructed hard-deletes may be removed from backups too when the request used right-to-be-forgotten language. Ask before deleting if unsure.
District best practice: archive in May, request hard-delete in August if still needed. The summer gap catches most "wait, we needed that" requests.
Server records (docs, submissions, classes)
30-day point-in-time recovery
Recoverable
Archived classroom
No recovery needed — still live
Retained
Hard-deleted records (RTBF)
May be purged from backups too
Not recoverable
localStorage recordings
Never on our servers
Not recoverable

FERPA, GDPR, state windows

Red Stet operates as a "school official" under FERPA §99.31(a)(1)(i)(B). The district is the data controller; Red Stet acts on the district's instructions.

FERPA records requests

Parent or eligible student requests records through the district; the district forwards to us; we deliver the bundle from Admin org-wide export. Under five business days typical; regulation allows 45.

GDPR / UK GDPR

EU and UK users: Articles 15 (access), 16 (rectification), 17 (erasure) honored when routed through the school. Erasure within 30 days. Where Article 17 conflicts with school recordkeeping, the school decides; we follow.

State-specific windows

Several states have shorter windows: California SOPIPA, New York Education Law §2-d, Illinois SOPPA, Connecticut P.A. 16-189. Shorter state windows win.

A district DPA on file overrides the defaults here.

No DPA? Email us and the template lands the same day.
FERPA records request
Under 5 business days (45-day regulatory ceiling)
Standard
GDPR Article 17 (erasure)
Within 30 days, routed via school
Standard
California SOPIPA
Per district DPA
State
New York §2-d
Per district DPA
State
Illinois SOPPA
Per district DPA
State

What Red Stet doesn't do

Not retained — so "delete X" can't be honored because X was never collected.

  • Clipboard content. Paste records offset and length, never the pasted text.
  • Other browser tabs. The recorder only watches the Red Stet editor.
  • Screen recordings, screenshots, microphone, camera. Not accessed.
  • Geolocation, device fingerprints, IP indexing. Standard Convex / Clerk audit logs exist; no IP analytics.
  • Browsing history outside Red Stet. Other tabs are invisible to us.

Authoritative list: What's recorded and the privacy policy.

Why this matters for deletion: "delete everything Red Stet has about my child" answers to a finite, inspectable bundle. No shadow store.
Clipboard content
Position + length only
Not collected
Other browser tabs
Out of scope
Not collected
Screenshots / screen recording
Never accessed
Not collected
Mic / camera
Never accessed
Not collected
Geolocation / IP indexing
Not joined or queried
Not collected

Asking for help

Class-level purge, org-wide export, hard delete — all email-driven. A human reviews every destructive request before running it.

[email protected]. Include org / district, user or class, what you want done. Two business days typical.

New to Red Stet at your district? Same channel for a DPA template or privacy-policy walkthrough.

Send a deletion request
To: [email protected]
Subject: Retention & deletion — Red Stet

Include:
  • District / school name
  • Class or user identifier
  • What you want done — export, archive, purge, restore
  • The deadline you're working against (if any)
Cancel Send