How Unison handles your data
What we store, where, for how long, and how to export or delete it.
Updated May 12, 2026
A summary of every piece of data Unison touches and what we do with it.
What we store
| Type | Stored where | Encrypted at rest |
|---|---|---|
| Account email | Postgres | No (used as primary identifier) |
| Password hash | Postgres | bcrypt (cost 10) |
| OAuth tokens | Postgres | AES-256-GCM (`enc:v1:` prefix) |
| Post bodies | Postgres | No (needed in plaintext to publish) |
| Uploaded images | Object storage | Encrypted in transit and at rest |
| Inbox messages | Postgres | No (mirrors what is already public on each network) |
How long we keep it
- Active accounts: as long as the account exists.
- Deleted accounts: 30-day soft-delete window so you can change your mind, then a hard delete that removes everything except billing records (kept for 7 years per tax requirements).
Export
Settings → Privacy → Export my data kicks off a job that produces a JSON bundle of every post, draft, scheduled item, and inbox message tied to your account. You get an email with a signed download link when it's ready (usually under five minutes).
Delete
Settings → Privacy → Delete account initiates the 30-day soft-delete. You can cancel during that window by signing back in.
Need a redacted export, or a deletion outside the soft-delete window?
Email hello@unison.ink and we will handle it manually.