Hexolus Login

Data Deletion Instructions

Last updated: 2026-05-30

You can request deletion of your personal data from Hexolus at any time. This page describes the process, scope, and limitations.

How to request deletion

  1. Send an email to support@hexolus.com from the email address associated with your Hexolus account.
  2. Include in the subject line: Data deletion request.
  3. In the body, list which categories of data you want deleted:
    • All personal data (full account erasure)
    • Specific data (e.g. only past invoices, only contact info)
  4. If you used Hexolus through a hosting partner who issued you a sub-account, you may also contact that partner directly — they have admin access to your tenant.

What happens next

  • We verify your identity (typically by replying to your email).
  • We respond with a confirmation within 7 business days.
  • We complete the deletion within 30 calendar days of verification.
  • After deletion, you receive a final confirmation email.

What gets deleted

  • Account profile: name, email, phone, address, password hash, sessions, 2FA secrets.
  • Tenant data: if you are a hosting client — your client record + portal user records.
  • API keys: all hxk_* tokens issued to your account are revoked.
  • Webhook endpoints: URLs + encrypted signing secrets.
  • Server logs older than 30 days: any logs referencing your account.

What we MUST retain (and why)

Some categories are retained beyond deletion due to legal or regulatory requirements:

  • Financial transaction records (7 years) — Indonesian tax law (UU KUP) and AML regulations require us to retain records of completed payments, settlements, and invoices. After deletion, these records are de-identified where possible (your name + email are replaced with deleted-user-<id>), but transaction amounts + timestamps + payment method references remain.
  • Webhook delivery audit log (1 year) — required for dispute resolution with downstream clients.
  • Security incident logs — if your account was involved in (or affected by) a security incident, related logs may be retained until the incident is fully closed.

These retention periods follow the same schedule documented in our Privacy Policy §7.

What we cannot delete

  • Data already shared with third-party processors (e.g. payment gateway transaction records, domain registrar registrant info). You may need to contact those processors directly. We will provide their contact info on request.
  • Backups — our database backups have a 30-day rolling retention; deleted data may persist in backups until the backup itself ages out.

Facebook / Social login users

If you registered using a third-party authentication provider (e.g. Facebook Login) and that provider notifies us of an account deletion event via their data-deletion callback, we will treat the notification the same as a direct request: confirm receipt, complete deletion within 30 days, and notify you at the email associated with your account.

Note: Hexolus does not currently offer Facebook Login. This section is included to satisfy Facebook app review requirements should that capability be added in future.

Questions

Email support@hexolus.com. We respond within one business day.