The Problem with Content at Rest
Most secure sharing tools focus on access control: who can view, when, for how long. That's necessary, but for some content, it's not sufficient. The moment a document sits on a server—any server—it becomes a liability. It can be subpoenaed. It can be breached. It can show up in an audit you didn't anticipate.
For certain use cases, the only acceptable posture is ephemeral sharing: the content exists just long enough to be consumed, then it's gone. Not archived. Not soft-deleted. Purged.
HTMLvault's Data Retention window is designed for these scenarios. When configured, your HTML is permanently deleted from our infrastructure once your specified viewing constraints are met.
Who This Is For
The Data Retention window serves users who share content that's too sensitive to persist:
- M&A deal teams sharing term sheets or LOIs with outside counsel
- Sales reps sending custom pricing that includes confidential margin data
- HR and recruiting distributing compensation benchmarks or candidate evaluations
- Healthcare and legal teams sharing documents containing PII or PHI
- Security teams distributing incident reports or vulnerability disclosures
If your IT or legal stakeholder has ever asked "where does this data live after it's shared?"—this feature gives you a concrete answer: nowhere, once the window closes.
How It Works
When you create a link and configure the Data Retention window, HTMLvault stores your HTML encrypted at rest (AES-256) just like any other link. The difference is what happens after your viewing constraints are satisfied.
You define the constraint when creating the link. Options include:
- Expiration time — content purged at the scheduled expiry time (e.g., "delete after 72 hours")
- Both constraints — if you set both an expiration and another time-based window, whichever triggers first initiates deletion
Once the constraint is met, our system immediately and irreversibly deletes the HTML payload, the decryption key, and any cached renders. The link record remains (so your analytics persist), but the content is unrecoverable—by you, by us, by anyone.
How to Configure the Data Retention Window
The Data Retention window is a Pro feature, available in the link creation flow. Here's how to set it up:
- Create a new link from the dashboard, API, or any integration (Claude, Zapier, Clay, etc.)
- In the Security Settings panel, locate the Data Retention section
- Toggle the Retention Window on
- Set your desired constraint: an expiration time, or configure multiple time-based windows
- Complete link creation as normal
Via the API, include your expires_at parameter in your POST request body. When the constraint is satisfied, HTMLvault purges the HTML payload automatically—no additional call required.
Worked Example: Sharing a Compensation Proposal
A recruiting operations lead needs to share a custom compensation package with a candidate. The HTML includes base salary, equity grant details, and internal band comparisons—information that should never persist on external systems.
She creates an HTMLvault link with these settings:
- Data Retention window: enabled
- Expiration: 72 hours
- Password protection: enabled (shared via a separate channel)
The candidate views the proposal twice over the next day. At the 72-hour mark, the expiration constraint triggers. HTMLvault purges the HTML payload. The candidate can no longer access the content, and there's no data at rest for legal to worry about.
Limits and Caveats
Before configuring the Data Retention window, understand the tradeoffs:
- Irreversible — once purged, the content cannot be recovered. There is no undo, no backup. If you need the HTML again, you must re-upload it.
- Analytics persist, content doesn't — you retain view counts, geo data, scroll depth, time-on-page, and other analytics. You just can't retrieve or re-serve the original HTML.
- No caching guarantees downstream — HTMLvault deletes data from its own infrastructure. We cannot control browser caches, proxy caches, or screenshots taken by viewers.
- Pro plan required — this feature is not available on Free. Enterprise customers can enforce it as a policy default via admin settings.
- A constraint is required — links must have an expiration set. Links configured to never expire cannot use this mode.
Why This Matters
Sales and recruiting teams regularly share content that's sensitive enough to warrant access controls but not sensitive enough to justify a full secure data room. Without a defined retention window, that means accepting risk: the content sits on a server, and you hope nothing goes wrong.
Configuring a Data Retention window changes the calculus. The recruiting ops lead who sends a comp proposal now has a defensible answer when legal asks about data persistence. The sales rep sharing custom pricing doesn't have to wonder whether that margin data will surface in a breach three years from now. And IT has an auditable, policy-enforceable posture to point to—not just a verbal assurance.
Ephemeral sharing on its own isn't new. Getting it alongside analytics, password protection, PII scanning, and white-labeling—inside a tool that IT already approved—is what makes it practical at scale.
