Data Deletion Policy & Callback — KORA Nexus
Effective date: 2026-05-24 Last updated: 2026-05-24
This document explains how to request deletion of your data from KORA Nexus and describes the technical deletion-callback URL that Meta Platforms requires for App Review.
1. What gets deleted
When you delete your data from KORA, the following are permanently erased within the timelines below:
| Data | When deleted | Timeline |
|---|---|---|
| Facebook user OAuth tokens | On disconnect or deauthorize callback | Immediate |
| Facebook Page-scoped tokens | On Page disconnect or deauthorize | Immediate |
| Cached Page metadata + posts list | On disconnect | Immediate |
| Audit logs related to your user_id | Full account erasure request | Within 7 days |
| Sentry error logs containing your user_id | Sentry auto-rotation | 30 days max |
After deletion, KORA cannot recover the data. If you reconnect later, KORA will re-fetch fresh data from Facebook with the new OAuth grant.
2. How to request deletion
You have three ways to delete your data:
2.1 Disconnect a single Page (immediate)
- Log in to KORA at
https://koranexus.cloud/private/monetize/fanpage - Find the Page in the list
- Click the trash icon on the right
- Confirm — the Page and all its tokens / cached data are erased immediately
2.2 Email request (full erasure, within 7 days)
Send an email to [email protected] with:
- Subject:
Delete my KORA data - Body: Your Facebook user ID (visible at the top of the KORA dashboard after login) or the email you used to log in
The Operator confirms by reply email within 7 days that all data has been erased.
2.3 Revoke from Facebook (auto-deletion within 48 hours)
- Open Facebook → Settings & privacy → Settings → Apps and Websites
- Locate KORA Nexus in the active apps list
- Click Remove
Facebook sends KORA a Deauthorize Callback webhook (technical detail below). KORA reacts by deleting all data associated with your Facebook user ID within 48 hours and you will see a confirmation if you log back in.
3. Technical: Meta Data Deletion Callback URL
Meta requires apps to expose two URLs for deletion handling:
3.1 Deauthorize Callback URL
URL: https://api.koranexus.cloud/api/connect/meta/oauth/deauthorize
What it does:
- Receives a
signed_requestPOST from Facebook when a user removes the KORA app from their Facebook account - Verifies the signed request using
META_APP_SECRET - Extracts
user_idand queues a deletion job - Deletes all
ExternalConnection,MonetizeChannel,MetaResource,PageInsight,Post, andConversationrows owned by that Facebook user_id - Responds 200 OK to Facebook
3.2 Data Deletion Request URL
URL: https://api.koranexus.cloud/api/connect/meta/oauth/data-deletion
What it does:
- Receives a
signed_requestPOST from Facebook when a user requests data deletion through Facebook's settings - Same verification + deletion flow as Deauthorize
- Returns a JSON body with
url(status check) andconfirmation_code:
{
"url": "https://koranexus.cloud/legal/data-deletion-status?code=ABC123",
"confirmation_code": "ABC123"
}
The User can visit the url to confirm deletion completed.
4. What KORA cannot delete
KORA cannot delete:
- Facebook's copy of your data — for that, use Facebook Settings → Your Information → Download Your Information / Delete Account
- Public posts that appear on the Page itself — KORA only deletes its cached copy. To delete the original post on Facebook, edit/delete it from Facebook directly.
- Backups already shipped to Sentry — Sentry retains error logs for up to 30 days then auto-purges. Personal data exposure in errors is minimised (KORA never logs tokens or message bodies).
5. Verifying deletion
After your deletion request completes, you can verify by:
- Logging back into KORA with the same Facebook account — you will see no connected Pages and no historical analytics
- Replying to the confirmation email asking for a JSON export ("no records found" response)
- Visiting the confirmation URL returned by the Data Deletion Callback (Section 3.2)
6. Retention exceptions
Even after deletion request, KORA may retain limited data only when required by law:
- Audit log entries showing the deletion event itself (timestamp, user_id, deletion type) — retained 365 days for compliance audit, then erased
- Anonymised aggregate counts ("X pages connected in May 2026") — these contain no personal identifiers
7. Contact
For deletion requests or questions about this policy:
Đào Mạnh Cường [email protected] Ho Chi Minh City, Vietnam
Response SLA: 7 days from request.