Are Deleted Videos
Really Deleted in AI Systems?

The Gap Between "Deleted" and Gone

In everyday language, "deleted" means gone. The file ceases to exist. No one can access it. No copies remain. This understanding — intuitive, reasonable, and completely wrong for most cloud systems — is the source of a significant amount of misplaced confidence in the privacy of AI video platforms.

In a cloud system, "deleting" a file typically means something considerably more limited: the file is removed from the index of accessible files, so that normal queries and API calls can no longer find it. The underlying data blocks on disk are not immediately overwritten. Backup copies taken before the deletion still exist. Disaster recovery snapshots still contain the file. Training data pipelines may have already copied the file to a separate archive. Log systems may have recorded every API call that referenced the file.

For most users and most use cases, this gap does not matter. A deleted social media clip does not need to be forensically unrecoverable. But for professionals uploading confidential footage — lawyers with client evidence, investigators with sensitive surveillance, healthcare workers with patient-identifiable video — the gap between "deleted from the index" and "actually gone from all systems" is exactly the gap that creates compliance risk, breach exposure, and potential liability.

The Layers Where Deleted Data Can Persist

To understand why deletion is complex in cloud systems, it helps to think of data as existing in layers, each with its own lifecycle and deletion logic:

Primary storage layer: This is the cloud object storage — the AWS S3 bucket, Google Cloud Storage bucket, or equivalent — where your uploaded video and processed output actually live. When a platform "deletes" your file, this is typically what gets deleted. But even here, the deletion may be logical (marking the object as deleted in the storage metadata) rather than physical (overwriting the disk blocks). Most major cloud storage providers do not guarantee immediate physical deletion of object data.

Backup layer: Most cloud infrastructure operators run regular backups of their storage systems. These backups are often retained for 30, 60, or 90 days for disaster recovery purposes. A file that was uploaded and then deleted may remain in backup storage for months after the primary deletion. When a platform says it deleted your file, its backup policy may not have changed.

Disaster recovery snapshots: Separate from regular backups, many platforms maintain point-in-time snapshots for disaster recovery. These snapshots capture the entire state of the storage system at a given moment. A snapshot taken while your file was in primary storage still contains that file, even after the primary copy is deleted.

Training data archives: If the platform uses uploaded content for AI model training, copies of uploaded files may exist in a separate training data archive. These archives are typically managed on a completely different retention schedule from operational storage and may not be included in user-facing deletion operations.

Log systems: Every API call that touches your video — upload, processing, download, delete — is typically logged by cloud infrastructure for security and operational purposes. These logs may not contain the video content itself but may contain metadata, signed URLs, or temporary access credentials that could be used to locate or reconstruct information about the upload.

CDN caches: If a platform uses a content delivery network to serve video files, those files may be cached at CDN edge nodes around the world. CDN caches are typically short-lived (minutes to hours) but their expiry policies vary, and some content may be cached longer than expected.

Legal Processes and Deleted Data

Cloud storage providers can be compelled by legal process to produce data — including data that has been "deleted" at the application layer. If a storage provider maintains disaster recovery snapshots, those snapshots may be producible in response to a subpoena even if the platform's users believe the data was deleted. This is particularly relevant in legal proceedings where the existence of footage — even footage believed to be deleted — could be material.

The implications run in both directions. A lawyer who uploaded client footage and believes it was deleted may find that it still exists in backup systems and is discoverable. An investigator who processed surveillance footage through a cloud platform may find that deleted footage is still accessible through legal process directed at the vendor.

For professionals handling sensitive footage, this means that the relevant question is not "did I delete the file?" but "has the vendor confirmed that all copies — primary storage, backups, snapshots, training archives, logs — have been purged?"

How to Evaluate a Vendor's Deletion Policy

A meaningful deletion policy should specify: the maximum time between deletion request and removal from primary storage; the backup retention policy and when deleted files are purged from backups; whether disaster recovery snapshots are included in deletion; whether training data archives are separate from operational deletion; and the process for confirming that deletion is complete.

Vague statements like "we delete files when you ask us to" or "we take your privacy seriously" are not meaningful deletion policies. A policy that says "files are deleted from primary storage immediately upon user request; backup systems purge deleted files on a 30-day cycle; we do not maintain training data archives that include user uploads" is a meaningful one.

• Ask for the specific retention period for primary storage, backups, and disaster recovery snapshots separately
• Ask whether training data archives are subject to user deletion requests
• Ask whether deletion from primary storage also propagates to backup systems automatically or requires a separate process
• Request a confirmation mechanism that indicates when deletion has propagated to all relevant systems
• For enterprise use, negotiate contractual guarantees of complete deletion across all systems within a defined timeframe

What GDPR and Privacy Laws Require

Under the GDPR's right to erasure (Article 17), controllers of personal data must delete personal data upon a valid erasure request "without undue delay." The law does not define "without undue delay" precisely, but regulators have generally interpreted this as requiring deletion within 30 days. Importantly, the GDPR requires deletion from all processing systems, including backups — though it allows that backup deletion can occur on the backup's normal purge schedule if the backup is not actively used for processing.

CCPA provides California residents with a right to deletion that is similarly comprehensive. Under HIPAA, covered entities and business associates must ensure that PHI is disposed of in ways that render it "unreadable, indecipherable, and otherwise cannot be reconstructed" — a standard that may be difficult to meet if backup systems retain unencrypted copies.

The practical implication: for regulated industries and GDPR-subject organizations, a vendor's deletion policy must be evaluated not just against user experience expectations but against the legal requirements applicable to your use case.

How BetterVideo Handles Deletion

BetterVideo's deletion model is designed around a single principle: when a video is deleted, it should be gone from all systems where BetterVideo is responsible for it. When you delete a video from your dashboard, it is removed from Supabase Storage immediately. Our automated 30-day expiry removes files at the storage layer regardless of user action — this is enforced by a database-level expires_at column, not a manual process.

We do not maintain backup copies of user video files. Backups of our operational database contain metadata records but not video content — the video files live in object storage, which is not included in our database backups. Our GPU processing infrastructure uses ephemeral containers that are destroyed after each job — there is no persistent GPU-side storage that contains video data after a job completes.

We do not maintain training data archives that include user uploads. Our AI models are pre-trained and the processing infrastructure has no mechanism to archive user footage for training purposes. The combination of no backup retention for video files, automated 30-day expiry, and no training archive means that when BetterVideo says a video is deleted, it is deleted across all systems we control.