Feature Request: Configurable GDPR-Compliant Log Retention

[cfrietschy]

Hi RustDesk team

First of all, thanks for the great work on RustDesk Server Pro—it's an amazing self-hosted solution!

I’d like to propose a feature request related to log management and GDPR compliance. Currently, it seems that log retention policies are not configurable via the UI or configuration files, which poses challenges when operating in regions with strict data protection laws like the EU.

Feature Request

Implement a configurable log retention policy for RustDesk Server Pro, allowing administrators to:

• Set custom retention durations (e.g., 7, 30, 90 days)
• Enable automatic log rotation and purging
• Optionally anonymize or pseudonymize logs
• Disable certain logging categories if needed

Motivation

In many jurisdictions (e.g., under the GDPR), operators must ensure that personally identifiable information (PII) is:

• Only retained for as long as necessary
• Properly deleted upon user request or after the retention period
• Securely handled with limited access

Providing these settings would make it much easier to stay compliant and build trust with users.

Security & Compliance Benefits

• GDPR / ISO27001 alignment
• Data minimization
• Easier audit readiness
• Improved transparency for users

Possible Implementation Ideas

• YAML config option for log_retention_days
• Log rotation mechanism (e.g., via built-in scheduler or external cron)
• Command-line tools to purge old logs manually
• UI visibility for current log policy

Before I forget, these rules should also apply to the client if it was “baked” using the Pro version

Let me know if there’s anything I can contribute to help make this happen (docs, testing, etc). Would love to hear your thoughts!
Thanks again

[jschaufuss]

That sounds great!

[rustdesk]

We will add this log retention policy.

[rustdesk]

which poses challenges when operating in regions with strict data protection laws like the EU.

This is a self-hosting solution, the data is your own, still limited by GDPR?

[cfrietschy]

Yes, even for self-hosted solutions, GDPR can still apply. Especially when the server is used by a company to provide services to its customers.
If a company self-hosts RustDesk Server to support its clients (e.g. remote IT support), then it may be collecting or processing personal data (such as device identifiers, session logs, or metadata related to user activity). Under GDPR, the company becomes either a data controller or data processor, depending on the relationship.

In such cases, the company is responsible for ensuring compliance with GDPR obligations, which includes:

• Ensuring data minimization and retention limitations
• Providing transparency and access rights to users
• Enabling secure deletion or archiving of logs after a defined period

Having configurable log retention and deletion policies would support companies in fulfilling these obligations and reduce legal risk, especially during audits or data access/deletion requests from users.

This feature would also benefit organizations operating under similar data protection laws, like CCPA or LGPD.

[leitwerk-ag]

I'd love to see this implemented - would really help us a lot.

[rustdesk]

Got it, will be ready soon in next version.

[rustdesk]

@21pages let add this first. Default is 0 days (no retention). add here, below session expire time editbox.

[rustdesk]

https://github.com/rustdesk/rustdesk-server-pro/releases/tag/1.6.1