Billing, security, and what happens at end of cycle
This article covers the operational side of having an AthenAI account: payment, end-of-cycle behavior, cancellation, security, and data retention. None of it is exciting; all of it is stuff you want clear answers on before you ever need to find them.
- Billing runs through Stripe. Update your card in Settings → Billing.
- End of cycle: card auto-charges, tier rolls forward. No surprise upgrades, no surprise overages on standard tiers.
- To cancel today: email support@athenaigrowth.com. The self-serve “Settings → Billing → Cancel” button is on the near-term roadmap.
- After cancellation, your Free site stays live (de-facto today; engineered into the cancellation flow on the roadmap). Your paid features turn off at end of the current billing period.
- Auth: email + password, JWT-backed sessions. 2FA is on the roadmap.
- Data retention: the retention matrix is rolling out (~1 athenai-platform dev-day). Defaults: Free 90 days, Solo+Growth 1 year, Scale 3 years, Custom bespoke. Tenants in regulated industries (healthcare, legal, financial services) get 7-year retention regardless of tier, automatically.
Updating your payment method
Settings → Billing → Update card. The update flow takes you through Stripe Checkout for a card-update intent — you don’t enter card numbers in AthenAI; Stripe handles the form.
This is the same Stripe flow that powers the original signup checkout, so if you’ve used Stripe-backed checkout before, it’ll feel familiar.
If your card is declining at renewal, you’ll get an email from AthenAI within an hour of the failed charge. The grace period is 7 days — your tier features stay on, but you’ll see banner notifications in the dashboard. If the card still hasn’t been updated after 7 days, the tier downgrades to Free until the card is fixed.
What happens at end of billing cycle
If your card is in good standing, nothing dramatic happens — your tier renews, you’re charged the monthly amount, and the next 30 days roll forward.
If you’ve upgraded mid-cycle (say, Solo → Growth), Stripe pro-rates the charge: you pay only the difference for the remaining days of the cycle, and the new tier kicks in immediately.
If you’ve downgraded mid-cycle, the change takes effect at the end of the current cycle (you keep the higher tier’s features until then; you don’t get a refund for the days you don’t use).
Canceling today
Honest framing first: AthenAI is not yet self-serve cancelable. The Settings page has a “Delete Account” surface, but in code today that’s a soft-deactivate of your user row — it doesn’t cancel your subscription, doesn’t tear down your site, and doesn’t trigger an export. Don’t use it as a cancel mechanism.
The clean cancellation flow today:
- Email support@athenaigrowth.com with the subject “Cancel my account.”
- Tell us what you’d like to keep: Free tier (most people), or full account closure.
- We cancel your subscription on Stripe. Stripe stops charging. The next billing date shows $0.
- At end of current cycle, your tier downgrades to Free. Your paid features (workflow runs, GoHighLevel sub-account, custom domain) shut off.
- Your Free site stays live on yourname.athenaigrowth.com.
- If you asked for full closure: we email you an export package (CRM CSV, chat history JSON, site source zip from R2) and proceed to hard-delete after we’ve confirmed the export landed on your end. No retention call, no email gauntlet, no sales pitch.
The self-serve “Settings → Billing → Cancel” button — same flow, no email required — is on the roadmap. We’d rather ship it once it works end-to-end than ship a half-version that strands your data.
What stays, what goes
When you cancel down to Free or fully:
| What | What happens |
|---|---|
| Your Free yourname.athenaigrowth.com site | Stays live. We don’t take it down. |
| Your custom domain | Stops resolving to AthenAI a few hours after the billing-period end. DNS at your registrar still points at us; our side stops responding for that hostname. Re-point your domain at whatever you want next. |
| Your CRM data | Stays in your account if you go to Free; available for export if you fully close. |
| Your chat history | Same — preserved on Free; exportable on close. |
| Your brand kit | Stays in your account; survives a downgrade. |
| Your workflow configuration | Workflows turn off (Free can’t run any), but the configuration is preserved. If you upgrade again later, your old workflow setup comes back. |
| Your GoHighLevel sub-account | Closes when you drop below Solo. Contact data is exported to you if requested. |
Security
A short list of what AthenAI does on security, with honest scope:
- Authentication: email + password. Passwords are hashed with PBKDF2-SHA256 (industry standard; 100,000 iterations with a per-user 16-byte salt) before they hit the database. We don’t store plaintext anything.
- Sessions: JWT-backed. Session tokens are scoped to your tenant; revoking a session (sign out everywhere) takes effect on the next API call.
- Email verification: required at signup. The link is rate-limited to one per minute.
- 2FA: Roadmap. Not yet shipped. If 2FA is a hard requirement for your business, that’s a Custom-tier conversation today; we can offer SSO via Enterprise IdP for Custom contracts.
- Audit log: every meaningful action (workflow run, approval, login, settings change) is logged.
- Data isolation: every API call is tenant-scoped. Cross-tenant reads are blocked at the API layer (we use a tenant_id filter on every query, enforced via a middleware).
- Encryption in transit: all traffic over TLS (Cloudflare-managed certs). No HTTP fallback.
- Encryption at rest: Cloudflare D1 + R2 — both encrypted at rest by Cloudflare’s infra defaults. We don’t add a second layer of envelope encryption today; if your compliance posture requires it, that’s a Custom conversation.
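The password-storage scheme from the Authentication item above (PBKDF2-SHA256, 100,000 iterations, per-user 16-byte salt), sketched in Node.js as an added example. It is not AthenAI's code; the record format, the 32-byte key length, the iteration cap and the function names are assumptions.

```javascript
// Added example (not AthenAI's code): PBKDF2-SHA256 password storage.
const crypto = require('node:crypto');

const ITERATIONS = 100000;       // stated on the page
const SALT_BYTES = 16;           // stated on the page (per-user salt)
const KEY_BYTES = 32;            // assumption: full SHA-256 output length
const SCHEME = 'pbkdf2-sha256';  // assumption: label used in the stored record
const MAX_ITERATIONS = 10000000; // assumption: cap so a corrupt record cannot stall a login

const REJECT = Object.freeze({ ok: false, needsRehash: false });

// Hypothetical record format: scheme$iterations$salt_b64$hash_b64.
// Storing the parameters beside the hash lets the iteration count be raised later.
function hashPassword(password, iterations = ITERATIONS) {
  const salt = crypto.randomBytes(SALT_BYTES); // fresh random salt per user
  const key = crypto.pbkdf2Sync(password, salt, iterations, KEY_BYTES, 'sha256');
  return [SCHEME, iterations, salt.toString('base64'), key.toString('base64')].join('$');
}

function verifyPassword(password, record) {
  const parts = String(record).split('$');
  if (parts.length !== 4 || parts[0] !== SCHEME) return REJECT;
  const iterations = Number(parts[1]);
  if (!Number.isInteger(iterations) || iterations < 1 || iterations > MAX_ITERATIONS) return REJECT;
  const salt = Buffer.from(parts[2], 'base64');
  const expected = Buffer.from(parts[3], 'base64');
  if (salt.length !== SALT_BYTES || expected.length !== KEY_BYTES) return REJECT;
  const actual = crypto.pbkdf2Sync(password, salt, iterations, KEY_BYTES, 'sha256');
  // Constant-time comparison: no early exit on the first differing byte.
  const ok = crypto.timingSafeEqual(actual, expected);
  // A correct login against a record with a lower work factor should be re-hashed.
  return { ok, needsRehash: ok && iterations < ITERATIONS };
}
```

When `needsRehash` is true, the caller can store a fresh `hashPassword` result while it still holds the plaintext from the login request.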
What we don’t do:
- We don’t sell your data. Ever. Not to advertisers, not to “partners,” not to AI training. Your data trains your account’s behavior only.
- We don’t surprise-charge. Tier upgrades are explicit. Overage charges are rare and only on Custom contracts; they’re flagged in the audit log before they post.
- We don’t lock the audit log behind a paid tier. Free, Solo, Scale, Custom — same log surface, just shorter retention on the lower tiers.
Data retention by tier
Audit-log retention is rolling out (~1 athenai-platform dev-day of work). Once enforced, the tier defaults are:
| Tier | Audit log | CRM data | Chat history |
|---|---|---|---|
| Free | 90 days | Indefinite (until you cancel and request hard delete) | 90 days |
| Solo | 1 year | Indefinite | 1 year |
| Growth | 1 year | Indefinite | 1 year |
| Scale | 3 years | Indefinite | 3 years |
| Custom | Bespoke per contract | Bespoke | Bespoke |
Regulated-industry override. Tenants in healthcare, legal, or financial services automatically get 7-year retention on the audit log regardless of tier — that’s the industry compliance floor (HIPAA / financial recordkeeping / legal-hold norms). You don’t have to configure this; AthenAI detects the industry signal from your business profile and applies the override automatically. If you think you should be on the regulated-industry track and aren’t, email support.
If you need an export of any of this for compliance reasons, email support@athenaigrowth.com. Self-serve export (CSV for CRM, JSON for chat, zip for site source) is on the roadmap.
GDPR / CCPA / data deletion
You can request hard-deletion of your account data via support. We honor the request within 30 days (the cooldown gives us time to verify identity and stop any in-flight scheduled work that would otherwise re-create deleted rows).
Deletion includes:
- Your user row, your tenant row, all CRM contacts, chat history, audit log entries, brand kit, site snapshots, custom-domain attach.
- Stripe customer record retention follows Stripe’s policy; we close our reference to it.
- R2 site source + dist artifacts are removed as part of the same hard-delete pass (the automated R2 cleanup pipeline is on the roadmap; today, support handles the deletion manually after the export is confirmed).
What survives:
- Anonymized aggregate analytics (no identifiers, can’t be tied back to you).
- Stripe transaction records that Stripe retains for tax/financial-compliance reasons under their own policy.
When something goes wrong with billing
Common cases and the fix:
| Problem | Fix |
|---|---|
| Card declined at renewal | Update card in Settings → Billing. 7-day grace period before downgrade. |
| Charged the wrong amount | Email support — we’ll verify against your audit log and refund the difference if there’s an error. |
| Tier didn’t upgrade after upgrade-checkout | Wait 5 minutes (Stripe webhook can lag); if still wrong, email support with the Stripe charge ID. |
| Tier didn’t downgrade after canceling | Same — webhook can lag; if it’s been 24 hours and you’re still on the paid tier, email support. |
| Want to dispute a charge | Email support before going through your bank. Disputed charges via the bank usually result in account suspension; we’d rather refund directly. |
Related
- /help/account/pricing-and-tiers/ — what each tier includes
- /help/account/contact/ — how to reach support, response-time expectations
- /help/account/custom-domain/ — what happens to your custom domain when you cancel
- /help/account/approvals-and-control/ — what’s logged, what’s reversible, and how to think about it