Karan Saini, a security researcher, said he found a bug that shows direct messages stored in his Twitter archive, which include messages that were deleted and sent between accounts that have since been suspended or deactivated. Saini reported the bug through HackerOne, a bug bounty platform that works with Twitter to reward ethical hackers who disclose vulnerabilities.

A Twitter spokesperson said the latest report is “still open,” so they could not publicly comment on specifics. However, the spokesperson called the issue a “functional bug” rather than a “security bug.”

Saini told TechCrunch he has concerns about Twitter holding onto the messages for years, even after a user deletes their account. Twitter’s privacy policy states that an account disappears 30 days after it is deactivated. However, the company said it keeps log data for up to 18 months. That includes information such as IP address, browser type, operating system, the referring web page, pages visited, location, mobile carrier, and device information.

But think of it this way: Even if you delete an email, that means the other person still has a copy of it in their inbox. Twitter works the same way. The company’s Help Center warns that a user can delete their DM conversations, but the other person will still have a record in their inbox.

Any Twitter user who wants to take a walk down memory lane can download the entire history of their account to see what data Twitter stores on them.