Data Retention & Anonymization Policy (Draft)
Status: Draft — retain as living guidance until concrete windows are agreed and implemented.
Scope
Defines retention/anonymization rules for tenant-scoped data. All timelines are placeholders until confirmed.
Data Classes & Proposed Actions
| Data Type | Action | Placeholder Window | Notes |
|---|---|---|---|
| Users | Soft-delete → anonymize | 90 days after delete | Keep minimal audit trail; redact PII fields. |
| Submissions/results | Retain immutable snapshots | TBD (e.g., 1–3 years) | Needed for reporting/appeals; anonymize after window if required. |
| Delivery sessions/events | Retain until submission finalized + retention window | Align with submissions | Events may be pruned earlier once summarized. |
| Compliance artifacts (DSAR, ledger) | Retain per legal basis | TBD | DSAR exports kept for evidence; ledger is append-only. |
| Audit logs | Retain for forensics | TBD (e.g., 1 year) | Avoid PII in payloads; include requestId. |
Enforcement Mechanism (to build)
- Soft-delete columns (`deleted_at`) on high-PII tables where not present.
- Privacy jobs: enqueue `anonymize_*`/`delete_*` jobs based on the above windows.
- Retention worker: scheduled worker scans for expired records and enqueues privacy jobs; runs under TxManager with tenant scope.
- Ledger events: retention/anonymization actions emit `privacy.retention.anonymize` with receipt/hash metadata.
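The following is an added example, not the project's own code, showing the Users row of the table above wired through the three mechanisms in this list: a tenant-scoped scan for soft-deleted rows past the 90-day placeholder window, an anonymize job that redacts PII fields but keeps the row as a minimal audit trail, and an append-only ledger event carrying a receipt hash and requestId rather than any PII. The `users` schema, the `PII_FIELDS` list, the in-memory queue and the plain Python list standing in for the ledger are assumptions; the real TxManager is represented by sqlite3's transaction context manager.

```python
"""Added example (not the project's own code): a minimal retention worker for the
Users row of the policy table.  Assumes a `users` table with nullable `deleted_at`
and `anonymized_at` columns plus `tenant_id`; the job queue, ledger and TxManager
are stand-ins (hypothetical), so the real ones must be substituted."""
import hashlib
import json
import sqlite3
from datetime import datetime, timedelta, timezone

USER_WINDOW = timedelta(days=90)        # placeholder window from the policy table
PII_FIELDS = ("email", "display_name")  # assumed PII columns redacted on anonymization


def sample_now():
    """Fixed 'now' so the constructed sample data below is deterministic."""
    return datetime(2024, 6, 1, tzinfo=timezone.utc)


def open_db():
    """In-memory database with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, "
        "email TEXT, display_name TEXT, deleted_at TEXT, anonymized_at TEXT)"
    )
    now = sample_now()
    rows = [
        (1, "t1", "alice@example.test", "Alice", (now - timedelta(days=120)).isoformat(), None),  # expired
        (2, "t1", "bob@example.test", "Bob", (now - timedelta(days=10)).isoformat(), None),       # inside window
        (3, "t1", "carol@example.test", "Carol", None, None),                                     # not deleted
        (4, "t2", "dave@example.test", "Dave", (now - timedelta(days=400)).isoformat(), None),    # other tenant
    ]
    conn.executemany("INSERT INTO users VALUES (?,?,?,?,?,?)", rows)
    conn.commit()
    return conn


def scan_expired_users(conn, tenant_id, now):
    """Retention worker step: ids of soft-deleted, not-yet-anonymized users whose
    window has elapsed.  Scoped to one tenant so no cross-tenant rows are touched."""
    cutoff = (now - USER_WINDOW).isoformat()
    cur = conn.execute(
        "SELECT id FROM users WHERE tenant_id = ? AND deleted_at IS NOT NULL "
        "AND deleted_at <= ? AND anonymized_at IS NULL ORDER BY id",
        (tenant_id, cutoff),
    )
    return [r[0] for r in cur.fetchall()]


def anonymize_user(conn, user_id, now, request_id):
    """Privacy job: null out PII fields in place, keep the row as the audit trail,
    and return a privacy.retention.anonymize ledger event with a receipt hash."""
    # Column names come from the constant tuple above, never from user input.
    set_clause = ", ".join(f"{col} = NULL" for col in PII_FIELDS)
    conn.execute(
        f"UPDATE users SET {set_clause}, anonymized_at = ? WHERE id = ?",
        (now.isoformat(), user_id),
    )
    # Hash only the post-redaction, non-PII columns so the receipt itself leaks nothing.
    row = conn.execute(
        "SELECT id, tenant_id, deleted_at, anonymized_at FROM users WHERE id = ?",
        (user_id,),
    ).fetchone()
    receipt = hashlib.sha256(json.dumps(list(row)).encode()).hexdigest()
    return {
        "event": "privacy.retention.anonymize",
        "requestId": request_id,
        "tenantId": row[1],
        "userId": user_id,
        "receipt": receipt,
    }


def run_retention(conn, tenant_id, now, ledger, request_id="req-example"):
    """One scheduled run: scan, then execute each privacy job in its own transaction
    and append its event to `ledger` (a list standing in for the append-only ledger).
    Returns the ids that were enqueued so a test can check the policy was applied."""
    job_ids = scan_expired_users(conn, tenant_id, now)
    for uid in job_ids:
        with conn:  # commits on success, rolls back on error (stand-in for TxManager)
            ledger.append(anonymize_user(conn, uid, now, request_id))
    return job_ids


if __name__ == "__main__":
    db, events = open_db(), []
    print("enqueued:", run_retention(db, "t1", sample_now(), events))
    print(json.dumps(events, indent=2))
```

A second run over the same tenant returns nothing, because `anonymized_at IS NULL` keeps the scan idempotent; rows of other tenants and rows still inside the window are untouched, which is the check the "Add tests" open item below asks for.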
Open Items
- Finalize retention windows with legal/ops.
- Extend schema with `deleted_at` where missing (and update queries to filter `deleted_at IS NULL`).
- Implement retention worker + scheduling.
- Add tests to prove expired records are enqueued/anonymized/deleted per policy.