Data Retention Schedule
Last updated: May 31, 2026
Document owner: Privacy and Security Program Lead
Review cadence: Quarterly; immediate review after legal, product, or infrastructure changes impacting records handling
Effective date: 2026-05-31
Controller / Legal entity: EthicPages, Inc.
Registered address: 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ
Primary contact: ethicpages+contact@invictosoft.com
Purpose and relationship to our privacy program
This Data Retention Schedule explains how EthicPages determines retention periods, applies deletion controls, responds to legal hold obligations, and manages backup lifecycles. It supports our Privacy Policy, Security Overview, and contractual commitments under our Data Processing Agreement.
Retention is managed using risk- and obligation-based principles:
- Keep data only as long as needed for defined legal or business purposes.
- Minimize over-retention that increases privacy and security exposure.
- Apply defensible, repeatable deletion processes.
- Preserve data when legal hold obligations require suspension of deletion.
- Ensure backup retention follows controlled lifecycle policies.
Scope
This schedule applies to personal data and business records processed in connection with:
| Data context | Examples |
|---|---|
| Account and identity data | User profile, login metadata, account settings |
| Billing and financial records | Subscription records, invoices, payment metadata |
| Product-generated content | Trust Center documents, hosted pages, exports |
| Support and communications | Email support threads, ticket notes |
| Security and operational logs | Access logs, audit trails, incident artifacts |
| Marketing and consent records | Campaign preferences, subscription status |
| Candidate and people records | Recruiting materials, employment-related records |
| Vendor and procurement records | Supplier onboarding and contractual records |
Retention governance model
Retention governance is embedded in policy, system controls, and operational processes:
| Role | Retention responsibility |
|---|---|
| Privacy lead | Maintains retention policy, legal interpretation, and approval matrix |
| Security lead | Oversees technical controls for lifecycle and deletion operations |
| Engineering | Implements storage lifecycle automation and deletion tooling |
| Finance | Owns tax and financial record retention obligations |
| People operations | Owns candidate and personnel retention obligations |
| Legal | Issues legal holds and release notices |
Detailed retention schedule
The table below provides default retention periods and deletion triggers. Actual retention may vary where law, active disputes, security incidents, or legal holds require preservation.
| Data category | Example data | Default retention period | Deletion trigger | Rationale |
|---|---|---|---|---|
| Account identity | Name, email, role, organization membership | Duration of active account + 30 days | Account closure, workspace deletion, or contract termination | Service operation and transition window |
| Authentication artifacts | Session metadata, MFA enrollment metadata, login timestamps | Up to 12 months rolling | Automated lifecycle expiration | Security monitoring and fraud prevention |
| Password-related records | Password hash and reset token metadata | Duration of account; reset token metadata short-lived | Account deletion; token expiration | Authentication continuity and security |
| Organization profile data | Company profile used for generation | Duration of service use + 30 days | Customer deletion request or account termination | Product functionality and customer continuity |
| Generated Trust Center content | Documents, published pages, markdown exports | Until customer deletion or account termination + 30 days | Customer deletion action; post-termination lifecycle | Customer-controlled service output |
| Product analytics (pseudonymous) | Usage events and feature interactions | Up to 24 months rolling | Automated analytics retention job | Product improvement and service reliability |
| Customer support tickets | Email/ticket body, troubleshooting context | 3 years after ticket closure | Lifecycle purge | Operational continuity and dispute handling |
| Billing subscription metadata | Plan history, invoice IDs, payment status events | 7 years after last financial event | Expiry of statutory financial retention | Tax, accounting, and audit obligations |
| Invoice and tax documentation | Issued invoices, tax IDs (if provided), credits | 7 years (or longer where required by law) | Statutory expiration | Legal and tax compliance |
| Refund and dispute records | Charge disputes, refund approvals, correspondence | 7 years after resolution | Statutory expiration | Financial and legal defense |
| Security event logs | Auth anomalies, access events, detection alerts | 12 months hot + 24 months archived (where required) | Automated lifecycle and archive expiry | Incident investigation and defense |
| Application and infrastructure logs | System logs without long-term business value | 90 days default | Automated rolling purge | Operational diagnostics with minimization |
| Incident response records | Incident timelines, forensic notes, communications | 5 years after incident closure | Retention window expiry unless legal hold | Security governance and legal preparedness |
| Consent and preference records | Marketing opt-ins/opt-outs, notices acceptance | Until consent withdrawal + 30 days (or legal requirement) | Unsubscribe and expiry window | Consent evidence and compliance |
| Cookie consent logs | Jurisdiction-specific consent state | Up to 24 months | Automated expiration | Regulatory defensibility |
| Candidate recruiting records | CV, interview notes, hiring decisions | 24 months after process closure (unless local law differs) | Expiry of recruitment retention window | Future hiring considerations and fairness review |
| Employee records (where applicable) | Contractual and HR records | Per applicable employment law | Statutory or contractual expiry | Labor law compliance |
| Vendor onboarding records | Due diligence and contractual records | 7 years after vendor offboarding | Contract expiry and legal window | Audit and risk management |
| Data processing agreement records | Executed DPAs, amendments, notices | 7 years after customer relationship ends | Expiry of legal/contract window | Contractual accountability |
| Audit trails and policy acknowledgments | Policy acceptance records and control evidence | 5 years | Automated lifecycle after period end | Governance evidence |
| Legal request records | Subpoena/regulatory correspondence | 7 years after closure or as legally required | Legal closure and expiry | Defensibility and compliance |
| Deletion operation logs | Deletion request receipt, execution evidence | 3 years after deletion completion | Lifecycle expiry | Accountability and auditability |
Data minimization and retention-by-design
Retention starts at data design. EthicPages applies minimization controls at collection and storage layers:
- Avoid collecting unnecessary personal data in free-text onboarding fields.
- Prefer identifiers and metadata over full-content retention where feasible.
- Segment retention classes by data category rather than one global retention period.
- Use environment-level lifecycle rules to reduce manual retention drift.
- Review new features for retention impact before general release.
Deletion request and execution procedures
Deletion can be triggered by customer actions, contract termination, policy lifecycle rules, or legal directives.
Standard deletion workflow
| Workflow step | Action |
|---|---|
| Request intake | Deletion request received via product controls or support channel |
| Identity and authority validation | Verify requester rights and scope |
| Scope definition | Identify systems, data categories, and dependent records |
| Hold/conflict check | Verify no active legal hold or unresolved statutory requirement |
| Execution | Run deletion routines across primary systems |
| Verification | Confirm completion and exception handling |
| Logging | Record outcome in deletion evidence trail |
| Notification | Confirm completion to requester where appropriate |
Operational deletion timeline
- Acknowledgement target: within 5 business days.
- Execution target: within 30 days for standard requests.
- Extension model: up to 45 days when legally permitted for complex requests, with notice.
Deletion methods by system type
| System type | Deletion method |
|---|---|
| Primary application database | Record-level delete/anonymize routines with referential integrity checks |
| Object/file storage | Object deletion with lifecycle confirmation |
| Search/index layers | Re-index and purge stale references |
| Log platforms | Rolling retention expiry and targeted purge where feasible |
| Support tooling | Ticket retention rules and selective data redaction where required |
| Analytics systems | Event lifecycle expiration and identity unlinking where applicable |
Where full deletion is not technically feasible in immutable logs, we apply minimization, retention expiry, and restricted access controls.
Backups and retention lifecycle
Backups are required for resilience but must not undermine retention commitments. EthicPages applies a layered backup policy:
| Backup class | Typical retention | Purpose |
|---|---|---|
| Daily operational backups | 30-35 days rolling | Restore from short-term incidents |
| Weekly snapshots | 8-12 weeks rolling | Recovery for delayed detection scenarios |
| Monthly archival backups | Up to 12 months (risk and legal dependent) | Business continuity and major incident recovery |
Backup handling controls
- Backups are encrypted at rest and in transit.
- Access is restricted to authorized personnel with operational need.
- Restore operations are logged and approval-gated.
- Backup media follows lifecycle expiration; expired backups are securely destroyed or overwritten per platform capabilities.
Backup deletion caveat
When data is deleted from primary systems, residual encrypted copies may persist in backups until backup rotation expires. Such data is logically inaccessible in normal operations and is not restored except for authorized disaster recovery purposes. If restored, deletion obligations are re-applied.
Legal holds and retention suspension
Legal holds temporarily suspend standard deletion for data that may be relevant to litigation, investigations, audits, or regulatory matters.
Legal hold process
| Stage | Description |
|---|---|
| Trigger | Legal team issues hold notice based on credible legal/regulatory need |
| Scope definition | Identify systems, custodians, date ranges, and data categories |
| Preservation action | Suspend automated deletion and notify control owners |
| Monitoring | Periodic validation that hold controls remain active |
| Release | Legal team issues documented hold release |
| Resumption | Standard retention/deletion lifecycle resumes with managed catch-up |
Legal hold responsibilities
- Legal determines hold scope and release.
- Security and engineering implement technical hold enforcement.
- Records owners ensure downstream systems honor hold state.
- Audit logs capture hold issuance, modifications, and release events.
Exceptions and jurisdictional variance
Retention periods in this schedule are defaults. Variations may apply due to:
- Local statutory obligations with longer retention requirements.
- Contractual terms agreed with enterprise customers.
- Active security incidents requiring evidence preservation.
- Regulatory inquiry timelines.
- Tax or employment law differences by jurisdiction.
Any exception must have documented rationale, owner approval, and a review date.
Cross-border processing and transfer implications
Data retention and deletion controls apply regardless of storage region. Where data is transferred cross-border, applicable safeguards and legal transfer mechanisms still apply as described in our Privacy Policy and DPA. Retention practices do not alter transfer safeguard obligations.
Quality assurance and control testing
EthicPages validates retention controls through:
| Test type | Frequency | Objective |
|---|---|---|
| Lifecycle rule validation | Quarterly | Confirm retention expirations run as intended |
| Deletion workflow drill | Semi-annual | Confirm request execution and evidence quality |
| Backup restore test | Periodic | Verify recoverability and controlled access |
| Legal hold simulation | Annual | Validate hold activation and release process |
| Policy-to-system mapping review | Quarterly | Ensure documented schedule matches implemented controls |
Findings are logged with owners and remediation deadlines.
Customer and data subject rights alignment
This schedule supports rights handling under applicable privacy laws, including access, deletion, and restriction requests. Where EthicPages acts as a processor, we support customer instructions under contractual terms.
For rights process details, see Privacy Policy. For processor obligations, see Data Processing Agreement.
Operational safeguards and incident considerations
Retention controls are linked to broader security posture:
- Access controls limit who can view, retain, or delete sensitive records.
- Change management governs modifications to retention rules.
- Security incident workflows preserve evidence while minimizing over-collection.
- Logging and audit trails provide accountability for retention-impacting actions.
Retention decisions during incidents are documented and reviewed post-incident.
Policy review and change management
This retention schedule is reviewed at least quarterly and whenever material changes occur, including:
- New data categories introduced by product features.
- Infrastructure migrations affecting storage or backups.
- Legal and regulatory requirement changes.
- Significant contractual commitments requiring tailored retention terms.
Material changes are documented with effective dates and owner approval.
Contact and retention requests
Questions about this retention schedule, deletion procedures, or legal hold handling can be directed to:
| Inquiry type | Contact |
|---|---|
| Retention policy inquiries | ethicpages+contact@invictosoft.com (subject: Data Retention) |
| Deletion requests | ethicpages+contact@invictosoft.com (subject: Deletion Request) |
| Legal hold questions | ethicpages+contact@invictosoft.com (subject: Legal Hold) |
| Postal correspondence | EthicPages, Inc., 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ |
Related documents: Privacy Policy · DPA · Security Overview · Corporate Governance · Terms of Service