Data Retention & Deletion Policy

Effective Date: January 1, 2023
Last Updated: December 11, 2024

1. Purpose

This Data Retention & Deletion Policy outlines how Coropos Web Services collects, stores, retains, and deletes personal and business data. This policy ensures compliance with privacy regulations including GDPR, CCPA, and other applicable data protection laws.

2. Scope

This policy applies to all data collected, processed, or stored by Coropos Web Services, including:

Client account information
Website visitor data
Project files and assets
Communications and support tickets
Payment and billing information
Analytics and usage data
Backup and archived data

3. Data Categories and Retention Periods

3.1 Account and Profile Data

Type: Name, email, phone, company information, login credentials
Retention Period: Duration of account existence + 7 years after account closure
Legal Basis: Contract fulfillment, legal obligations (tax, accounting)
Deletion: 7 years after account closure or upon written request if no legal obligation exists

3.2 Billing and Payment Data

Type: Invoices, payment history, credit card tokens (tokenized only - we never store full card numbers)
Retention Period: 7 years from transaction date
Legal Basis: Tax and accounting compliance, fraud prevention
Deletion: 7 years after final transaction (required by tax laws)

3.3 Project Files and Deliverables

Type: Website code, design files, logos, images, content
Retention Period: 90 days after project completion for active clients; 1 year after account closure
Legal Basis: Contract fulfillment, legitimate business interest
Deletion: Automated deletion after retention period unless extended storage is purchased

3.4 Website Backups

Type: Full website backups including database and files
Retention Period:
- Daily backups: 30 days
- Weekly backups: 90 days
- Monthly backups: 12 months (premium plans only)
Legal Basis: Legitimate business interest, service provision
Deletion: Automatic rolling deletion per backup schedule

3.5 Support and Communication Data

Type: Support tickets, emails, chat logs, phone call notes
Retention Period: 3 years from last communication
Legal Basis: Legitimate business interest, quality assurance
Deletion: Automated deletion after 3 years; redaction of personal details after 1 year

3.6 Marketing and Analytics Data

Type: Website analytics, email campaign metrics, cookie data
Retention Period: 26 months maximum (Google Analytics default)
Legal Basis: Consent, legitimate business interest
Deletion: Automatic deletion after 26 months; immediate deletion if consent withdrawn

3.7 Email Data (Google Workspace)

Type: Emails stored in client Google Workspace accounts
Retention Period: Under client control; our backups retain 30 days
Legal Basis: Contract fulfillment
Deletion: Client-managed; our backups follow standard backup retention

3.8 Security and Access Logs

Type: Server logs, access logs, security event logs
Retention Period: 90 days for routine logs; 2 years for security incidents
Legal Basis: Legitimate business interest, security, legal compliance
Deletion: Automated rolling deletion; security incident logs retained for investigation

4. Data Deletion Procedures

4.1 Automated Deletion

We employ automated systems to delete data according to retention schedules:

Daily automated scans identify data past retention periods
Secure deletion processes remove data from active systems
Backup systems are purged according to backup retention schedules
Deletion logs are maintained for compliance auditing

4.2 Manual Deletion Requests

Clients may request early deletion of personal data by:

Emailing privacy@coroposws.com with deletion request
Providing account verification information
Specifying which data should be deleted
Acknowledging that deletion may affect service availability

4.3 Deletion Timeline

Active Systems: Within 30 days of request
Backup Systems: Up to 90 days (next backup rotation cycle)
Archived Data: Up to 180 days
Legal Hold Data: Cannot be deleted until legal obligation expires

4.4 Secure Deletion Methods

Database records: Permanent deletion with no recovery option
File systems: Secure overwrite using industry-standard algorithms
Backups: Removal from backup sets with verification
Cloud storage: Cryptographic erasure and account removal
Physical media: Destruction following NIST 800-88 guidelines (when applicable)

5. Right to Erasure ("Right to be Forgotten")

5.1 GDPR Rights

Under GDPR, EU residents have the right to request deletion of personal data when:

The data is no longer necessary for the purpose it was collected
Consent is withdrawn and there is no other legal basis for processing
You object to processing and there are no overriding legitimate grounds
The data has been unlawfully processed
Deletion is required for compliance with legal obligations

5.2 Exceptions to Right to Erasure

We may refuse deletion requests when data retention is required for:

Compliance with legal obligations (tax records, financial reporting)
Defense against legal claims
Exercise of freedom of expression and information
Public interest or official authority tasks
Archiving purposes in the public interest

6. Data Portability

Before deletion, clients have the right to receive their data in a structured, commonly used format:

Account Data: Exported as JSON or CSV
Website Files: Provided as ZIP archive
Database: Exported as SQL dump
Emails: Exported via IMAP or provided as PST/MBOX files
Delivery Time: Within 30 days of request

7. Account Closure and Data Deletion

7.1 Voluntary Account Closure

When you close your account voluntarily:

Immediate: Account access disabled, services suspended
30 days: Active data archived
90 days: All backups purged except long-term retention items
7 years: Financial records deleted (per legal requirements)

7.2 Involuntary Account Closure

If we close your account for Terms of Service violations:

Immediate access suspension
Data retention for investigation purposes (up to 2 years)
Standard deletion schedules apply after investigation period
Financial records retained per legal requirements

7.3 Inactive Accounts

Definition: No login or service activity for 24 months
Notification: Email notice 30 days before account deactivation
Deactivation: Account suspended, data enters deletion schedule
Recovery: 90-day grace period to reactivate before permanent deletion

8. Third-Party Data Processing

8.1 Subprocessor Data Retention

Third-party services we use have their own retention policies:

Google Workspace: Client-controlled retention
Payment Processors: Minimum 7 years per PCI-DSS requirements
Analytics Providers: 26 months (Google Analytics)
CDN Services: 90 days for logs

We ensure all subprocessors comply with applicable data protection laws.

8.2 Data Processing Agreements

We maintain Data Processing Agreements (DPAs) with all subprocessors that:

Define retention and deletion obligations
Require secure deletion upon contract termination
Mandate compliance with data protection regulations
Include audit rights for compliance verification

9. Legal and Compliance Retention

9.1 Legal Hold

Data subject to legal proceedings or investigations:

Placed on "legal hold" - automatic deletion suspended
Retained until legal obligation expires
Secured separately from active data
Access restricted to authorized personnel only

9.2 Regulatory Requirements

We comply with retention requirements including:

IRS: 7 years for tax-related records
PCI-DSS: Minimum 7 years for payment records
State Laws: Varying requirements (longest period applied)
GDPR: Storage minimization principle

10. Breach Response and Data Deletion

In the event of a data breach:

Compromised data is immediately isolated
Affected users notified within 72 hours (GDPR requirement)
Unauthorized copies deleted wherever possible
Breach response documented and retained for 5 years
Post-breach review may lead to early deletion of affected data types

11. Employee and Contractor Data

Data related to employees and contractors follows different retention schedules:

Employment Records: 7 years after employment termination
Payroll Data: 7 years per IRS requirements
Performance Reviews: 3 years after termination
Access Logs: 2 years after termination

12. Data Minimization

We practice data minimization by:

Collecting only data necessary for service provision
Regularly reviewing data categories for necessity
Implementing "privacy by design" in new features
Anonymizing data when personally identifiable information is not required
Automatically purging temporary data (caches, session data) within 24 hours

13. Client Responsibilities

Clients are responsible for:

Managing data retention settings in their own systems
Downloading backups before account closure if needed
Understanding that deleted data cannot be recovered
Notifying us of any data subject requests from their users
Complying with retention requirements for their own industry/jurisdiction

14. Audit and Compliance

14.1 Internal Audits

Quarterly review of retention compliance
Annual comprehensive data inventory
Verification of automated deletion processes
Review of subprocessor compliance

14.2 Documentation

We maintain records of:

Data categories and retention periods
Deletion requests and completion dates
Legal holds and their justifications
Subprocessor agreements and DPAs
Data breach incidents and responses

15. Policy Updates

This policy is reviewed annually and updated as needed for:

Changes in applicable laws
New service offerings
Technology updates
Best practice evolution

Material changes will be communicated 30 days in advance.

16. Contact Information

For data retention, deletion, or portability requests:

Privacy Email: privacy@coroposws.com
Data Protection Officer: dpo@coroposws.com
General Inquiries: info@coroposws.com

This Data Retention & Deletion Policy is part of our Privacy Policy and Terms of Service. By using our services, you acknowledge and agree to these data retention and deletion practices.