# Data Retention Policy

**Version:** 1.0
**Effective:** February 2026
**Owner:** Johan Jongsma
**Review:** Annually

---

## 1. Purpose

Define how long Dealspace retains client data and the procedures for data deletion.

---

## 2. Scope

All data stored in Dealspace systems:

- Projects and deals
- Deal data (requests, responses, documents)
- Participant accounts and access grants
- Access logs
- Authentication tokens

---

## 3. Retention Periods

### Deal Data

| Data Type | Retention Period | Rationale |
|-----------|------------------|-----------|
| Active deal data | Per client agreement | Deal lifecycle varies |
| Closed deals | 7 years from close | Regulatory compliance |
| Deleted deals | 30 days (soft delete), then purged | Recovery window |

### System Data

| Data Type | Retention Period | Rationale |
|-----------|------------------|-----------|
| HTTP access logs | 90 days | Security investigation window |
| Audit logs | 7 years | Regulatory compliance |
| Error logs | 90 days | Debugging and monitoring |

### Authentication Data

| Data Type | Retention Period | Rationale |
|-----------|------------------|-----------|
| Access tokens | 1 hour expiry | Security |
| Refresh tokens | 7 days or until revoked | Session management |
| Invite tokens | 72 hours or until used | Security |

### Backup Data

| Data Type | Retention Period | Rationale |
|-----------|------------------|-----------|
| Daily backups | 30 days | Recovery window |

---

## 4. Client-Initiated Deletion

### Project Deletion

When a client deletes a project:

**Immediate actions:**

- Mark project as deleted
- Revoke all access grants
- Remove from active listings

**Within 30 days:**

- Soft delete allows recovery
- After 30 days: permanent purge

**Retained for compliance:**

- Audit log entries (7 years, anonymized)

### Individual Entry Deletion

When a user deletes a specific entry:

- Entry soft-deleted immediately
- Removed from backups per rotation schedule (30 days)

### Right to Erasure (GDPR Article 17)

Users may request complete erasure:

1. User submits request via privacy@muskepo.com
2. Identity verified
3. Deletion executed within 30 days
4. Confirmation sent to user
5. Request logged for compliance

---

## 5. Automated Retention Enforcement

### Daily Cleanup Jobs

- Remove expired access tokens
- Remove expired refresh tokens
- Remove expired invite tokens
- Process queued deletions past retention window

### Log Rotation

- Rotate logs older than 90 days
- Audit logs retained for 7 years

### Backup Rotation

- Daily backups: 30-day retention

---

## 6. Legal Holds

When litigation or investigation requires data preservation:

1. **Identify scope** - Which clients/deals affected
2. **Suspend deletion** - Exclude from automated purges
3. **Document hold** - Record reason, scope, authorizer, date
4. **Release hold** - When legal matter resolved, resume normal retention

**Current legal holds:** None

---

## 7. Data Export

Clients may export their data at any time:

- Full export available via platform
- Formats: JSON (structured data), original files
- Export includes all project data and audit logs

---

## 8. Backup Data Handling

Deleted data may persist in backups until rotation completes:

| Backup Type | Maximum Persistence After Deletion |
|-------------|-----------------------------------|
| Daily backups | 30 days |

Clients are informed that complete purge from all backups occurs within 30 days of deletion request.

---

## 9. Third-Party Data

### Hostkey (Hosting)

- Encrypted data only
- Subject to Dealspace's retention policies
- Physical media destroyed per Hostkey procedures

---

## 10. Compliance Mapping

| Regulation | Requirement | Implementation |
|------------|-------------|----------------|
| GDPR Art. 17 | Right to erasure | 30-day deletion on request |
| GDPR Art. 5(1)(e) | Storage limitation | Defined retention periods |
| FADP | Data minimization | Same as GDPR implementation |
| CCPA | Deletion rights | Same as GDPR implementation |

---

## 11. Verification

### Monthly Review

- [ ] Verify cleanup jobs running
- [ ] Check for orphaned data
- [ ] Review pending deletion requests
- [ ] Confirm backup rotation operating

### Annual Review

- [ ] Review retention periods for regulatory changes
- [ ] Update policy as needed
- [ ] Verify compliance with stated periods

---

*Document end*