# Data Retention Policy

**Version:** 1.0

**Effective:** January 2026

**Owner:** Johan Jongsma

**Review:** Annually

---

## 1. Purpose

Define how long inou retains user data and the procedures for data deletion.

---

## 2. Scope

All data stored in inou systems:

- User accounts (dossiers)
- Medical data (imaging, labs, genome, documents, vitals)
- Access logs
- Authentication tokens

---

## 3. Retention Periods

### User Data

| Data Type | Retention Period | Rationale |
|-----------|------------------|-----------|
| Active user data | Indefinite while account active | User controls their data |
| Deleted user data | Immediately purged | User right to deletion |

### System Data

| Data Type | Retention Period | Rationale |
|-----------|------------------|-----------|
| HTTP access logs | 90 days | Security investigation window |
| Audit logs | 7 years | Regulatory compliance (HIPAA) |
| Error logs | 90 days | Debugging and monitoring |

### Authentication Data

| Data Type | Retention Period | Rationale |
|-----------|------------------|-----------|
| Session tokens | 30 days or until logout | Session lifetime |
| API tokens | Until expiry (4 hours) + 24 hours | Cleanup buffer |
| Verification codes | 10 minutes | Security |
| OAuth authorization codes | 10 minutes | OAuth specification |
| Refresh tokens | 30 days or until revoked | OAuth specification |

### Backup Data

| Data Type | Retention Period | Rationale |
|-----------|------------------|-----------|
| Local ZFS snapshots | 30 days | Recovery window |
| Off-site backups | 90 days | Extended recovery option |

---

## 4. User-Initiated Deletion

### Account Deletion

When a user deletes their account:

**Immediate actions:**

- Mark dossier as deleted
- Revoke all active sessions and tokens
- Remove from search and listing

**Within 24 hours:**

- Purge all entries (imaging, labs, genome, documents)
- Remove access grants (given and received)
- Remove from active database

**Retained for compliance:**

- Audit log entries (7 years, anonymized)

### Individual Entry Deletion

When a user deletes a specific entry:

- Entry removed from database immediately
- Removed from local backups per snapshot rotation (30 days)
- Removed from off-site backups per retention schedule (90 days)

### Right to Erasure (GDPR Article 17)

Users may request complete erasure:

1. User submits request via security@inou.com
2. Identity verified
3. Deletion executed within 30 days
4. Confirmation sent to user
5. Request logged for compliance

---

## 5. Automated Retention Enforcement

### Daily Cleanup Jobs

```sql
-- Remove expired auth tokens.
-- The extra 24 hours is the cleanup buffer from section 3; timestamps are
-- compared as text, so expires_at must use the same UTC format as datetime('now').
DELETE FROM oauth_tokens WHERE expires_at < datetime('now', '-24 hours');
DELETE FROM auth_codes WHERE expires_at < datetime('now', '-24 hours');
DELETE FROM refresh_tokens WHERE expires_at < datetime('now', '-24 hours');

-- Remove expired sessions
DELETE FROM sessions WHERE expires_at < datetime('now');

-- Remove old rate limit entries
DELETE FROM rate_limits WHERE created_at < datetime('now', '-24 hours');
```

### Log Rotation

```bash
# Delete log files older than 90 days (the retention window in section 3)
find /tank/inou/*.log -type f -mtime +90 -delete
```

### Backup Rotation

- ZFS snapshots: Automatic rotation, 30-day retention
- Off-site (Google Drive): 90-day retention, older backups removed

---

## 6. Legal Holds

When litigation or investigation requires data preservation:

1. **Identify scope** - Which users/data affected
2. **Suspend deletion** - Exclude from automated purges
3. **Document hold** - Record reason, scope, authorizer, date
4. **Release hold** - When legal matter resolved, resume normal retention

**Current legal holds:** None

---

## 7. Data Export

Users may export their data at any time:

- Full export available via portal
- Formats: JSON (structured data), original files (DICOM, PDFs, images)
- Export includes all user-uploaded data and derived analysis

---

## 8. Backup Data Handling

Deleted data may persist in backups until rotation completes:

| Backup Type | Maximum Persistence After Deletion |
|-------------|-----------------------------------|
| ZFS snapshots | 30 days |
| Off-site backups | 90 days |

Users are informed that complete purge from all backups occurs within 90 days of deletion request.

---

## 9. Third-Party Data

### Proton (SMTP)

- Verification codes only (6-digit numbers)
- No health data transmitted
- Subject to Proton's retention policies

### Google Drive (Backups)

- Encrypted data only; Google cannot read contents
- Retention controlled by inou (90 days)
- Deleted per inou's backup rotation schedule

---

## 10. Compliance Mapping

| Regulation | Requirement | Implementation |
|------------|-------------|----------------|
| GDPR Art. 17 | Right to erasure | Immediate deletion on request |
| GDPR Art. 5(1)(e) | Storage limitation | Defined retention periods |
| HIPAA | 6-year record retention | 7-year audit log retention |
| CCPA | Deletion rights | Same as GDPR implementation |

---

## 11. Verification

### Monthly Review

- [ ] Verify cleanup jobs running
- [ ] Check for orphaned data
- [ ] Review pending deletion requests
- [ ] Confirm backup rotation operating

### Annual Review

- [ ] Review retention periods for regulatory changes
- [ ] Update policy as needed
- [ ] Verify compliance with stated periods

---

*Document end*
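The following is an added example, not part of the policy above or of inou's own tooling. It runs the section 5 daily cleanup SQL against a throwaway in-memory SQLite database populated with constructed rows, reports what survives, and then performs one of the section 11 monthly checks ("check for orphaned data"): unexpired credentials that still belong to a dossier marked deleted. The table layout (`dossiers`, `oauth_tokens`, `auth_codes`, `refresh_tokens`, `sessions`, `rate_limits` with `expires_at`/`created_at` text columns) is an assumption for the example; the policy does not publish its schema.

```python
"""Exercise the inou section 5 cleanup SQL against a constructed SQLite DB.
Added example; the schema and sample rows below are assumptions, not inou's."""
import sqlite3
from datetime import datetime, timedelta, timezone

# The cleanup statements from section 5 of the policy, unchanged.
CLEANUP_SQL = """
DELETE FROM oauth_tokens   WHERE expires_at < datetime('now', '-24 hours');
DELETE FROM auth_codes     WHERE expires_at < datetime('now', '-24 hours');
DELETE FROM refresh_tokens WHERE expires_at < datetime('now', '-24 hours');
DELETE FROM sessions       WHERE expires_at < datetime('now');
DELETE FROM rate_limits    WHERE created_at < datetime('now', '-24 hours');
"""

# Assumed schema for the example only (the policy does not publish one).
SCHEMA = """
CREATE TABLE dossiers       (id INTEGER PRIMARY KEY, deleted INTEGER NOT NULL DEFAULT 0);
CREATE TABLE oauth_tokens   (id INTEGER PRIMARY KEY, dossier_id INTEGER, expires_at TEXT NOT NULL);
CREATE TABLE auth_codes     (id INTEGER PRIMARY KEY, dossier_id INTEGER, expires_at TEXT NOT NULL);
CREATE TABLE refresh_tokens (id INTEGER PRIMARY KEY, dossier_id INTEGER, expires_at TEXT NOT NULL);
CREATE TABLE sessions       (id INTEGER PRIMARY KEY, dossier_id INTEGER, expires_at TEXT NOT NULL);
CREATE TABLE rate_limits    (id INTEGER PRIMARY KEY, created_at TEXT NOT NULL);
"""

TABLES = ["oauth_tokens", "auth_codes", "refresh_tokens", "sessions", "rate_limits"]


def ts(offset_hours: float) -> str:
    """UTC timestamp offset from now, in exactly the text form SQLite's
    datetime('now') yields. The policy's SQL compares these as strings, so a
    row written in local time or with a 'T'/zone suffix would silently escape
    the purge; writers must use this format."""
    t = datetime.now(timezone.utc) + timedelta(hours=offset_hours)
    return t.strftime("%Y-%m-%d %H:%M:%S")


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data: dossier 1 is active, dossier 2 is marked deleted."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO dossiers VALUES (?, ?)", [(1, 0), (2, 1)])
    rows = {
        # expired 30h ago (purged), expired 2h ago (inside 24h buffer), valid 3h
        "oauth_tokens": [(1, ts(-30)), (1, ts(-2)), (1, ts(3))],
        # expired two days ago (purged), valid for 5 more minutes
        "auth_codes": [(1, ts(-48)), (1, ts(1 / 12))],
        # expired 40 days ago (purged); valid token of deleted dossier 2; valid token of dossier 1
        "refresh_tokens": [(1, ts(-40 * 24)), (2, ts(10 * 24)), (1, ts(20 * 24))],
        # expired 1h ago (purged), valid for 10 days
        "sessions": [(1, ts(-1)), (1, ts(10 * 24))],
    }
    for table, vals in rows.items():
        conn.executemany(f"INSERT INTO {table} (dossier_id, expires_at) VALUES (?, ?)", vals)
    # created two days ago (purged), created 1h ago (kept)
    conn.executemany("INSERT INTO rate_limits (created_at) VALUES (?)", [(ts(-48),), (ts(-1),)])
    conn.commit()
    return conn


def run_cleanup(conn: sqlite3.Connection) -> None:
    """Apply the section 5 daily job."""
    conn.executescript(CLEANUP_SQL)
    conn.commit()


def remaining_counts(conn: sqlite3.Connection) -> dict:
    """Row count per table; compare before and after to verify the job ran."""
    return {t: conn.execute(f"SELECT COUNT(*) FROM {t}").fetchone()[0] for t in TABLES}


def orphaned_credentials(conn: sqlite3.Connection) -> list:
    """Unexpired tokens/sessions whose dossier is marked deleted. The daily job
    purges by expiry only, so these must be revoked by the account-deletion path
    (section 4); anything reported here is a finding for the monthly review."""
    found = []
    for t in ("oauth_tokens", "refresh_tokens", "sessions"):
        n = conn.execute(
            f"SELECT COUNT(*) FROM {t} WHERE expires_at >= datetime('now')"
            " AND dossier_id IN (SELECT id FROM dossiers WHERE deleted = 1)"
        ).fetchone()[0]
        if n:
            found.append((t, n))
    return found


def main() -> None:
    conn = build_sample_db()
    print("before cleanup:", remaining_counts(conn))
    run_cleanup(conn)
    print("after cleanup: ", remaining_counts(conn))
    print("orphaned credentials of deleted dossiers:", orphaned_credentials(conn))


if __name__ == "__main__":
    main()
```

On the constructed data the job removes one row from every table and keeps everything inside its buffer, while the orphan query still reports the refresh token of the deleted dossier: that token is within its 30-day lifetime, so only the revocation step in section 4 (or the monthly review) catches it.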