Data Retention Policy
Effective Date: April 30, 2026
Policy Version: 1.0
Policy Owner: Chief Information Security Officer (CISO)
Next Review Date: April 30, 2027
1. Overview: Our Commitment to Data Minimization
At our organization, we believe that protecting your privacy starts with keeping only the data we need, for only as long as we need it. This policy explains how long we retain different types of information and what happens when we no longer need it.
Why This Matters:
- Your Privacy First: Less data stored means less risk to your personal information
- Security by Design: Smaller data footprint reduces exposure to potential breaches
- Regulatory Compliance: We follow Canadian, European, and international privacy laws
- Transparency: You deserve to know exactly what we keep and why
Our Core Principles:
- Collect Only What's Necessary – We don't gather data "just in case"
- Keep It Only As Long As Needed – Clear expiration dates for every data type
- Delete It Securely – Permanent, irreversible removal when retention periods expire
- Respect Your Rights – You can request deletion at any time (with some legal exceptions)
This policy applies to all personal data we process through our Google Cloud Platform infrastructure and integrated AI services (Anthropic Claude, OpenAI).
2. Retention Periods: What We Keep and For How Long
We've established specific retention periods based on legal requirements, security best practices, and operational needs. Here's a clear breakdown:
| Data Category | What It Includes | Retention Period | Deletion Method | Legal Basis |
|---|---|---|---|---|
| User Account Data | Names, emails, passwords, profile information, authentication credentials | 90 days after account deletion | Hard Delete – Permanently removed from all systems | GDPR Art. 17 (Right to Erasure), PIPEDA Principle 4.5 (Limiting Retention) |
| Session Data | Login timestamps, IP addresses, device information, session tokens | 30 days after session ends | Hard Delete – No recovery possible | Security best practice for access monitoring |
| Basic Activity Logs | Page views, feature usage, navigation patterns | 30 days | Hard Delete | Operational troubleshooting and performance optimization |
| Authentication Logs | Login attempts, password changes, multi-factor authentication events | 90 days | Hard Delete | ISO 27001 A.8.15 (Security event logging) |
| Data Modification Logs | Create/update/delete actions on projects, documents, activities | 365 days (1 year) | Hard Delete | ISO 27001 A.8.15, SOC2 CC6.5 (Audit trail requirements) |
| Security Event Logs | Failed login attempts, permission changes, security alerts, suspicious activity | 730 days (2 years) | Archive – Retained but access-restricted | ISO 27001 A.8.15, Regulatory compliance for security investigations |
| Consent Records | Privacy consent decisions, consent timestamps, withdrawal records | 2,555 days (7 years) | Archive – Anonymized after retention period | GDPR Art. 7(1), PIPEDA Principle 4.3.8 (Accountability demonstration) |
What "Hard Delete" Means
When we hard delete data, it's permanently and irreversibly removed from:
- ✅ Our primary databases (PostgreSQL on Google Cloud SQL)
- ✅ All backup systems (deleted rows remain inside existing backups until those backups expire on their own cycle; Cloud SQL automated backups are kept for 7 days)
- ✅ Cloud storage (Google Cloud Storage)
- ✅ AI service caches (Anthropic, OpenAI), subject to each vendor's own deletion window described in Section 6
- ✅ Vector embeddings and search indexes
- ✅ Log files and monitoring systems
Google Cloud Storage applies cryptographic erasure: once the encryption keys for an object are destroyed, the remaining ciphertext is unrecoverable even if residual bits stay on physical disks. Because those keys are Google-managed, key destruction is carried out by Google as part of its deletion process; our deletion command removes the object and Google's key lifecycle completes the erasure.
What "Archive" Means
Archived data is:
- 📦 Moved to secure, access-restricted storage (Google Cloud Storage Archive class)
- 🔒 Stripped of direct identifiers (anonymized: IP addresses become 0.0.0.0, user agents become 'anonymized')
- 🔍 Retained only for compliance or security investigation purposes
- ⏰ Automatically deleted when the archive period expires
Automated Enforcement
We don't rely on manual processes. Our system automatically:
- 🔄 Scans for expired data daily via Cloud Scheduler
- ⚖️ Checks each item against legal holds before deleting
- 📝 Logs every deletion action in an immutable audit trail
- 🚨 Sends alerts if deletion fails for technical reasons
3. Legal Basis: Why These Retention Periods
Our retention schedule is designed to meet requirements from multiple regulatory frameworks that govern how we handle your data:
PIPEDA (Personal Information Protection and Electronic Documents Act)
Canada's federal privacy law
- Principle 4.5 – Limiting Use, Disclosure, and Retention
"Personal information shall be retained only as long as necessary for the fulfillment of those purposes."
How we comply: We've defined specific purposes for each data category and set retention periods that match those purposes. For example, session data is only needed to maintain your login state, so we delete it after 30 days.
- Principle 4.3.8 – Consent Records
Industry best practice: Retain consent records for 7 years to demonstrate accountability
How we comply: We keep your privacy consent decisions for 7 years. When that period ends, the record moves to archive with the identifying fields (IP address, user agent) stripped, so the evidence of consent survives without data that points back to you.
GDPR (General Data Protection Regulation)
European Union privacy law (applies when we process EU residents' data)
- Article 5(1)(e) – Storage Limitation
"Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed."
How we comply: Our retention schedule explicitly defines "necessary" periods for each data type. User account data, for instance, is deleted 90 days after you close your account – enough time to handle accidental deletions, but not indefinite storage.
- Article 17 – Right to Erasure ("Right to be Forgotten")
"The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay."
How we comply: You can request deletion of your data at any time (see Section 4 below). We've built a 30-day grace period for account deletions so you can cancel if you change your mind, then we permanently erase your data.
- Article 7(1) – Conditions for Consent
"The controller shall be able to demonstrate that the data subject has consented to processing of their personal data."
How we comply: We keep consent records for 7 years to prove compliance during audits, and we strip your IP address and user agent from them when they are archived or when you delete your account (Section 4), whichever comes first.
ISO 27001 (Information Security Management)
International standard for information security
- A.8.15 – Logging
"Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed."
How we comply: We retain authentication logs for 90 days, data modification logs for 1 year, and security event logs for 2 years. These logs help us detect and investigate security incidents. After the retention period, they're permanently deleted (except where legal holds apply).
SOC 2 (Service Organization Control 2)
Security and privacy audit standard
- CC6.5 – Logging and Monitoring
"The entity implements controls to log, monitor, and respond to security events."
How we comply: Our audit logs are immutable (cannot be altered or deleted manually) to maintain integrity. We retain them for periods appropriate to their purpose: operational logs for 30-90 days, compliance logs for 1-2 years.
4. Your Rights: How to Request Data Deletion
You have the right to request deletion of your personal data at any time. Here's how it works:
How to Submit a Deletion Request
Option 1: Self-Service (Fastest)
- Log into your account
- Go to Account Settings → Privacy & Data
- Click "Request Account Deletion"
- Confirm your decision
- You'll receive an email confirmation with a 30-day cancellation window
Option 2: Email Request
If you can't access your account, email our Privacy Officer at hello@askbridgit.ca with:
- Your full name
- Email address associated with your account
- Reason for deletion (optional but helpful)
Option 3: Through Your Organization Admin
If you're part of an organization on our platform, your admin can initiate deletion on your behalf (you'll still receive confirmation and cancellation rights).
What Happens After You Request Deletion
Timeline: 30 Days from Verified Request
| Phase | Days | What Happens |
|---|---|---|
| Verification | 1-3 | We confirm your identity and check for any legal holds (see Section 5) |
| Grace Period | 4-30 | You can cancel anytime during this window – just click the link in your confirmation email |
| Anonymization | Day 30 | Your email becomes anon_[random]@deleted.local, passwords are erased, profile data is nullified |
| Hard Deletion | Day 30 | Your account, sessions, memberships, and permissions are permanently removed from all systems |
| Confirmation | Day 30 | You receive final confirmation that deletion is complete |
What Gets Deleted
✅ Permanently Removed:
- Your account (name, email, password, profile)
- All active and expired sessions
- Authentication credentials (including MFA secrets)
- Organization memberships and permissions
- Personal activity assignments and metadata
✅ Anonymized (Identity Removed, Data Preserved):
- Audit logs (we replace your user ID with a salted one-way hash, so the security record stays internally consistent but cannot be traced back to you)
- Consent records (we keep the fact that consent was given/withdrawn, but anonymize your IP address and device info)
❌ Not Deleted (Legal Exceptions):
- Data under active legal hold (see Section 5)
- Aggregated/anonymized analytics that can't identify you
- Data required by law (e.g., tax records, if applicable)
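The anonymization steps above (the anon_[random]@deleted.local placeholder, the hashed user ID in audit logs, the stripped IP address and device info on consent records) as working Python. This is an added example, not Bridgit's own code: the record shapes, field names and sample rows are assumptions. The point it makes that the text leaves implicit is that a hash of a user ID is only irreversible if it is salted with a value nobody keeps; naive_token shows the recomputable version for contrast, and anonymize_account draws a fresh random salt per deletion and discards it, so the user's rows stay linkable to each other but not to the person.

```python
"""Anonymizing a deleted account's records. Added example, not Bridgit's code:
the record shapes, field names and sample rows are constructed; the
anon_<token>@deleted.local placeholder, the hashed user ID in audit logs and the
IP / user-agent replacements on consent records follow the policy text."""
import hashlib
import secrets


def naive_token(user_id: str) -> str:
    """Unsalted hash of the user ID. Anyone who knows or can enumerate user IDs
    recomputes it in one call, so rows stay linkable to the person: that is
    pseudonymization, not anonymization. Shown for contrast only."""
    return hashlib.sha256(user_id.encode()).hexdigest()[:16]


def anonymize_account(user: dict, audit_logs: list, consent_records: list) -> str:
    """Strip direct identifiers for one user across every record set.

    One random salt is drawn per deletion and dropped on return, so all of this
    user's rows get the same token (the audit trail stays internally consistent)
    while nobody, the platform included, can recompute it from the user ID
    afterwards. Returns the token so the caller can confirm the mapping."""
    uid = user["id"]
    salt = secrets.token_bytes(32)  # never persisted anywhere
    token = hashlib.sha256(salt + uid.encode()).hexdigest()[:16]
    # Account row: replace the identity, null out credentials and profile.
    user.update(email=f"anon_{token}@deleted.local", name=None,
                password_hash=None, mfa_secret=None, profile=None)
    # Audit rows: keep the event, swap the actor for the token.
    for row in audit_logs:
        if row["user_id"] == uid:
            row["user_id"] = token
    # Consent rows: keep decision and timestamp, drop the identifiers.
    for row in consent_records:
        if row["user_id"] == uid:
            row["user_id"] = token
            row["ip"] = "0.0.0.0"
            row["user_agent"] = "anonymized"
    return token


def sample_data():
    """Constructed rows for two users; only u-1001 is being deleted."""
    user = {"id": "u-1001", "email": "jane@example.com", "name": "Jane Doe",
            "password_hash": "$argon2id$v=19$m=65536,t=3,p=4$c2FsdA$aGFzaA",
            "mfa_secret": "JBSWY3DPEHPK3PXP", "profile": {"title": "Analyst"}}
    audit_logs = [
        {"id": 1, "user_id": "u-1001", "action": "project.update", "ts": "2026-03-01T10:00:00Z"},
        {"id": 2, "user_id": "u-2002", "action": "login", "ts": "2026-03-01T10:05:00Z"},
        {"id": 3, "user_id": "u-1001", "action": "document.delete", "ts": "2026-03-02T09:30:00Z"},
    ]
    consent_records = [{"user_id": "u-1001", "decision": "accepted", "ts": "2025-01-15T12:00:00Z",
                        "ip": "203.0.113.7", "user_agent": "Mozilla/5.0"}]
    return user, audit_logs, consent_records


def run_twice():
    """Anonymize two fresh copies of the same data and return both tokens: a new
    salt each time means they differ, i.e. the mapping cannot be rebuilt from
    the user ID, whereas naive_token("u-1001") is always the same value."""
    return anonymize_account(*sample_data()), anonymize_account(*sample_data())
```

Linkability inside the anonymized set is deliberate: a security investigation still needs to see that entries 1 and 3 were the same actor. If even that linkage is unwanted for a given record type, draw a fresh salt per row instead of per user.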
Verification Requirements
For Self-Service Requests:
Your logged-in session automatically verifies your identity.
For Email Requests:
To protect your privacy, we need to confirm you're the account owner. Please:
- Reply from your registered email address, OR
- Provide two of the following:
  - Account creation date
  - Last login date
  - Names of recent projects or activities
  - Organizations you're a member of
High-Risk Deletions:
If you're an organization admin or have large data volumes, we may require additional verification (video call or government-issued ID) to prevent unauthorized deletion.
Response Time
- Standard requests: 30 days (GDPR/PIPEDA compliant)
- Complex requests: Up to 90 days (we'll notify you within the first 30 days if an extension is needed)
- Urgent requests: Contact our Privacy Officer to discuss expedited processing
If We Can't Delete Your Data
Sometimes we legally cannot delete your data (see Section 5). If this applies, we'll:
- Email you within 15 days explaining the specific legal basis
- Provide a reference to the applicable law or regulation
- Estimate when the exception will expire (if known)
- Delete any non-essential data even if some must be retained
5. Legal Holds: When Retention Periods Are Extended
In certain situations, we're legally required to preserve data beyond normal retention periods. This is called a "legal hold" or "litigation hold."
What Is a Legal Hold?
A legal hold is a formal directive to preserve all relevant information when:
- Litigation is pending, threatened, or reasonably anticipated
- Regulatory investigation is ongoing (e.g., by a data protection authority)
- Government audit requires data preservation
- Court order or subpoena mandates retention
Important: Legal holds override your right to deletion. We cannot erase data subject to a hold, even if you request it, until the legal matter concludes.
Types of Legal Holds
| Hold Type | When Applied | Example |
|---|---|---|
| Litigation | Active lawsuit or credible threat of legal action | Employment dispute, contract breach claim |
| Regulatory | Government agency investigation or inquiry | Privacy audit by Office of the Privacy Commissioner, securities investigation |
| Preservation | Court order or preservation letter received | Subpoena for records, discovery request |
| Audit | Internal or external audit requires data retention | ISO 27001 certification audit, SOC 2 examination |
How Legal Holds Work
Automatic Blocking:
Our retention enforcement system checks every data item against active legal holds before deletion. If a hold applies, the system:
- Skips deletion automatically
- Logs the hold in our audit trail with reason code 'held'
- Preserves full data integrity (no modifications or anonymization)
Hold Scopes:
Legal holds can target:
- Specific users (e.g., "all data for John Smith")
- Projects or organizations (e.g., "all data for Project Alpha")
- Date ranges (e.g., "all data created between Jan-Mar 2024")
- Query-based (e.g., "all data mentioning 'contract dispute'")
Hold Duration:
Holds remain active until:
- The legal matter concludes (litigation settles, investigation closes)
- A system administrator explicitly releases the hold
- The hold's expiration date is reached (if set)
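One way to implement the daily enforcement job from Section 2 (Automated Enforcement) together with the hold checks described above, as an added Python example rather than Bridgit's own code. The Record and LegalHold shapes, the scope constructors, the SCHEDULE table, the in-memory record list, the delete callback and the sample rows are all assumptions standing in for the Cloud SQL tables and the Cloud Scheduler job; date-range and query-based scopes are any predicate over a Record. It shows three things the prose leaves implicit: an active hold is evaluated before the expiry action and short-circuits both deletion and archive anonymization; a failed delete keeps the row and records the failure so an alert can fire instead of the row silently vanishing; and the audit trail is hash-chained so that editing or removing an entry after the fact is detectable with verify_chain, which is what "immutable" has to mean in practice.

```python
"""Daily retention enforcement with legal-hold checks and a hash-chained audit
trail. Added example, not Bridgit's code: Record/LegalHold, SCHEDULE, the
in-memory rows and the delete callback stand in for Cloud SQL and Cloud Scheduler."""
from __future__ import annotations
import hashlib, json
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable

# Retention days and expiry action per category, from the Section 2 table.
SCHEDULE = {"session": (30, "hard_delete"), "activity_log": (30, "hard_delete"),
            "auth_log": (90, "hard_delete"), "modification_log": (365, "hard_delete"),
            "security_event": (730, "archive"), "consent": (2555, "archive")}
GENESIS = "0" * 64  # chain tip before the first audit entry

@dataclass
class Record:
    id: str
    category: str
    created: date
    user_id: str
    org_id: str
    ip: str = ""
    user_agent: str = ""
    archived: bool = False

@dataclass
class LegalHold:
    hold_id: str
    reason: str                       # litigation, regulatory, preservation, audit
    scope: Callable[[Record], bool]   # which records the hold covers
    expires: date | None = None       # optional expiration date
    released: bool = False            # explicitly released by an administrator

    def active(self, today: date) -> bool:
        return not self.released and (self.expires is None or today < self.expires)

# Scope constructors mirroring the hold scopes listed above; any predicate works.
def user_scope(*user_ids: str) -> Callable[[Record], bool]:
    return lambda r: r.user_id in user_ids

def org_scope(*org_ids: str) -> Callable[[Record], bool]:
    return lambda r: r.org_id in org_ids

def _entry_hash(entry: dict) -> str:
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

def enforce(records, holds, today, delete=lambda rec: None):
    """One scheduler run. Returns (surviving records, audit trail, chain tip);
    store the tip out of band and verify_chain() detects any edited entry."""
    kept, audit, tip = [], [], GENESIS

    def log(rec, action, **extra):
        nonlocal tip
        entry = {"record": rec.id, "category": rec.category, "action": action,
                 "date": today.isoformat(), "prev": tip, **extra}
        tip = _entry_hash(entry)
        audit.append(entry)

    for rec in records:
        days, action = SCHEDULE[rec.category]
        if today < rec.created + timedelta(days=days):
            kept.append(rec)                    # retention period still running
            continue
        hold = next((h for h in holds if h.active(today) and h.scope(rec)), None)
        if hold is not None:                    # hold wins: no delete, no anonymization
            kept.append(rec)
            log(rec, "held", hold=hold.hold_id, reason=hold.reason)
        elif action == "archive":
            if not rec.archived:                # strip direct identifiers, keep the event
                rec.ip, rec.user_agent, rec.archived = "0.0.0.0", "anonymized", True
                log(rec, "archived")
            kept.append(rec)
        else:
            try:
                delete(rec)
                log(rec, "deleted")
            except Exception as exc:            # keep the row; this entry drives the alert
                kept.append(rec)
                log(rec, "delete_failed", error=str(exc))
    return kept, audit, tip

def verify_chain(audit, tip) -> bool:
    """Recompute the chain from GENESIS and compare with the stored tip."""
    running = GENESIS
    for entry in audit:
        if entry["prev"] != running:
            return False
        running = _entry_hash(entry)
    return running == tip

def sample_run(delete=lambda rec: None):
    """Constructed rows: held session, live session, security event past 730 days
    under an expired hold, CRUD log past 365 days with no hold."""
    today = date(2026, 4, 30)
    ago = lambda d: today - timedelta(days=d)
    records = [Record("s1", "session", ago(45), "u1", "org-a", "203.0.113.7", "Mozilla/5.0"),
               Record("s2", "session", ago(10), "u2", "org-a", "203.0.113.8", "Mozilla/5.0"),
               Record("e1", "security_event", ago(800), "u2", "org-b", "198.51.100.9", "curl/8.0"),
               Record("m1", "modification_log", ago(400), "u3", "org-b")]
    holds = [LegalHold("LH-1", "litigation", user_scope("u1")),
             LegalHold("LH-2", "audit", org_scope("org-b"), expires=date(2026, 1, 1))]
    return enforce(records, holds, today, delete)
```

The expiry clock here runs from each record's created date; for session data the policy counts from session end, so a real implementation would key that category on the session's last-activity timestamp instead.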
GDPR Article 17(3) Exceptions
Even without a formal legal hold, we may refuse deletion requests under GDPR Article 17(3) when processing is necessary for:
Legal Claims (Art. 17(3)(e)):
- Establishing, exercising, or defending legal claims
- Active or threatened litigation
- Insurance claims requiring supporting evidence
Compliance with Legal Obligations (Art. 17(3)(b)):
- Tax records (7 years under Canada's Income Tax Act)
- Financial records (7 years under securities regulations)
- Employment records (provincial requirements vary, typically 3-7 years)
- Anti-money laundering obligations (5 years under the PCMLTFA, administered by FINTRAC)
Public Interest & Research (Art. 17(3)(d)):
- Archiving in the public interest with appropriate safeguards
- Scientific research where erasure would impair research objectives
What This Means for You
If your deletion request is blocked by a legal hold:
- We'll notify you within 15 days with:
- The type of hold (litigation, regulatory, etc.)
- The legal basis for the hold
- An estimated duration (if known)
- What data is affected
Your request stays on file – Once the hold is released, deletion proceeds automatically
We'll minimize retention – We only keep data directly relevant to the legal matter
You can appeal – Contact our Privacy Officer if you believe the hold is inappropriate
Compliance Alignment
PIPEDA Principle 4.5:
Permits retention beyond normal schedules when "required by law" (e.g., subpoena, court order) or "necessary for legal proceedings."
Quebec Law 25 (Section 12):
Allows retention for "serious and legitimate interest" including fraud investigation, security breach response, and contractual dispute resolution.
ISO 27001:2022 A.5.33 (Protection of Records; A.18.1.3 in the 2013 edition):
Requires records be protected from loss or falsification when needed for statutory, regulatory, or contractual requirements.
6. Third-Party Obligations: How Our Vendors Handle Your Data
We use trusted third-party services to operate our platform. These vendors are contractually bound to follow the same data retention and deletion standards we do.
Our Primary Vendors
Google Cloud Platform (GCP)
- Services Used: Cloud Storage, Cloud SQL (PostgreSQL), BigQuery, Cloud Functions, Compute Engine
- Data Processed: All platform data (user accounts, projects, activities, audit logs)
- Retention Control: We control all retention periods via GCP lifecycle policies and deletion APIs
- Compliance: Google maintains SOC 2 Type II and ISO 27001 certifications (reviewed annually)
- Data Location: Configurable by region; we use Canada and EU regions for Canadian/European users
- Deletion Guarantee: Google deletes data within contracted SLAs when we issue deletion commands
Anthropic (Claude API)
- Services Used: AI-powered content generation and analysis
- Data Processed: User prompts and responses containing project/activity content
- Retention Policy: As of this policy date, Anthropic retains API data for 30 days for abuse monitoring, then deletes (we verify this quarterly)
- Training Opt-Out: We have opted out of data use for model training
- Compliance: Data Processing Agreement covering GDPR and PIPEDA requirements
- Zero Retention Mode: We use Anthropic's enterprise configuration to minimize data retention
OpenAI (API Services)
- Services Used: AI-powered analysis via GPT models
- Data Processed: User prompts and responses for content generation
- Retention Policy: As of this policy date, OpenAI retains API data for 30 days for abuse monitoring, then deletes (we verify this quarterly)
- Training Opt-Out: We have opted out of data use for model training
- Compliance: Data Processing Agreement covering GDPR and PIPEDA requirements
Vendor Requirements
All our data processors must:
✅ Sign a Data Processing Agreement (DPA) covering:
- GDPR Article 28 processor obligations
- PIPEDA Principle 4.1.3 (accountability for data transferred to third parties)
- Data deletion within 30 days of our instruction
- Sub-processor authorization and management
✅ Implement equivalent security measures:
- ISO 27001 or SOC 2 compliance
- Encryption at rest and in transit
- Role-based access controls
- Annual third-party security audits
✅ Support data subject rights:
- Assist with access requests, deletion requests, and data portability
- Respond within our 30-day timeline
- Provide data in structured, machine-readable formats
✅ Notify us of breaches within 24 hours
✅ Submit to audits:
- Provide annual SOC 2 Type II reports or equivalent
- Complete our vendor security questionnaire
- Allow on-site audits if requested
✅ Delete data upon termination:
- Return all personal data in structured format within 30 days, OR
- Securely delete all personal data and certify deletion in writing
- Ensure all sub-processors also delete data
Sub-Processor Management
Our vendors may use their own sub-processors (e.g., Google Cloud uses underlying infrastructure providers). When this happens:
- We receive 30 days' notice before a new sub-processor is engaged
- We can object on reasonable data protection grounds within 15 days
- Same DPA terms apply to all sub-processors via written contracts
- Vendor remains liable for sub-processor compliance failures
Data Location & International Transfers
Primary Processing Location: Canada (Google Cloud North America regions)
International Transfers:
When we process data of EU residents, we use:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Supplementary measures per Schrems II requirements (encryption, access controls)
- Transfer impact assessments documented annually
We do not transfer data to new jurisdictions without explicit authorization and updated SCCs.
How to Verify Vendor Compliance
You can request:
- Current sub-processor list (updated quarterly)
- Vendor security certifications (SOC 2, ISO 27001)
- Data Processing Agreements (redacted for confidentiality)
- Vendor audit summaries (annual reports)
Contact our Privacy Officer at hello@askbridgit.ca for these documents.
7. Contact: Questions About This Policy
We're here to help. If you have questions about data retention, deletion, or your privacy rights:
Privacy Officer
Email: hello@askbridgit.ca
Response Time: Within 5 business days for general inquiries, 30 days for formal data subject requests
For General Questions:
- How long we keep specific types of data
- How to request deletion
- Understanding your privacy rights
- Vendor data handling practices
For Formal Requests:
- Data access requests (GDPR Article 15, PIPEDA Principle 4.9)
- Data deletion requests (GDPR Article 17, PIPEDA Principle 4.5)
- Data portability requests (GDPR Article 20)
- Objections to processing (GDPR Article 21)
- Complaints about data handling
Chief Information Security Officer (CISO)
Email: hello@askbridgit.ca
For Technical Questions:
- Security measures protecting your data
- Encryption and anonymization techniques
- Incident response procedures
- Legal hold procedures
Filing a Complaint
If you believe we've violated your privacy rights, you can file a complaint:
Internal Process:
- Email our Privacy Officer (response within 5 business days)
- We'll investigate and respond within 30 days
- If you're unsatisfied, request escalation to Legal Counsel or CISO
External Authorities:
Canada (PIPEDA):
- Office of the Privacy Commissioner of Canada
- Website: https://www.priv.gc.ca
- Phone: 1-800-282-1376
- Complaint portal: https://www.priv.gc.ca/en/report-a-concern/file-a-formal-privacy-complaint/
Quebec (Law 25):
- Commission d'accès à l'information du Québec
- Website: https://www.cai.gouv.qc.ca
- Phone: 1-888-528-7741
European Union (GDPR):
- Contact the Data Protection Authority in your country
- Directory: https://edpb.europa.eu/about-edpb/about-edpb/members_en
8. Policy Review and Updates
This policy is reviewed annually (next review: April 30, 2027, as stated in the header) or when:
- Privacy laws change
- We add new data categories or services
- Regulatory guidance is updated
- Security incidents require policy adjustments
How You'll Be Notified:
- Email notification to all active users
- Prominent notice on our platform dashboard
- 30-day notice period before changes take effect (unless legally required sooner)
Your Options:
- Review updated policy and continue using the platform
- Request deletion of your data before changes take effect
- Contact our Privacy Officer with concerns about changes
Appendix: Retention Schedule Summary
This table summarizes our complete retention schedule for quick reference:
| Data Category | Retention Period | Deletion Strategy | Legal Basis |
|---|---|---|---|
| User data | 90 days post-deletion | Hard delete | GDPR Art. 17, PIPEDA Principle 4.5 |
| Session data | 30 days | Hard delete | Security best practice |
| Basic activity logs | 30 days | Hard delete | Operational requirement |
| Authentication logs | 90 days | Hard delete | ISO 27001 A.8.15 |
| Data modification logs | 365 days | Hard delete | ISO 27001 A.8.15, SOC2 CC6.5 |
| Security event logs | 730 days | Archive | ISO 27001 A.8.15, Regulatory compliance |
| Consent records | 2,555 days (7 years) | Archive | GDPR Art. 7(1), PIPEDA Principle 4.3.8 |
Last Updated: February 19, 2026
Approved By: Matthew Bromwich, CISO
Data Retention Policy
Bridgit Platform (askbridgit.ca)
Version 1.2 | Effective: April 30, 2026 | Next Review: October 30, 2026
Regulatory Mapping: ISO 27001 (2013 edition A.8.2, A.8.3, A.18.1; 2022 edition A.5.12, A.7.10, A.5.33), GDPR (Art. 5, 17, 28), PIPEDA (Principle 4.5)
1. Purpose
This policy defines data retention periods, deletion procedures, media disposal practices, and data subject erasure rights for all personal data processed through the Bridgit platform. It ensures compliance with GDPR Art. 5(1)(e) (storage limitation), PIPEDA Principle 4.5 (limiting retention), and the ISO 27001 controls on information classification and media handling (A.8.2/A.8.3 in the 2013 edition; A.5.12/A.7.10 in the 2022 edition).
The organization is committed to retaining personal data only as long as necessary for its stated purpose, and to disposing of data and media securely when retention periods expire.
2. Scope
This policy applies to all personal data stored in Cloud SQL (PostgreSQL 15), Redis, Google Cloud Storage, and any local development environments. It covers all data categories: user account data, activity instance data (JSONB), session data, audit logs, consent records, AI conversation logs, and uploaded files. It applies to all personnel with access to platform data and all third-party processors (GCP, OpenAI, Anthropic, Google AI, Cohere, Stripe, Tavily, Apify).
3. Retention Schedule
User Account Data: 90 days post-account deletion. Hard delete. Legal basis: GDPR Art. 17, PIPEDA Principle 4.5.
Session Data: 30 days. Hard delete. Legal basis: security best practice.
View Audit Logs: 30 days. Hard delete. Legal basis: operational requirement.
Authentication Logs: 90 days. Hard delete. Legal basis: ISO 27001 A.8.15.
CRUD Operation Logs: 365 days. Hard delete. Legal basis: ISO 27001 A.8.15, SOC 2 CC6.5.
Security Event Logs: 730 days (2 years). Archive. Legal basis: ISO 27001 A.8.15, regulatory compliance.
Consent Records: 2,555 days (7 years). Archive. Legal basis: GDPR Art. 7(1), PIPEDA Principle 4.3.8.
Activity instance data, AI conversation logs, and uploaded files are retained per organization-configured settings and the retention schedule above.
Retention is enforced through automated Cloud Scheduler jobs (process-deletions, deletion-reminders) running daily in production.
4. Deletion Procedures
Hard Delete: Data is permanently removed from Cloud SQL via SQL DELETE commands. A logical DELETE removes rows from the live database only; copies persist in the automated backups until the 7-day backup window (Section 6) expires. GCP handles physical media sanitization using cryptographic erasure (NIST SP 800-88 compliant). All data at rest is encrypted with AES-256 (Google-managed keys), so key destruction on Google's side, not an action the platform takes itself, is what renders residual ciphertext unrecoverable. Deletion is logged in the audit trail with timestamp, data category, and authorization.
Anonymization: Where data is retained for statistical purposes, personally identifiable fields are replaced with salted one-way hashes or removed entirely. The salt used for an anonymization pass is not retained: a keyed hash whose key stays available is pseudonymization, not anonymization, because the key holder can re-identify the record (GDPR Recital 26). Anonymization is verified to be irreversible on that basis.
Verification: Deletion is verified by confirming the data is no longer retrievable via application queries. Application queries do not cover automated backups, so a deletion is treated as complete only once the 7-day Cloud SQL backup window (Section 6) has also elapsed. Deletion logs are retained for audit purposes.
Documentation: All deletion activities are recorded with: what was deleted, when, who authorized, deletion method, and verification result.
5. Legal Holds
A legal hold suspends normal retention schedules when data must be preserved for litigation, regulatory investigation, internal investigation, audit requirement, or legal counsel directive.
Legal holds are initiated by the Platform Administrator. Affected data is flagged and excluded from automated deletion. Holds remain in place until released by the initiating authority. All hold events (initiation, scope, release) are documented in the audit trail.
Exceptions to the right of erasure under GDPR Art. 17(3) include: compliance with legal obligations, establishment or defense of legal claims, and archiving in the public interest.
6. Third-Party and Vendor Data Handling
All third-party processors are required to comply with data retention and deletion obligations per their Data Processing Agreements:
- GCP: data deleted when Cloud SQL instances, GCS objects, or Secret Manager versions are removed. GCP handles physical media destruction per SOC 2 and ISO 27001.
- AI providers (OpenAI, Anthropic, Google AI, Cohere): user data transmitted in prompts is transient and not retained per DPA terms.
- Stripe: billing data retained per Stripe's retention policy and PCI DSS requirements.
Vendor deletion is verified through review of DPA terms and vendor compliance documentation (SOC 2 reports). Data return procedures are defined in the Vendor Management Policy.
Backup and recovery specifications: Cloud SQL automated daily backups (7-day retention, GCP-managed). Manual pg_dump before each production deployment. Recovery Time Objective (RTO): 1 hour for database, 15 minutes for application. Recovery Point Objective (RPO): 24 hours (daily backup) or deployment-time (manual pg_dump). GCS provides regional redundancy with zero RPO for file storage.
7. Data Subject Rights
Users may request erasure of their personal data by contacting hello@askbridgit.ca or through the platform's account deletion feature. Requests are processed within 30 days of receipt of a verified request.
Erasure is carried out where: data is no longer necessary, consent has been withdrawn, the user objects and no overriding grounds exist, or data was unlawfully processed.
Exceptions: legal retention requirements, active legal holds, ongoing contractual obligations, and compliance with legal claims.
The platform provides a pre-deletion impact assessment and 90-day grace period with a 7-day warning email before permanent deletion.
8. Media Handling and Asset Disposal (ISO 27001:2013 A.8.3; 2022 edition A.7.10)
Bridgit is cloud-native with no physical data center infrastructure. Media disposal is handled at two levels:
Cloud assets (GCP-managed):
- Cloud SQL: data deleted via SQL commands or instance termination. GCP handles physical media sanitization per SOC 2 Type II and ISO 27001 using cryptographic erasure and NIST 800-88 methods.
- Cloud Run: containers are ephemeral, destroyed and rebuilt on each deployment. Old revisions cleaned up per GCP retention.
- GCS: files deleted via API. GCP handles underlying storage sanitization.
- Redis: in-memory data, lost on container restart. No persistent sensitive data, provided Redis persistence (RDB snapshots or AOF) remains disabled.
- Secret Manager: old secret versions disabled and destroyed per GCP lifecycle management.
Developer machines:
- Local database dumps (./backups/): deleted after use. On machine decommission, drive securely wiped.
- Local .env files: deleted when no longer needed. Never committed to source code.
- Git repository clones: removed from decommissioned machines.
- Docker volumes: pruned before machine reassignment.
Media reuse: Cloud Run containers are rebuilt from source on each deployment. Cloud SQL is single-tenant. Developer machines require data cleanup before reassignment (delete backups, .env files, git clones, Docker volumes).
Disposal verification: cloud asset disposal logged in GCP audit logs (timestamp, actor, resource). Internal verification and sign-off for developer machine offboarding.
No paper records containing personal data are maintained in standard operations. GCP maintains certificates of media destruction per their compliance program.
9. Complaint Procedure
Complaints about data retention practices may be submitted to hello@askbridgit.ca. Internal complaints are investigated and responded to within 30 days.
If unsatisfied with the response, individuals may lodge a complaint with:
- Office of the Privacy Commissioner of Canada (for PIPEDA): priv.gc.ca
- Relevant EU supervisory authority (for GDPR): based on the data subject's country of residence
10. Policy Administration
- Version: 1.1
- Effective Date: April 30, 2026
- Last Review: April 30, 2026
- Next Review: April 30, 2027
- Owner: Platform Administrator
- Review Frequency: Annually, or after significant changes to data processing or retention requirements
- Approved By: (signature / name / date)
This policy is maintained alongside the platform source code and is subject to version control. Changes require review and re-approval.