Data Retention and Deletion Policy
- Purpose and Scope
- Roles and Responsibilities
- Data Categories and Retention Schedules
- Data Deletion and Anonymization Methods
- Data in Third-Party Systems (Stripe, S3, and Other Integrated Services)
- Backups and Disaster Recovery
- Legal and Compliance Requirements (GDPR, CCPA, and Global Best Practices)
- Audit Trails, Monitoring, and Review Mechanisms
Purpose and Scope
This Data Retention and Deletion Policy defines how HGA manages the lifecycle of all data in its custody. The purpose of the policy is to ensure that data is retained only for as long as necessary to fulfill business needs and legal obligations, and that data is securely deleted or anonymized when no longer required. This policy applies to all systems and data repositories within HGA, including the HGA Consultant Portal (https://app.humanicsgroup.com), internal databases and email systems, backups, and third-party services integrated with the HGA digital platform (such as Stripe, Amazon S3, and others). It covers all categories of data collected, processed, or stored by HGA – including personal data of consultants and clients, business records, and system logs – in both electronic and physical formats. HGA is committed to compliance with applicable data protection laws (e.g. GDPR in the EU, CCPA/CPRA in California) and global best practices for data lifecycle management.
Roles and Responsibilities
HGA designates specific internal roles responsible for implementing and enforcing this policy across our data ecosystem[1]. Each role’s responsibilities are aligned with their access permissions and area of expertise, ensuring proper oversight and segregation of duties:
- System Manager: The System Manager is responsible for technical enforcement of retention and deletion controls. This includes configuring systems for automated data purging, managing backup routines, and executing secure deletion or anonymization processes. The System Manager maintains data storage and backup infrastructure and ensures that when data must be deleted, it is purged from live databases, file storage (e.g. S3 buckets), and archives in a secure manner[2][3]. They also implement access controls so that only authorized personnel can delete or modify data in accordance with this policy. In the event of a security incident or data breach, the System Manager leads technical efforts to analyze, contain, and support notification processes (in coordination with Legal/Compliance) per Section 7. The System Manager maintains audit logs of data access and deletion activities (see Section 8) and ensures these logs are protected and retained per policy. Finally, the System Manager oversees integration with third-party systems (Stripe, AWS, etc.), ensuring that data flows to these services are documented and that retention/deletion commitments are upheld in those platforms as well.
- Business Developer: The Business Developer oversees the lifecycle of consultant and client data on the HGA platform. They are responsible for managing consultant profiles, CVs, and AI-generated applications throughout their useful life. This role ensures that consultant data is kept up-to-date and relevant while the consultant is active, and that it is reviewed for deletion when it becomes obsolete[4]. For example, the Business Developer must periodically review consultant profiles or CVs that have been inactive for a prolonged period (as defined in the retention schedule) and arrange for their archival or deletion. The Business Developer also manages data relating to project listings, proposals, and communications with consultants. They ensure that any AI-generated application materials or supporting documents are retained for only as long as needed for the application or project process, and are deleted or anonymized afterward per Section 4. When a consultant engagement ends or a candidate is not selected for a project, the Business Developer coordinates the timely removal of personal data associated with that opportunity, in line with the retention timelines in Section 3 (e.g. removing an unsuccessful candidate’s CV after the defined period)[4]. This role serves as a point of contact for consultants exercising data subject rights (e.g. if a consultant requests their data be deleted or updated, the Business Developer facilitates the request in coordination with the System Manager).
- Receivables Officer: The Receivables Officer is responsible for data related to incoming payments and financial records from clients. This includes customer invoices, contracts, payment transactions (including those processed via Stripe), and related accounting records. The Receivables Officer ensures that financial data is retained for the legally required period (e.g. tax records for 7 years)[5][6] and then deleted or archived securely. They must enforce that payment card data or sensitive financial information is not stored longer than necessary in accordance with PCI DSS and privacy laws (for instance, credit card details handled by Stripe are tokenized and not stored on HGA systems beyond the transaction). The Receivables Officer works with the System Manager to delete or anonymize customer billing records once the retention period lapses, except where they must be kept for legal compliance (such as audit or tax obligations). If a client or customer exercises their right to erasure or deletion under applicable law, the Receivables Officer verifies which financial records can be lawfully deleted (versus what must be kept for tax/regulatory reasons) and ensures appropriate actions are taken. This role also keeps documentation of retention justifications for financial data (e.g. citing tax law requirements for 7-year retention) to demonstrate compliance during audits[7][6].
- Payables Officer: The Payables Officer handles data related to payments to consultants and vendors. This includes consultant fee records, payables invoices, expense reimbursements, and associated financial records. The Payables Officer must ensure that personal data in payment records (such as consultants’ bank details or tax ID information in invoices) is protected and retained only as long as needed. Typically, consultant payment records will follow similar retention to financial records (e.g. 7 years for accounting/tax evidence)[6]. The Payables Officer is responsible for purging or anonymizing payables data after the retention period, in coordination with Finance and IT. They also coordinate with the System Manager to ensure that any payment data stored in third-party systems (e.g. records of payouts via Stripe or banking systems) are handled according to this policy. If a consultant requests deletion of their personal data, the Payables Officer confirms that any payout records can be anonymized (for example, removing personal identifiers but keeping transaction amounts for bookkeeping) once legal retention requirements are met. Like the Receivables role, the Payables Officer maintains documentation of the retention schedule for payable records and ensures access controls are in place so that only finance personnel can view or handle detailed payment data.
Access Controls and Training: All roles above must adhere to the principle of least privilege – they only have access to the data necessary for their duties. They are trained on this Data Retention and Deletion Policy and are accountable for compliance. Each role is responsible for reporting any obstacles or issues in executing the policy (e.g. inability to delete certain data due to technical limitations) to HGA management so that remedial action can be taken. The responsibilities and procedures outlined for each role ensure a cross-functional approach[1]: IT (System Manager), business operations (Business Developer), and finance (Receivables/Payables) collaborate to enforce retention rules consistently across all data types.
Data Categories and Retention Schedules
HGA classifies its data into defined categories and assigns a retention period to each category based on legal requirements and business needs. In line with GDPR’s storage limitation principle and CCPA/CPRA requirements, HGA does not keep data indefinitely without justification[8]. Instead, we establish maximum retention periods for each data category and document the rationale. Data will either be deleted or anonymized once its retention period expires, unless an exception applies (such as an ongoing legal hold or explicit legal requirement to retain longer). The major data categories and their retention schedules are as follows:
- Consultant Profiles and CVs: This category includes personal data submitted by consultants in their profiles (e.g. resumes/CVs, education and work history, skills, references, and any identity or certification documents uploaded). Active consultants (those currently engaged or actively seeking opportunities via HGA) will have their profile data retained for the duration of their active participation in the platform. Profile information should be reviewed and updated regularly by the consultant and the Business Developer to ensure relevance. If a consultant becomes inactive, HGA will retain their profile data for up to 2 years from their last login or last project, after which it will be deleted or anonymized. For unsuccessful candidates who submitted CVs for a specific opportunity and were not selected, HGA will retain their CV and application data for 6 months after the close of that recruitment, unless the individual consents to a longer retention (e.g. to be considered for future roles). This limited retention is consistent with EU guidance that unsuccessful candidate data should not be kept as long as hired candidates, and not indefinitely without purpose[4]. Successful candidates who become HGA consultants will have their data retained as part of their consultant profile as noted above. All CVs and personal documents are deleted from the system (and associated storage like S3) at the end of their retention period. Prior to deletion, HGA may anonymize certain data for analytics (e.g. aggregate skill statistics) but will remove or irreversibly de-identify personal identifiers. Justification: 6 months covers typical periods to resolve any hiring disputes or keep a talent pipeline, without unduly prolonging data retention, and 2 years of inactivity for account profiles balances business interest in re-engaging past consultants with the storage limitation principle.
- AI-Generated Applications: HGA’s platform can generate application materials (such as cover letters or proposal text) on behalf of consultants for project opportunities. These AI-generated application documents, which may contain personal data about the consultant (name, qualifications) and information about the target opportunity, are retained for the short term needed to fulfill their purpose. An AI-generated application and its associated data will be stored until the relevant consultancy listing is filled and the recruitment process is closed, plus a brief buffer period for record-keeping. By default, HGA retains AI-generated application records for 6 months following the application submission, allowing for analysis of success rates and potential reuse in that timeframe[9]. After 6 months (or immediately if the consultant requests erasure sooner), the content of AI-generated applications will be deleted or anonymized. In practice, anonymization may involve stripping out personal identifiers and retaining only non-personal metrics (e.g. whether the AI application led to an interview) for improving our services. If an AI-generated application is part of a proposal that led to a project, it is retained as part of the project record (see next category) but the personal data within can be minimized if not needed. Justification: These applications are essentially transient aids for securing work; keeping them beyond a few months is not necessary once their purpose (securing a project) is either achieved or not. This schedule aligns with data minimization principles, while providing HGA a short window to review and learn from the AI’s performance[9].
- Consultant Documents and Project Deliverables: Consultants may upload or generate various documents through the platform, including contractual documents, proposals, project deliverables, reports, timesheets, and other work product. For documents that are part of contract administration or work delivery (e.g. signed contracts, work orders, deliverables to clients), HGA retains these records for at least 6 years after the completion of the relevant project or contract. This period is chosen to cover common statutes of limitation for contract claims or disputes (often 6 years) and to meet record-keeping practices for contractual files[10][11]. In some cases, where applicable law requires a longer period or for important project archives, retention may be extended to 7 years or longer, but any extension must be justified (e.g. a donor requirement to keep project records for 10 years, or an ongoing legal issue). Consultant work products that do not contain personal data (or contain minimal personal data like the author’s name) may be archived for HGA’s knowledge management beyond 6 years, but personal data within such documents should be removed or redacted if not needed. Internal consultant documents (e.g. a copy of a consultant’s diploma or ID used for vetting) should be retained only as long as necessary for verification. For example, an ID scan used to verify identity can be deleted once verification is complete, or retained for a short period (no more than 1 year) in case of audit, then purged. Consultant certifications or licenses may be kept on file during the consultant’s active period and updated or removed when expired. Justification: Contractual and project documents often must be kept to fulfill legal obligations and defend against any disputes – 6 to 7 years is a common business practice for such records[6]. However, any personal data in these records that is not needed (e.g. a consultant’s personal contact info in an old report) should be minimized or anonymized when feasible, especially after the active use period.
- Financial Records (Invoices, Transactions, and Accounting Data): Financial records encompass all billing and payment information – client invoices, consultant invoices, records of payments (receivables and payables), expense records, tax documents, and associated financial correspondence. HGA retains financial and accounting records for a minimum of 7 years from their creation date or last use[5][6]. This retention period aligns with U.S. IRS guidelines and many accounting regulations that require businesses to keep financial records for 7 years for auditing and tax purposes[5]. In some jurisdictions, financial record retention may extend to 10 years; HGA will comply with any local laws that mandate a longer retention for specific financial documents. After the 7-year period (or applicable mandated period), HGA will dispose of financial records securely (see Section 4 for deletion methods). Disposal will include deletion of digital financial data from databases and secure shredding of any physical financial records containing personal or sensitive data. Notably, credit card information and payment details are largely handled by Stripe (a PCI-compliant payment processor); HGA itself does not store full card numbers. Stripe’s records of transactions will also adhere to retention limits – HGA’s policy is to delete or anonymize any personal payment information we control once it is no longer needed (e.g. removing a saved payment method when an engagement ends, or after a refund window closes), unless retention is required for financial compliance. Justification: Retaining financial records for 7 years ensures compliance with tax and corporate record-keeping requirements (e.g. Sarbanes-Oxley for audit papers, general accounting best practice)[7]. It also supports HGA’s legitimate interests in having historical financial data for audits or potential legal claims, while not keeping data indefinitely. All such retention is documented to meet the accountability principle under GDPR (ability to justify retention periods for each data type)[12][3].
- Support Tickets and Customer Support Data: HGA maintains a support ticket system (and related email communications) for technical support, inquiries, or issue resolution on the consultant portal. Support tickets often include user-identifying information (name, email) and the content of their query. HGA will retain support tickets and support-related communications for 2 years from the date of ticket closure by default. This allows the company to analyze support trends over time and reference past issues if a user has follow-up inquiries[13]. After 2 years, support tickets will be deleted or archived in anonymized form. Anonymization in this context means removing personal identifiers of the requester, leaving behind only generic information about the issue for statistical purposes. If a support ticket contains information that must be retained longer for legal reasons (for example, evidence of compliance with a user’s data request or a dispute), it may be tagged for extended retention with approval from the System Manager and Business Developer. However, even in such cases, personal data should be stripped out if feasible and the retention should not exceed what is necessary. Justification: Two years for support data is a best-practice baseline for SaaS companies to document product usage trends and maintain service quality[13]. It balances utility (having historical support context) with risk (older personal data in support logs that is no longer needed should be purged). It also aligns with the expectation under privacy laws that personal data used for customer service should not be kept longer than needed once the issue is resolved.
- Email Communications: This category covers business emails sent or received by HGA staff that may contain personal data or business record information (including internal emails and communications with consultants, clients, or partners via company email accounts). HGA implements an email retention policy to automatically archive and/or delete emails that exceed a certain age, to avoid indefinite storage. Business-critical emails that constitute official records (e.g. communications confirming contract terms, approvals, or important project decisions) should be saved to an appropriate record-keeping system (or exported and stored in project files) and then can be deleted from the live email system. Routine communications not needed for ongoing purposes will be purged after 5 years. By default, HGA will retain emails for up to 5 years, after which they will be automatically deleted from mailboxes, unless flagged for archival. This timeframe sits within the typical 3-7 year range mandated by many regulations for retaining business correspondence[14], leaning toward a proactive cleanup approach to minimize data held. Any email that qualifies as a business record (for example, an email with a client confirming a contract or an important policy decision) should be transferred to a secure archive or document management system and retained according to the relevant category (e.g. contract-related correspondence could be kept 6-7 years as part of the contract file). All other emails (especially those containing personal data like personal discussions, HR communications, etc.) will be deleted after 5 years. HGA’s email servers or cloud service will be configured with retention rules to enforce this automatically when possible. Justification: Email can easily accumulate vast amounts of personal and sensitive data. Retaining everything indefinitely exposes HGA to unnecessary risk and cost. A 5-year retention strikes a balance between business needs (many legal or project references in email would surface within a few years) and compliance, considering that North American regulations generally require 3-7 years retention for business communications[14]. Users are instructed to store any emails that must be kept longer (due to legal hold or ongoing relevance) in designated archive folders that are managed per this policy, rather than in personal mail folders.
Retention Schedule Exceptions: In all categories above, if a legal requirement or official regulation demands a longer retention, HGA will comply with those laws. For instance, if European healthcare data or specific government contract data requires 10-year retention, such data will be retained as required (with documented justification)[15]. Conversely, if a data subject exercises their right to erasure (see Section 7) and no exemption applies, HGA may delete their personal data earlier than the schedule dictates. Furthermore, any data subject to a litigation hold or investigation will not be deleted as scheduled until the hold is lifted (see Section 8 on legal holds). All retention periods are counted from the end of the calendar year in which the record was created or last active, unless specified otherwise (some financial records use tax year plus X years as noted). HGA reviews these schedules regularly to ensure they remain aligned with current laws and business needs, and updates the policy accordingly[16][17].
Data Deletion and Anonymization Methods
When data reaches the end of its retention period or is no longer needed, HGA will either securely delete or appropriately anonymize the data. The method chosen depends on the data category and whether there is a possibility that non-personal insights can be retained without compromising privacy. Below are the standard deletion and anonymization practices by data type:
- Permanent Deletion (Erasure): For most personal data, the primary method is complete erasure from HGA systems. This involves removing the data from active databases and file storage, and ensuring it cannot be reconstructed. The System Manager uses secure deletion procedures in line with industry standards. For database records (e.g. user profiles, transactions), deletion means either executing a database delete command to remove the record entirely or, where direct deletion could compromise referential integrity, overwriting personal fields with blank or dummy values after export. File-based data (documents, images, CV files on S3, etc.) are deleted using the storage provider’s secure delete function. In AWS S3, for example, objects are deleted via API calls, and lifecycle rules are in place to permanently remove deleted objects after any versioning or retention period. Where supported, cryptographic erasure is used (for instance, if data is encrypted at rest, deletion might be accomplished by destroying the encryption key, rendering the ciphertext irrecoverable). HGA ensures that deletion from cloud services is executed in all regions where the data resides. Additionally, if any personal data is stored on local devices or removable media for operational reasons, those are securely wiped (using tools that follow DoD 5220.22-M or NIST 800-88 guidelines for data sanitization) or physically destroyed. For paper records, HGA uses cross-cut shredding or incineration for any documents containing personal or sensitive information[2].
- Anonymization and Pseudonymization: In cases where HGA has a legitimate need to retain certain information for longer (e.g. analytical data, historical performance metrics) but does not need personally identifiable information, we will anonymize the data at the end of the retention period instead of outright deletion. Anonymization involves altering or removing personal identifiers so that the data can no longer be linked to an individual. This might include hashing or scrambling names, removing contact info, and aggregating or generalizing specific details. For example, instead of keeping a consultant’s full profile after they leave, we might retain that “Consultant X had 10 years experience in Sector Y” without any name or contact info attached, purely for statistical reporting. It is HGA’s policy that true anonymization is irreversible; once data is anonymized, the identifying elements are deleted and it is not possible to re-identify the individual from the anonymized dataset. If full anonymization is not feasible but the data is still needed, pseudonymization (replacing identifying fields with codes kept separately) may be used as an interim step, but ultimately the goal is either deletion or anonymization. We follow guidance such as GDPR Recital 26 to ensure that anonymized data contains no identifiers that can reasonably be used to single out a person. Example: After a support ticket is closed for 2 years, instead of keeping the user’s email and name with the ticket text, we might replace the name with “User1234” and strip out any personal details in the text, retaining just the nature of the issue and resolution for support quality analysis.
- Archiving (Cold Storage): Certain data nearing the end of its retention period may be moved to a secure archive (with restricted access) before final deletion. Archiving is typically used for data that must be kept for legal reasons or because it still holds business value but is not actively used. Archived data is encrypted and stored offline or in low-cost cloud storage, with access limited to the System Manager or authorized personnel. During archiving, HGA reviews if any personal data can be pruned out. For instance, contract files could be archived with personal contact info redacted if not necessary. The archives themselves have defined retention – e.g. backups are a form of archive with their own schedule (see Section 6). Archiving is not used to prolong retention indefinitely; it is simply a way to securely keep data for the remainder of its required period in a less accessible form. Once an archived record hits its deletion date, the System Manager will delete it from the archive as well.
- Third-Party Deletion Requests: For data stored in third-party services (Stripe, S3, etc.), deletion may involve using the third-party’s API or interface to remove the data. HGA’s System Manager will ensure that when we delete a user or record in our system, any redundant copy in external systems is also deleted (unless that third party is independently obligated to retain it). For example, if a consultant’s profile is deleted from our database, we will also delete their documents from the S3 bucket and instruct Stripe to delete any customer data (assuming no active transactions need it). Stripe allows deletion of customer profiles; we will utilize such features to erase personal data like saved payment methods when no longer needed. We include contractual clauses in Data Processing Agreements (DPAs) with all processors that they must delete or return personal data upon our instruction or contract termination[18]. Thus, our deletion procedures extend to all locations where the data resides, to truly fulfill a “right to be forgotten” request or end-of-life cleanup[3]. We maintain records of deletion requests sent to third parties and their confirmations, as part of our audit trail (Section 8).
- Verification of Deletion: HGA keeps a deletion log as evidence of data erasure actions. Each deletion or anonymization event (whether automated or manual) is logged with the date, the user or process that initiated it, the data or record affected, and the method (deleted vs anonymized). This log is itself a record with minimal information (it may reference a user ID or record ID but not the full content) and is retained to demonstrate compliance. For privacy reasons, the deletion log will not contain sensitive personal data, just identifiers sufficient to show what was removed. We regularly audit these logs to ensure data is indeed being deleted per schedule, and the logs help in demonstrating to regulators that, for example, “personal data is deleted once it’s no longer necessary”[19].
Overall, HGA’s deletion and anonymization methods are designed to be secure and irreversible. By having clear workflows for deleting data across live systems, backups, and archives[3], we mitigate the risk of data persisting beyond its time. We also reduce breach exposure – as a reminder, data that doesn’t exist cannot be compromised[7][20]. In summary, each type of data will either be purged or stripped of personal elements at the appropriate time, and the process will be executed in a manner that protects the confidentiality of the data during destruction (for example, ensuring no unauthorized party can recover a deleted file from an S3 bucket or a retired hard drive).
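The following is an added example, not HGA's own code: it implements the support-ticket anonymization described in the Anonymization bullet (requester replaced by a generic "User0001"-style label, emails, phone numbers and the requester's name stripped from the text, only the issue category and resolution kept) and writes the minimal deletion-log record described under Verification of Deletion. The ticket field names, the label format and the two sample tickets are constructed assumptions.

```python
"""Anonymize support tickets past retention and log each event (added example,
not HGA's own code). Ticket fields and sample tickets are constructed."""
import re
from datetime import date, datetime, timedelta, timezone

RETENTION_DAYS = 2 * 365          # support tickets: 2 years after closure

# Deliberately broad patterns: over-redaction is the safe failure mode here.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"\+?\d[\d\s.-]{7,}\d")

# Constructed sample tickets (not real data).
SAMPLE_TICKETS = [
    {"ticket_id": 5011, "requester_name": "Jane Doe",
     "requester_email": "jane.doe@example.com", "category": "login",
     "text": "Hi, Jane Doe here (jane.doe@example.com, +1 555 010 2233). "
             "I cannot reset my password.",
     "resolution": "Reset link re-sent", "closed_on": "2022-03-14"},
    {"ticket_id": 5012, "requester_name": "Sam Patel",
     "requester_email": "sam@example.org", "category": "billing",
     "text": "Sam here, invoice 88 shows the wrong VAT rate.",
     "resolution": "Invoice reissued", "closed_on": "2024-01-10"},
]


def is_due(closed_on: str, today: date) -> bool:
    """True once the closure date is older than the retention period."""
    return today - date.fromisoformat(closed_on) >= timedelta(days=RETENTION_DAYS)


def scrub_text(text: str, requester_name: str) -> str:
    """Remove emails, phone numbers and the requester's name from free text."""
    text = EMAIL_RE.sub("[email]", text)
    text = PHONE_RE.sub("[phone]", text)
    for part in requester_name.split():
        text = re.sub(r"\b" + re.escape(part) + r"\b", "[redacted]", text,
                      flags=re.IGNORECASE)
    return text


def anonymize_ticket(ticket: dict, label: str) -> dict:
    """Anonymized copy keeping only what support-quality analysis needs.

    The label ("User0001", ...) comes from the batch position, not from the
    person's data, so nothing links it back once the original is gone.
    """
    return {
        "ticket_id": ticket["ticket_id"],
        "requester": label,
        "category": ticket["category"],
        "resolution": ticket["resolution"],
        "text": scrub_text(ticket["text"], ticket["requester_name"]),
        "closed_on": ticket["closed_on"],
    }


def log_entry(ticket_id: int, method: str, actor: str) -> dict:
    """Deletion-log record: date, initiator, record reference and method only."""
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "actor": actor,
        "record": f"support_ticket:{ticket_id}",   # identifier only, never content
        "method": method,
    }


def process_tickets(tickets: list, today: date, actor: str) -> tuple:
    """Anonymize every due ticket; return (resulting tickets, log entries)."""
    result, log, seq = [], [], 0
    for ticket in tickets:
        if is_due(ticket["closed_on"], today):
            seq += 1
            result.append(anonymize_ticket(ticket, f"User{seq:04d}"))
            log.append(log_entry(ticket["ticket_id"], "anonymized", actor))
        else:
            result.append(ticket)     # still within retention: left untouched
    return result, log


def run_sample(today_iso: str = "2024-06-01") -> tuple:
    """Run the job over the constructed tickets as of the given date."""
    return process_tickets(SAMPLE_TICKETS, date.fromisoformat(today_iso),
                           "retention-job")


if __name__ == "__main__":
    tickets, log = run_sample()
    for item in tickets + log:
        print(item)
```

Because the original requester fields are dropped rather than hashed, the result meets the policy's "irreversible" requirement; a keyed hash would be pseudonymization and would need the key managed and eventually destroyed.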
Data in Third-Party Systems (Stripe, S3, and Other Integrated Services)
HGA’s digital platform relies on several third-party providers (sub-processors) for various functionalities – notably Stripe for payment processing and Amazon Web Services (S3) for cloud storage, as well as APIs for communications (email/SMS) and AI services. This section outlines how data residing in these external systems is governed in terms of retention and deletion:
- Stripe (Payment Processor): Stripe is used to handle credit card payments and payouts. The categories of data held in Stripe could include customer profiles (with name, email, possibly billing address), payment method tokens (card details in tokenized form or bank account info for payouts), and transaction records (invoices, charge details, timestamps, amounts). HGA does not store full credit card numbers or sensitive payment data on our own servers – such information is entered directly into Stripe via secure tokens, in compliance with PCI DSS guidelines (credit card data should only be stored as long as necessary for processing and then destroyed)[21][22]. Within Stripe, HGA configures settings to minimize data retention. Customer Data in Stripe: If HGA creates customer records in Stripe (for example, to facilitate recurring billing or to save a client’s payment method with consent), those records will be deleted when they are no longer needed. Specifically, if a client disengages from HGA and has no pending payments, the Receivables Officer will trigger deletion of their Stripe customer profile and any stored payment methods. If immediate deletion is not performed, Stripe’s records will still be reviewed periodically (at least annually) and any customer with no activity for over 2 years will be removed. Transaction Records: Stripe will inherently keep transaction logs for a period (often required for financial record-keeping). HGA relies on Stripe’s internal retention for transactions (which may align with financial record requirements, e.g. 7 years). We do not have the ability to purge individual transaction history from Stripe if it’s needed for financial statements; however, we ensure that any personal data in those records is limited (usually just name or email of payer). If an individual requests deletion of their personal data, we will consult Stripe’s capabilities – in many cases, Stripe can anonymize or delete personal identifiers on transactions without erasing the fact of the transaction. We have a Data Processing Agreement with Stripe that requires Stripe to delete or return personal data upon termination of service or at our instruction, to the extent feasible. Stripe Payouts: For paying consultants, Stripe (or integrated banking APIs) might store payee information. Similar rules apply: once a consultant’s engagement is over and after required retention (e.g. for 1099 tax reporting in the US or other payroll records) which is generally a few years, we remove or anonymize their payout details from the system.
- Amazon S3 (Cloud Storage): AWS S3 is used to store files such as consultant-uploaded documents (CV PDFs, certifications), AI-generated documents, project deliverables, and backup data. HGA applies lifecycle rules on S3 buckets to enforce retention policies. For each bucket or data prefix corresponding to a certain data category, we configure S3 to automatically transition or expire objects. For example, documents in the “consultant-docs” bucket might have a rule to delete objects 30 days after we mark a consultant profile for deletion. Similarly, an “ai-applications” storage area can be set to purge files after 6 months. These automated rules act as a safety net in case a manual deletion is missed. In addition, the System Manager performs regular audits of S3 contents to ensure no data lingers past its due date.
- Backups in S3: (Backups are detailed in Section 6, but briefly) backup files stored in S3 have their own retention (e.g. daily backups for X days, etc.), managed by lifecycle rules that permanently delete expired backup files. All S3 data is encrypted at rest, and versioning is enabled on critical buckets; when we delete an object containing personal data, we also ensure previous versions are removed or are set to expire.
- Access Control to S3: Only the System Manager (and authorized IT staff) can access the raw S3 buckets where personal data is stored, ensuring that deletion or retention changes are done in a controlled manner.
- Data Subject Requests on S3 data: If we receive a deletion request, the System Manager will promptly remove the individual’s files from S3 (and not just rely on lifecycle expiration), to fulfill the request without undue delay. Amazon’s infrastructure ensures that when we delete an object, it is no longer accessible; any remnants in Amazon’s backups are governed by AWS’s compliance (AWS states that deleted data is typically overwritten in their next maintenance cycle). HGA’s agreement with AWS includes standard clauses that we are the controller of the data and AWS acts on our instructions, which includes deleting data when asked[18].
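The lifecycle rules and the versioning point above, as an added example (not HGA’s own configuration): on a versioned bucket an Expiration rule only places a delete marker on the current version, and the object bytes survive as a noncurrent version until a NoncurrentVersionExpiration rule removes them. The bucket prefixes, the 180-day figure for “6 months” and the helper names are assumptions.

```python
"""
Added example, not HGA's configuration: S3 lifecycle rules for retention
enforcement, with a check for the versioning pitfall.
Rule structure follows the LifecycleConfiguration shape accepted by
boto3's put_bucket_lifecycle_configuration. Prefixes, day counts and
rule IDs are constructed for illustration.
"""

# Weak configuration (constructed): expires current versions only. On a
# versioned bucket this leaves the data in place as a noncurrent version.
WEAK_CONFIG = {
    "Rules": [
        {
            "ID": "consultant-docs-expire",
            "Filter": {"Prefix": "consultant-docs/"},
            "Status": "Enabled",
            "Expiration": {"Days": 30},
        }
    ]
}

# Hardened configuration (constructed): expires current versions, then the
# noncurrent copies, and aborts stalled multipart uploads whose parts would
# otherwise linger. A delete marker with no versions behind it remains but
# holds no object data.
HARDENED_CONFIG = {
    "Rules": [
        {
            "ID": "consultant-docs-expire",
            "Filter": {"Prefix": "consultant-docs/"},
            "Status": "Enabled",
            "Expiration": {"Days": 30},
            "NoncurrentVersionExpiration": {"NoncurrentDays": 1},
            "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": 7},
        },
        {
            "ID": "ai-applications-expire",
            "Filter": {"Prefix": "ai-applications/"},
            "Status": "Enabled",
            "Expiration": {"Days": 180},   # assumed value for "6 months"
            "NoncurrentVersionExpiration": {"NoncurrentDays": 1},
        },
    ]
}


def lifecycle_gaps(config, versioning_enabled=True):
    """Return IDs of enabled rules that expire current objects but, on a
    versioned bucket, leave the noncurrent versions (the actual bytes) behind.
    The same gap applies to manual DeleteObject calls without a version id:
    they too only create a delete marker."""
    gaps = []
    for rule in config.get("Rules", []):
        if rule.get("Status") != "Enabled":
            continue
        if ("Expiration" in rule and versioning_enabled
                and "NoncurrentVersionExpiration" not in rule):
            gaps.append(rule["ID"])
    return gaps


def effective_deletion_days(rule):
    """Approximate worst-case days from upload until no version of an object
    remains: current-version expiry plus noncurrent-version expiry. Returns
    None when the rule never removes the bytes (lifecycle actions run once a
    day, so the real figure can be up to a day longer)."""
    days = rule.get("Expiration", {}).get("Days")
    if days is None:
        return None
    noncurrent = rule.get("NoncurrentVersionExpiration", {}).get("NoncurrentDays")
    if noncurrent is None:
        return None
    return days + noncurrent


if __name__ == "__main__":
    print("weak config gaps:", lifecycle_gaps(WEAK_CONFIG))        # ['consultant-docs-expire']
    print("hardened config gaps:", lifecycle_gaps(HARDENED_CONFIG))  # []
    for rule in HARDENED_CONFIG["Rules"]:
        print(rule["ID"], "bytes gone after ~", effective_deletion_days(rule), "days")
    # To apply (requires boto3 and credentials; not run here):
    # boto3.client("s3").put_bucket_lifecycle_configuration(
    #     Bucket="example-bucket", LifecycleConfiguration=HARDENED_CONFIG)
```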
- Other Integrated Services: HGA also integrates with other APIs and third-party platforms (for example, an email delivery service for system notifications, an SMS service, or the OpenAI API for AI applications). In all cases, we aim to minimize the personal data sent to these services and ensure they do not store HGA data longer than necessary.
- Email/SMS Services: If we use an email service (like SendGrid, Amazon SES) or SMS gateway, they might log messages for a brief period (for deliverability and troubleshooting). We have configured such services to redact or minimize personal content in logs where possible, and we rely on their default retention (often 30 days for logs). We ensure no long-term retention of message content occurs on those platforms.
- Analytics or Monitoring Tools: Any analytics service integrated into the portal will also follow our retention guidelines. For instance, if we track usage, we will either self-host the analytics or configure data retention settings (e.g. Google Analytics data retention setting) to not retain personal identifiers beyond our policy timeline.
- AI Service (OpenAI): The platform’s AI that generates applications might use an external API (OpenAI). We ensure not to send more personal data than needed in prompts, and we review OpenAI’s data usage policy – as of this policy’s effective date, OpenAI does not use API data for training by default and retains it temporarily. We do not store the prompts or responses containing personal data beyond what’s needed for the AI-generated application record (which itself has a 6-month retention as noted). After an AI application’s retention is over, any cached AI outputs are deleted from our system; any data residing transiently with the AI provider is expected to be purged per their standard retention (typically 30 days for API data).
For all third parties, contracts and DPAs are in place to bind them to HGA’s data retention and deletion requirements[18]. These agreements stipulate that the provider must assist HGA in deleting data or returning it upon request, and must not retain personal data beyond the purpose of processing. HGA maintains an inventory of all third-party systems with personal data and tracks the data types, ensuring each is covered by this policy’s scope. If a third-party service cannot meet a required retention or deletion functionality, HGA will assess alternatives or compensating controls (for example, not storing personal data on that service, or encrypting it in a way that we can “delete” by key destruction).
In summary, data in Stripe, S3, and other external systems is treated with the same rigor as data in HGA’s direct control. We do not consider data “out of sight, out of mind” – if it’s HGA data, we manage its lifecycle. Deletions or changes in our primary database are mirrored by actions on integrated platforms, and we include those platforms in our periodic retention reviews. This holistic approach ensures that personal data is not inadvertently retained in a third-party silo after we’ve deleted it from HGA’s main systems, maintaining compliance across our entire data ecosystem[3].
Backups and Disaster Recovery
HGA implements regular data backups to ensure business continuity and disaster recovery (DR). However, we recognize that backups contain copies of data (including personal data) and thus must be managed to avoid violating retention rules. This section details our backup retention windows and deletion procedures, designed to balance data availability with compliance:
- Backup Scope and Frequency: Our system creates full and incremental backups of critical data stores (databases, file storage, system configurations). Database backups (dump files or snapshots) are taken daily, and file storage (documents uploaded, etc.) is versioned or backed up in sync. These backups are encrypted and stored in a secure off-site location (primarily in Amazon S3 or secure archive storage). Backup files are only accessible to the System Manager and are protected with strong access controls.
- Backup Retention Schedule: Backups are retained for a limited period sufficient to recover from incidents without keeping data indefinitely. The standard schedule is:
- Daily backups – retained for 14 days (2 weeks) on a rolling basis.
- Weekly backups – a weekly full backup is retained for 3 months (90 days).
- Monthly backups – a monthly snapshot is retained for 12 months (1 year).
- Backups older than 1 year are automatically deleted. We do not keep any backups beyond one year unless an extraordinary situation demands it (e.g. an archival backup taken before a major system overhaul, which would be separately justified and documented). Under this schedule, data deleted from live systems may still reside in backups for at most one year after the deletion. However, as described below, those backups are isolated and not used unless needed, and any restoration triggers deletion of expired data.
- Deletion and “Beyond Use” Handling of Backups: When personal data is deleted from our live systems (due to a data subject request or retention period lapse), that deletion is not immediately applied to historical backups (to avoid compromising backup integrity)[23][24]. Per regulatory guidance, we handle this by putting backup data “beyond use.” This means:
- We do not actively process or access personal data in backups except for disaster recovery scenarios.
- We maintain a secure log of deletions that occurred in live systems. If a backup from before that deletion is ever restored, we will consult this deletion log and promptly remove the data that had been previously deleted from live systems[25][26]. The deletion log records, for example, that “User X’s profile was deleted on Date Y” so that if we restore a backup made on Date W (before Y), we will re-delete User X’s data immediately after restoration.
- Backups themselves are encrypted and not generally readable without restoration; in effect, the data is inaccessible during the retention period, satisfying the idea of being beyond use in the interim[27].
- We inform individuals (via our privacy notice) that while their data is deleted from active systems, it will persist in backups until those backups expire, but will not be restored or used in the meantime except as required for disaster recovery[27]. This transparency is in line with ICO guidance to be clear about backup data handling on erasure requests[28].
- If a data subject explicitly requests complete erasure, and it is technically feasible to remove their data from backups without impairing the backup (rarely feasible for encrypted, whole-database backups), we will evaluate doing so. Generally, our approach is the one endorsed by regulators: allow backups to age out, and ensure deletion if they are restored, rather than trying to edit historical backup files, which would be impractical[24].
- Secure Storage and Deletion of Backups: All backup files are stored in encrypted form (using strong encryption such as AES-256). The encryption keys are managed by HGA; only authorized personnel can decrypt a backup if needed. When backup files reach their expiration date, the System Manager confirms that the automated deletion (via S3 lifecycle rules or backup software retention settings) has occurred. If not, they will manually delete the expired backup and document the deletion. Deletion of backups from S3 or other storage is done in a way that the data is not retrievable (e.g. in S3, once an object and its previous versions have been deleted or expired, AWS will eventually physically expunge it according to its processes, and our encryption means that even if fragments remained, they would be unreadable without keys we have deleted). For backups stored on any physical media, the media will be securely wiped or destroyed once they are no longer needed. We maintain a log of backup creation and deletion events as part of our records (which aids in demonstrating that we follow the retention schedule).
- Disaster Recovery and Restoration Procedures: In the event of data loss or a need to restore from a backup, the following steps ensure compliance:
- The System Manager will select the most recent backup that resolves the issue, to minimize divergence from the live data.
- After restoration, they will apply any pending deletions recorded in the deletion log. For example, if user data that was deleted last week reappears because we restored a 2-week-old backup, we will immediately delete that user data again.
- They will document that a restore occurred and that post-restore deletion reconciliation was performed, maintaining an audit trail.
- The Business Developer or relevant data owners will be notified if any data subject might notice the reappearance of deleted data (so we can inform them appropriately, though our goal is to remove it before it would be observable).
- Once the crisis is resolved, normal operations and retention schedules continue. The temporary restored data does not extend its retention “clock” – we treat the original creation dates as still applicable.
- Disaster Recovery Tests: Periodically, HGA tests its backups by performing test restorations in a secure sandbox. These tests include verifying that our deletion logs and procedures work – i.e., we simulate that certain data was deleted, restore an older backup, and ensure we can effectively purge that data post-restore. This not only validates our DR capability but also our compliance approach to backups under GDPR/CCPA.
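The post-restore reconciliation described in the restoration steps above (re-apply logged deletions, keep the original retention clock, respect legal holds from Section 7), as an added example that is not HGA’s code. The record and deletion-log shapes, the 730-day retention figure and the function names are assumptions; the deletion log is taken from outside the restored backup, since a log restored from the same backup would itself be rolled back.

```python
"""
Added example, not HGA's code: reconcile restored data against the live
deletion log after a disaster-recovery restore.

Assumed data shapes (the policy does not specify them):
  - restored records carry a subject_id and their original created_at
  - the deletion log records subject_id and when the live deletion happened
  - legal holds are a set of subject ids exempt from routine deletion
All timestamps are timezone-aware UTC.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 730  # assumed retention for this record type (2 years)


@dataclass(frozen=True)
class Record:
    subject_id: str
    created_at: datetime      # original creation date; a restore does not reset it


@dataclass(frozen=True)
class DeletionEntry:
    subject_id: str
    deleted_at: datetime      # when the deletion was applied to the live system


def reconcile_after_restore(restored, deletion_log, backup_taken_at, now,
                            retention_days=RETENTION_DAYS, legal_holds=frozenset()):
    """Return (to_purge, held): dicts of subject_id -> reason.

    A restored record must be purged again when either
      1. its subject was deleted from live systems after the backup was taken
         (the restore has resurrected data that was already erased), or
      2. its original creation date is already past the retention cutoff.
    Subjects under an active legal hold are reported in `held` instead of
    `to_purge` so that nothing is destroyed while the hold applies.
    """
    # Only deletions that post-date the snapshot can be undone by restoring it;
    # anything deleted earlier was never in this backup.
    resurrected = {e.subject_id for e in deletion_log if e.deleted_at > backup_taken_at}
    cutoff = now - timedelta(days=retention_days)

    to_purge, held = {}, {}
    for rec in restored:
        if rec.subject_id in resurrected:
            reason = "re-apply logged deletion"
        elif rec.created_at < cutoff:
            reason = "past retention (original creation date applies)"
        else:
            continue
        if rec.subject_id in legal_holds:
            held[rec.subject_id] = reason
        else:
            to_purge[rec.subject_id] = reason
    return to_purge, held


def drill():
    """Constructed disaster-recovery drill: a two-week-old backup is restored
    one week after a user was deleted from the live system."""
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)
    backup_taken_at = now - timedelta(days=14)
    deletion_log = [
        DeletionEntry("u-1", now - timedelta(days=7)),    # deleted after the snapshot
        DeletionEntry("u-2", now - timedelta(days=30)),   # deleted before it; not in backup
    ]
    restored = [
        Record("u-1", now - timedelta(days=100)),   # resurrected by the restore
        Record("u-3", now - timedelta(days=800)),   # already past 730-day retention
        Record("u-4", now - timedelta(days=10)),    # current, keep
        Record("u-5", now - timedelta(days=900)),   # past retention but on legal hold
    ]
    return reconcile_after_restore(restored, deletion_log, backup_taken_at, now,
                                   legal_holds={"u-5"})


if __name__ == "__main__":
    purge, held = drill()
    for sid, why in purge.items():
        print(f"purge {sid}: {why}")
    for sid, why in held.items():
        print(f"hold  {sid}: {why} (legal hold, do not purge)")
```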
In essence, HGA’s backup strategy is designed to never keep personal data longer than necessary, even in backups, while still safeguarding data for legitimate disaster scenarios. We justify the backup retention on the basis of business continuity (a legitimate interest and often a legal expectation for data controllers to have backups[29]). We document those justifications and ensure backups are covered under the same data protection measures (access control, encryption, eventual deletion) as production data. By limiting backup retention to one year and typically much less for frequent backups, we reduce the window in which deleted data might still exist somewhere in our system. This systematic expiration of backups ensures that, in practice, no personal data will remain in any form (live or backup) beyond the longest stated retention period plus the backup overlap (max one additional year).
Legal and Compliance Requirements (GDPR, CCPA, and Global Best Practices)
This policy is built to ensure HGA’s compliance with all relevant data protection laws and regulations, notably the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), as well as applicable laws in other jurisdictions where HGA operates. We also incorporate industry best practices and standards for data lifecycle management. Key legal compliance elements addressed include:
- Storage Limitation (GDPR Article 5): We adhere to the GDPR principle that personal data shall be kept “no longer than is necessary” for the purposes for which it was collected[30][31]. As detailed in Section 3, each category of personal data has an established retention period tied to its original purpose. Once that period expires (or the purpose is achieved and no other lawful basis justifies retention), the data is deleted or anonymized[19][15]. We document our justifications for each retention period, fulfilling GDPR’s accountability requirement to be able to demonstrate why each type of data is kept for the time it is[19][32]. We also implement processes for periodic review of data – for example, scheduled tasks or calendar reminders for data owners to review their holdings – so that data which is no longer needed can be flagged and removed even before the maximum retention if appropriate[33].
- Data Subject Rights (GDPR Articles 15-20; CCPA Rights): HGA respects individuals’ rights regarding their personal data. In particular, the right to erasure (“right to be forgotten”) under GDPR and the right to deletion under CCPA/CPRA are central to this policy. We have a defined procedure to handle such requests:
- Individuals (consultants, customers, or employees) may request deletion of their personal data by contacting HGA through the designated channels (as outlined in our Privacy Notice).
- Upon receiving a verified request, the Business Developer (for consultant data) or other appropriate data owner, together with the System Manager, will locate all personal data concerning the individual in our systems (including active databases and third-party systems).
- We will erase the data without undue delay, typically within 30 days for GDPR requests, and within the statutory 45 days for CCPA requests (with a possible 45-day extension when necessary, as allowed by CCPA, but we aim to be faster).
- We also contact our processors (Stripe, etc.) or utilize their tools to ensure the individual’s data is deleted from their systems as well[18].
- If certain data cannot be deleted due to a legal obligation or exception (for example, CCPA includes exceptions where a business may retain data needed to complete a transaction, detect fraud, or comply with a legal obligation), we will inform the individual of that and will isolate that data from active use. For instance, if a consultant who was paid by HGA requests deletion, we must retain payment records for accounting, but we can remove their profile and other data. In such cases, we mark the data as blocked for other uses and ensure it is only kept for the required period and then deleted.
- We maintain records of requests and our responses to demonstrate compliance with these rights[34]. According to GDPR, deletions following an individual’s request should also be communicated to any third parties who received the data (unless this is impossible or involves disproportionate effort). HGA will notify relevant third parties of the need to delete that data (for example, if a consultant’s CV had been shared with a client in a proposal, and now the consultant invokes erasure, we will inform the client to delete their copy, unless an overriding legal reason prevents it).
- In summary, HGA fully enables data subjects to exercise their rights, and our retention practices align such that fulfilling a deletion request is straightforward (our systems are designed to delete upon command, not to lock in data).
- Disclosure of Retention Schedules (CPRA requirement): Under the CPRA, businesses must inform consumers about the length of time they intend to retain each category of personal information or the criteria used to determine such period[35][8]. HGA complies by publishing our retention schedules (in summarized form) in our external Privacy Policy. We list the categories of personal data we collect (e.g. contact info, professional info, financial info, etc. corresponding to CCPA categories) and for each, we state the retention period or criteria. For example, “Identification and contact data – retained for the duration of the consultancy plus 2 years.” This transparency fulfills CPRA and also mirrors GDPR’s expectation (Recital 39) that time limits for erasure be communicated or at least available[36].
- Legal Hold and Preservation: If HGA is involved in litigation, investigation, or receives a legal order (such as a preservation order or subpoena) requiring certain data to be retained beyond normal schedules, we will suspend deletion for the relevant records (this is often referred to as a “legal hold”). The System Manager and legal counsel will work together to identify data subject to the hold (e.g. emails of certain employees, files related to a project under dispute) and ensure those are exempted from routine deletion. We tag or segregate such data so it is not accidentally purged. Once the hold is released (case concluded, etc.), we will promptly resume normal retention policy for the data, including deleting anything that is now past its retention period. We also ensure that new backups containing that data are not deleted while the hold is active even if they exceed the typical retention, to avoid spoliation. Legal holds are documented, including scope and duration, as part of our audit readiness (see Section 8).
- Breach Notification and Data Security Regulations: While not directly a retention matter, HGA’s compliance efforts include adhering to breach notification laws. Under GDPR, if a personal data breach occurs that is likely to result in a risk to individuals’ rights, we will notify the relevant Data Protection Authority within 72 hours and affected individuals without undue delay. Under various U.S. state laws, including CCPA (as amended by CPRA), we will notify affected California residents in the event of a qualifying security breach of their personal information. Our retention of audit logs and system logs (for one year minimum)[5] supports breach detection and forensic analysis. We keep security logs (login attempts, data access logs, etc.) typically for at least 12 months, and in some cases longer if needed for investigations, to ensure we can identify what was accessed in a breach. These logs, while not containing extensive personal data, are considered in our data categories (system logs) and are protected. Importantly, by having strict retention limits on personal data, we reduce the amount of data that could be exposed in a breach[20]. This risk mitigation is recognized by GDPR (Recital 39 mentions data minimization and limited retention as security measures) and by CPRA, which encourages data minimization to limit breach harm[37][38]. In the event of a breach, any data that was scheduled for deletion but still present (perhaps just within backups) will be assessed, and if not needed, we may expedite its deletion to prevent further risk.
- Documentation and Accountability: HGA maintains detailed records of its processing activities and data retention decisions. This policy document itself serves as a primary reference. In addition, we maintain a Data Retention Schedule register (often in a spreadsheet or database form) that lists each data asset, classification, retention period, and disposal method, with references to legal basis or business rationale[39]. We keep records of when data was disposed of – e.g., logs of data deletion as mentioned, and any forms or tickets used to approve data deletion. During compliance audits or assessments (internal, external, or regulatory), we can produce:
- This policy and any updates (with version history).
- The retention schedule and justification logs[34].
- Examples of deletion records or anonymization reports.
- Training records showing that employees with responsibilities (Section 2 roles) have been trained on the policy.
- Third-party DPA agreements showing our partners are contractually bound to comply (including cooperating with deletions)[18].
- Privacy notices and consent forms provided to individuals that include information about data retention.
All these documentation efforts align with GDPR’s accountability principle and CCPA/CPRA’s record-keeping expectations. They ensure that if a regulator asks “Can you prove you delete personal data after X years?” we can confidently answer yes and show evidence[40].
In summary, HGA’s Data Retention and Deletion Policy is crafted to meet or exceed the requirements of GDPR, CCPA/CPRA, and other privacy laws. By justifying retention periods[19], disclosing them, enabling deletion on request, and integrating these rules across all systems (including third parties), we uphold individuals’ rights and data privacy. Compliance is not seen as a checkbox but as an ongoing practice: we will review legal changes (e.g. new state laws, or changes in EU guidance) regularly and adjust this policy to remain current. For instance, if a new law in a jurisdiction where we operate imposes a shorter retention for certain data, that will be updated in Section 3 and communicated. Ultimately, this policy operationalizes the principle that HGA only keeps data for as long as it has value and legal justification, and no longer[30][17].
Audit Trails, Monitoring, and Review Mechanisms
HGA has established several controls to monitor compliance with this Data Retention and Deletion Policy and to maintain readiness for audits (whether internal, external, or by regulators). These mechanisms ensure that we not only set rules but also actively follow and verify them:
- Audit Trails of Data Deletion and Access: As part of system design, we log critical operations related to data lifecycle:
- Whenever a record containing personal data is deleted (or anonymized), the system generates a log entry. This entry typically includes which record (or at least which dataset) was affected, date/time, and which user or process performed the deletion. For example, if an admin deletes a consultant’s profile, the system might log “Profile ID 123 deleted by AdminID at timestamp.” These logs are stored in an audit log database that is tamper-evident (only appendable by the system; not editable by users).
- We also log data exports or mass accesses, since a bulk export could amount to retaining data outside the system. By tracking accesses, we can ensure that if someone extracted data before deletion, we know about it and can ensure that the extracted copies are managed or destroyed. Our system monitors unusual access patterns that might indicate someone is circumventing retention (e.g., saving large data sets locally).
- The audit logs themselves are considered confidential records and are accessible only to the System Manager and compliance officers. They do not contain raw personal data, just references, so they can be kept longer for accountability (we retain audit logs for at least 2 years, and certain security audit logs for up to 5 years).
- These logs fulfill requirements such as GDPR’s expectation to demonstrate compliance and are useful in responding to any inquiries or audits[34]. If, for instance, a regulator asks for proof that we deleted a user’s data, we can show the log entry and the date.
- Periodic Policy Reviews and Data Audits: HGA will review this policy at least annually and also whenever there is a significant change in our data practices or legal requirements. The review is led by [the Data Protection Officer (if appointed) or the Compliance Manager, in collaboration with System Manager]. They will:
- Check each data category’s retention period against current laws and business needs. If a new law dictates a change (e.g., a country introduces a 5-year limit on CV retention), we update the policy and communicate it.
- Evaluate if any data categories have emerged or changed (e.g., if we start collecting a new type of personal data, we add it to the schedule).
- Assess the effectiveness of deletion procedures – reviewing a sample of deletions to ensure they happened on time and fully.
- Analyze metrics such as the number of deletion requests fulfilled within the SLA, any incidents of data kept beyond retention, etc.
Findings of each review are documented, and any action items (such as “implement a new tool for automated anonymization” or “shorten retention for X data”) are tracked to completion.
- Ongoing Monitoring and Alerts: The System Manager configures automated alerts for certain conditions, such as:
- Data exceeding retention: e.g., a scheduled job that flags any records in the database with a timestamp older than the retention cutoff that haven’t been deleted. Or an S3 report that lists objects older than X days in certain buckets. These alerts prompt immediate remedial action.
- Backup retention: notifications if any backup files are nearing or surpassing their retention limit, to double-check deletion.
- Deletion process failures: if an automated deletion job fails (maybe due to a system error), it triggers an alert so it can be re-run promptly.
These technical controls help catch any issues proactively.
- Internal Audits and Compliance Checks: HGA may conduct internal audits (or engage third-party auditors) to verify adherence to this policy. Such audits include:
- Checking whether data that should have been deleted is indeed gone from both primary and secondary systems.
- Verifying that access rights correspond to the roles (no one outside the authorized roles can access or delete data in violation of policy).
- Interviewing responsible personnel (Business Developer, Receivables, Payables, System Manager) to ensure they understand and are following procedures (for example, asking Receivables to show how they purge old Stripe customers).
- Reviewing documentation like data maps, DPIAs (Data Protection Impact Assessments), and training records.
Results of internal audits are reported to senior management, and any deficiencies are corrected with urgency. A common metric is the percentage of records past retention – we strive for 0%, meaning no data is kept beyond its allowed period. Any non-zero findings would be addressed.
- Audit Readiness: In preparation for potential external audits or inquiries (by clients or regulators), HGA keeps a well-organized repository of compliance documentation, such as:
- The current and prior versions of this policy (version history).
- The data retention schedule and any changes made to it with justification (e.g., memos explaining why we chose 2 years for support tickets referencing industry practice).
- Records of training sessions for staff on data retention and privacy.
- Past audit logs and summaries showing deletion events. We might produce a report of deletions every quarter summarizing how many records of each type were disposed of, to show active enforcement.
- Logs of data subject requests (how many access or deletion requests received, completed in time, etc.).
- Copies of relevant laws or guidance we rely on (to show we aligned with them).
By maintaining this readiness, HGA can efficiently respond to due diligence questionnaires from clients (who often ask about data retention policies for GDPR/CCPA compliance) or to regulatory audits without scrambling for information.
- Enforcement and Accountability: All HGA staff and contractors with access to company data are expected to comply with this policy. Any violation (such as keeping unauthorized copies of data or failing to delete data when required) may result in disciplinary action, up to termination of employment or contract. This is communicated in training and in our employee handbook. We also incorporate compliance with retention requirements into our vendor management: for example, if we share data with a contractor or partner, our contract will oblige them to adhere to our retention limits and delete data we provided once it’s no longer needed. Regular audits extend to checking major vendors for their data handling as well.
- Continuous Improvement: HGA recognizes that data governance is an evolving field. We monitor updates from data protection authorities (e.g. EDPB guidelines, FTC guidance, etc.) and learn from industry incidents. If another company is fined for over-retention or if new best practices emerge (like new tools for automated anonymization), we evaluate incorporating those. We consider running fire drills such as simulating a regulator inquiry (“Show us compliance for category X data”) to ensure our team can promptly retrieve evidence. Our monthly/quarterly compliance meetings include a standing agenda item on data retention to discuss any issues or improvements.
By implementing these audit and review mechanisms, HGA ensures that the Data Retention and Deletion Policy is not a one-time document but a living practice. We remain vigilant that data is handled correctly throughout its life and that we can confidently demonstrate our compliance posture at any time[40][41]. This rigor ultimately protects our users’ privacy, maintains trust, and reduces risk for the organization[42][43].
Document Control: This document is maintained by the HGA Compliance Manager. It will be reviewed and approved by executive management at least annually or whenever significant changes are made. The latest version will be published internally (and relevant excerpts in external privacy notices as needed). Any questions about this policy or specific data handling should be directed to info@humanicsgroup.com.
All HGA personnel must adhere to this policy. By following these guidelines for data retention and deletion, HGA ensures regulatory compliance, protects individual privacy rights, and responsibly manages the data entrusted to us throughout its lifecycle.