Version 1.0, Effective February 15, 2026

    Data Retention & Deletion Policy

    This policy establishes mandatory retention periods, secure deletion procedures, and periodic review cycles for all categories of data processed by the Organization, in compliance with applicable data privacy laws.

    Section 1

    Purpose & Scope

    This Data Retention and Deletion Policy ("Policy") establishes the mandatory framework governing how long data is retained, when and how it is securely deleted, and the review mechanisms that ensure ongoing compliance. This policy applies to all data, electronic, physical, or verbal, processed, stored, or transmitted by Brent Norris ("the Organization") on behalf of clients, prospects, and internal operations.

    The objectives of this policy are to:

    • Define enforceable retention periods for every category of data the Organization processes
    • Establish secure, auditable deletion procedures that prevent unauthorized data recovery
    • Ensure compliance with HIPAA, CCPA, IRS requirements, and general data protection best practices
    • Minimize data exposure by retaining only what is legally or operationally necessary
    • Provide a structured review cycle to adapt to evolving regulatory requirements

    Non-compliance with this policy may result in regulatory penalties, breach of contractual obligations, or disciplinary action. All personnel, contractors, and third-party processors are bound by this policy.

    Section 2

    Definitions

    TermDefinition
    Retention PeriodThe defined duration for which a specific category of data must be stored before deletion is permitted or required
    Secure DeletionIrreversible removal of data using cryptographic erasure, secure overwrite, or physical destruction such that recovery is computationally infeasible
    Legal HoldA directive suspending normal deletion schedules for data relevant to pending or anticipated litigation, regulatory investigation, or audit
    Data SubjectAny identified or identifiable individual whose personal data is processed by the Organization
    Cryptographic ErasureDeletion of encryption keys rendering encrypted data permanently unreadable without decrypting and overwriting the underlying data
    Disposal CertificateDocumented evidence confirming that data has been securely deleted, including method, date, authorizer, and scope
    Section 4

    Data Classification for Retention

    Data is classified into the following categories, each with distinct retention and deletion requirements. Classification determines retention period, deletion method, and review priority.

    ClassificationDescriptionDeletion Method
    RestrictedPHI, encryption keys, credentials, BAAsCryptographic erasure + disposal certificate
    ConfidentialClient PII, financial records, contracts, invoicesCryptographic erasure or secure overwrite
    InternalAudit logs, email logs, analytics, internal notesStandard deletion with verification
    PublicPublished website content, marketing materialsStandard removal from publication
    Section 5

    Retention Schedule

    The following retention schedule is binding. Data must be deleted within 30 days of the retention period expiration unless a legal hold or documented exception applies (see Section 8).

    5.1 Client & Business Data

    Data CategoryRetention PeriodLegal BasisReview Trigger
    Client account recordsEngagement duration + 3 yearsContractual, statute of limitationsClient offboarding
    Invoices & financial records7 years from transaction dateIRS 26 CFR §1.6001-1Annual tax review
    Contracts & proposalsEngagement duration + 6 yearsStatute of limitationsContract expiration
    Lead/prospect data1 year from last contact (if no engagement)Legitimate interestQuarterly lead review
    Feature requestsDuration of client engagement + 1 yearContractualClient offboarding

    5.2 Security & Operational Data

    Data CategoryRetention PeriodLegal BasisReview Trigger
    Security audit logs2 yearsSecurity, SOC 2Semi-annual review
    Email delivery logs1 yearOperational, deliverabilityQuarterly purge cycle
    Site health check data1 year (rolling)Service deliveryMonthly automated purge
    Session/analytics data90 days (anonymized thereafter)Legitimate interestAutomated expiry
    Encrypted credentialsUntil rotation or revocationSecurity90-day rotation schedule
    Email suppressionsIndefinite (compliance requirement)CAN-SPAM, deliverabilityAnnual review

    5.3 HIPAA-Regulated Data

    Data CategoryRetention PeriodLegal BasisReview Trigger
    Business Associate Agreements6 years from last effective dateHIPAA §164.530(j)BAA expiration
    HIPAA policies & procedures6 years from creation or last effective dateHIPAA §164.530(j)Annual policy review
    PHI access logs6 yearsHIPAA §164.312(b)Semi-annual review
    Security incident records6 years from resolution dateHIPAA §164.530(j)Post-incident review
    Training records6 years from training dateHIPAA §164.530(j)Annual training cycle
    Section 6

    Deletion Procedures

    All deletion activities must follow the procedures below, selected based on data classification. No data may be deleted without verifying that the retention period has expired and no legal hold applies.

    6.1 Electronic Data Deletion

    ClassificationMethodVerification
    RestrictedCryptographic erasure (key destruction) per NIST SP 800-88Disposal certificate + audit log entry
    ConfidentialCryptographic erasure or 3-pass secure overwriteAudit log entry + spot verification
    InternalStandard database DELETE with cascade verificationAudit log entry
    PublicContent removal from publication platformsURL verification (404 check)

    6.2 Deletion Workflow

    Every deletion action follows this four-step workflow:

    1. Pre-Deletion Check: Verify retention period has expired, confirm no active legal hold, check for dependent records
    2. Authorization: Restricted/Confidential deletions require AI Information Security Officer approval; Internal/Public may be automated
    3. Execution: Apply the deletion method specified for the data classification, including backup purging
    4. Verification & Logging: Confirm deletion success, generate disposal certificate (Restricted), write audit log entry with timestamp, scope, method, and authorizer

    6.3 Backup Deletion

    • Backup copies must be purged within 30 days of primary data deletion
    • Point-in-time recovery snapshots containing deleted data expire per their defined retention window (7 days for daily, 30 days for weekly)
    • Off-site backups are subject to the same deletion timelines as primary storage
    Section 7

    Individual Deletion Requests

    Data subjects may request deletion of their personal information under CCPA (Cal. Civ. Code §1798.105) and general data protection principles. The Organization processes these requests as follows:

    • Submission: Requests must be submitted to brentfm@gmail.com with subject line "Data Deletion Request"
    • Identity Verification: Requestor identity must be verified before processing. Verification requires matching two of: email on file, phone number, account credentials
    • Scope Assessment: Within 10 business days, the Organization identifies all systems containing the requestor's data
    • Processing Timeline: Deletion completed within 45 calendar days of verified request. Complex requests may extend to 90 days with notice
    • Confirmation: Written confirmation of deletion is provided to the requestor, specifying categories deleted and any exceptions applied

    7.1 Permitted Exceptions to Deletion

    The Organization may deny or partially deny a deletion request when data is required for:

    • Completing a transaction or providing a requested service
    • Detecting security incidents, protecting against fraud, or prosecuting offenders
    • Compliance with a legal obligation (HIPAA, IRS record-keeping)
    • Active litigation, legal hold, or regulatory investigation
    • Internal uses reasonably aligned with consumer expectations

    When an exception applies, the requestor is informed in writing with the specific exception cited, the expected retention period, and the date when deletion will proceed.

    Section 8

    Exceptions & Legal Holds

    Legal holds override normal retention and deletion schedules. When a legal hold is issued, the following procedures apply:

    • Issuance: Legal holds are issued in writing by the AI Information Security Officer or legal counsel, specifying the scope of data, reason, and anticipated duration
    • Implementation: All automated deletion processes affecting in-scope data are suspended within 24 hours of issuance
    • Documentation: A legal hold register records: hold ID, issue date, scope, authorizer, and status
    • Review: Active legal holds are reviewed every 90 days to determine whether conditions still warrant the hold
    • Release: Upon release, normal deletion schedules resume. Data past its retention period is queued for deletion within 30 days of hold release
    Section 9

    Enforcement & Accountability

    This policy is enforced through the following accountability mechanisms:

    AI Information Security Officer

    Owns this policy. Authorizes Restricted/Confidential deletions. Conducts review cycles. Investigates policy violations.

    System Administrators

    Execute deletion procedures. Maintain automated purge schedules. Generate disposal certificates. Report anomalies.

    All Personnel & Contractors

    Must not retain data beyond authorized periods in personal storage, local devices, or shadow IT systems. Violations reported to ISO immediately.

    Policy violations are treated as security incidents and handled per the Organization's Incident Response procedures. Consequences range from mandatory retraining to contract termination and legal action, proportionate to the severity of the violation.

    Section 10

    Technical Controls

    The following technical controls are implemented to enforce this policy:

    • Automated Purge Jobs: Scheduled database functions that identify and delete expired records based on the retention schedule (session data at 90 days, health checks at 1 year)
    • Cascade Deletion: Foreign key relationships configured with appropriate cascade rules to prevent orphaned records
    • Encryption Key Lifecycle: Credential encryption keys stored in isolated vault services with 90-day automated rotation; old keys destroyed upon rotation
    • Row-Level Security: Database RLS policies prevent unauthorized access to data pending deletion, ensuring only admin-role users can execute deletions
    • Immutable Audit Trail: Security audit log records all deletion events with timestamp, actor, method, and scope. Audit logs themselves have no DELETE policy for non-admin users
    • IP Address Hashing: IP addresses are stored as SHA-256 hashes, never in plaintext, minimizing PII exposure in operational logs
    Section 11

    Audit & Verification

    Compliance with this policy is verified through the following audit activities:

    ActivityFrequencyResponsible
    Retention compliance scanQuarterlyISO
    Automated purge verificationMonthlySystem Administrator
    Disposal certificate auditSemi-annuallyISO
    Legal hold register reviewQuarterlyISO / Legal Counsel
    Deletion request log reviewQuarterlyISO
    Third-party processor auditAnnuallyISO

    Audit findings are documented in the Organization's risk register and tracked to resolution. Critical findings require remediation within 30 days.

    Section 12

    Review Schedule

    This policy is subject to the following mandatory review cycle:

    Review TypeFrequencyNext ScheduledScope
    Comprehensive Policy ReviewSemi-annuallyAugust 15, 2026Full policy text, retention periods, deletion procedures
    Regulatory Update ReviewQuarterlyMay 15, 2026New or amended privacy laws affecting retention requirements
    Technical Controls ReviewQuarterlyMay 15, 2026Automated purge jobs, deletion scripts, key rotation
    Incident-Triggered ReviewAs needed-Triggered by data breaches, regulatory inquiries, or audit findings

    All review outcomes are documented with: reviewer name, review date, findings, recommended changes, and implementation timeline. Changes to retention periods require documented justification and ISO approval before taking effect.

    Section 14

    Contact Information

    For questions about this policy, data deletion requests, or to report a retention violation, contact:

    Subject Lines

    "Data Deletion Request" for individual requests | "Retention Policy Inquiry" for general questions | "Retention Violation Report" for incidents

    Response Times

    Deletion requests: 45 calendar days | General inquiries: 30 calendar days | Violation reports: 48 hours

    Document Control: Version 1.0 | Effective: February 15, 2026 | Last Updated: February 15, 2026 | Next Review: August 15, 2026

    This Data Retention & Deletion Policy should be read in conjunction with the Information Security Policy and Privacy Policy.