Data Retention and Deletion Contract (CAIRL-Specific)

Status: Canonical
Last Updated: 2026-02-06
Owner: Engineering


Purpose

This document defines the data retention, deletion, and anonymization rules for CAIRL, including compliance-driven requirements.

It establishes:

  • Explicit retention windows by data category
  • Legal and compliance overrides (HIPAA, billing, audit)
  • The difference between deletion and anonymization
  • Accounting-of-access requirements
  • Enforcement expectations for audits

This document defines system-wide invariants. All features, specs, and flows MUST comply.


Scope

This contract applies to:

  • All Supabase Postgres tables
  • All AWS S3 objects
  • All user-generated and system-generated data
  • All logs, audit trails, and webhook records
  • All compliance-relevant data (HIPAA, billing, SOC 2)

No feature may override this contract without an explicit revision.


Core Retention Principles (Invariants)

  1. Retention rules are explicit and enumerable.
  2. Legal and compliance requirements override user deletion.
  3. Data subject to compliance MUST survive account deletion when required.
  4. Deletion, anonymization, and retention are distinct concepts.
  5. Access to protected data MUST be logged and reviewable.
  6. Orphaned data is a system defect.

Data Classification

All data MUST be classified into one of the following categories.

User-Owned Data

Data created by or directly associated with a user.

Examples:

  • Messages
  • Uploaded files
  • Profile data
  • Preferences

Compliance-Regulated Data

Data subject to statutory or contractual retention requirements.

Examples:

  • HIPAA documents
  • Biometric verification images
  • Audit logs
  • Billing records

System-Owned Data

Data required for platform operation, safety, billing, or enforcement.

Examples:

  • Abuse reports
  • Enforcement actions
  • Allowlists
  • Partner API logs

Derived / Ephemeral Data

Non-source-of-truth data.

Examples:

  • Caches
  • Previews
  • Temporary webhook payloads

CAIRL-Specific Retention Requirements (MANDATORY)

The following retention rules are non-negotiable.


HIPAA-Regulated Data

Includes:

  • HIPAA documents
  • Any PHI uploaded or generated by the user

Retention:

  • Minimum 6 years from date of creation
  • Retention survives account deletion

Rules:

  • Data MUST NOT be fully deleted before 6 years
  • Data MAY be anonymized only if legally permissible
  • Access to this data MUST be logged
  • Accounting of disclosures MUST be possible

User Disclosure:

“Because of retention requirements, this document cannot be fully deleted for 6 years after upload, even if you close your account.”


Biometric Data (Selfies / Verification Images)

Includes:

  • Identity verification selfies
  • Biometric comparison images

Retention:

  • Rolling window of the most recent 12 images
  • Oldest image MUST be deleted when the limit is exceeded

Rules:

  • Users MAY NOT delete individual biometric images
  • Biometric images MUST NOT be reused outside the verification context
  • Access to biometric data MUST be logged

Account Deletion:

  • Full deletion of all biometric images occurs on account deletion
  • Biometric data does not have a 6-year retention requirement
  • Biometric data does not survive account deletion

Financial and Billing Records

Includes:

  • Partner VAE events
  • Billing transactions
  • Invoices
  • Dispute artifacts

Retention:

  • Minimum 2 years for dispute resolution (CAIRL policy decision)
  • Up to 7 years for tax and financial audit purposes

Rules:

  • Not user-deletable
  • Access restricted to authorized roles
  • Retention window MUST be documented per table

Note: The 2-year dispute window is a CAIRL policy choice and not a statutory requirement. If updated in the B2B spec, this document MUST be kept in sync.


Audit Logs (Including HIPAA Access)

Includes:

  • Access to HIPAA-regulated data
  • Admin actions
  • Enforcement actions

Retention:

  • Minimum 6 years

Rules:

  • Logs MUST be immutable
  • Logs MUST be access-controlled
  • Logs MUST support audit review and export

Webhook Events

Includes:

  • Stripe webhooks
  • Other provider callbacks

Retention:

  • 30 days

Rules:

  • Stored for debugging and reconciliation only
  • Automatically purged when the retention window expires
  • Not a system of record

Partner API Logs

Includes:

  • B2B partner API requests/responses

Retention:

  • 30 days

Rules:

  • Used for debugging and dispute investigation
  • MUST NOT store unnecessary sensitive payloads
  • Automatically purged

Retention Summary Table

Data Type                 Retention Window   Deletable by User   Survives Account Deletion
User-owned general data   Until deletion     Yes                 No
HIPAA documents           6 years minimum    No                  Yes
Biometric images          Rolling 12         No (partial)        No
Billing records           2–7 years          No                  Yes
HIPAA access audit logs   6 years            No                  Yes
Webhook events            30 days            No                  N/A
Partner API logs          30 days            No                  N/A

Deletion vs Anonymization

Deletion

  • Data is permanently removed
  • Not recoverable
  • Required when retention window expires

Anonymization

  • Identifiers are irreversibly removed
  • Data may remain for analytics or compliance if permitted
  • MUST be documented per data type

Anonymization is NOT a substitute for deletion unless explicitly allowed.


Account Deletion Semantics

On account deletion:

  1. Authentication access is revoked immediately.
  2. User-owned non-regulated data is deleted.
  3. Compliance-regulated data is retained per this contract.
  4. All biometric data is fully deleted.
  5. Derived data is purged.

Deletion completion timelines MUST be documented.
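The retention summary table, the rolling biometric window, and the account deletion semantics above can be encoded as one server-side decision routine. The following is an added illustration, not CAIRL's own code; the category names, the 365-day year approximation, the `days_ago` helper and the reference timestamp are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

YEAR = timedelta(days=365)  # assumption: a year is approximated as 365 days here

# Minimum windows from the retention summary table: these records MUST NOT be
# fully deleted before the window elapses, even after the account is deleted.
MIN_RETENTION = {
    "hipaa_document": 6 * YEAR,
    "hipaa_access_audit_log": 6 * YEAR,
    "billing_record": 2 * YEAR,  # 2-year dispute minimum; up to 7 years permitted
}
# Maximum windows: ephemeral records are purged once these elapse, and their
# lifecycle is independent of any account (the table's "N/A" column).
MAX_RETENTION = {"webhook_event": timedelta(days=30), "partner_api_log": timedelta(days=30)}
BIOMETRIC_WINDOW = 12  # rolling window of the most recent verification images
SAMPLE_NOW = datetime(2026, 2, 6, tzinfo=timezone.utc)  # constructed reference time


def days_ago(days, now=SAMPLE_NOW):
    """Constructed timestamp `days` days before `now` (helper for the example)."""
    return now - timedelta(days=days)


def retention_action(category, created_at, now=SAMPLE_NOW, account_deleted=False):
    """Return 'retain' or 'delete' (eligible for deletion) for one record."""
    age = now - created_at
    if category in MAX_RETENTION:
        return "delete" if age >= MAX_RETENTION[category] else "retain"
    if not account_deleted:
        return "retain"  # nothing expires while the account is live
    if category in MIN_RETENTION:
        # Compliance retention overrides user deletion until the window has run.
        return "retain" if age < MIN_RETENTION[category] else "delete"
    return "delete"  # user_owned, biometric_image, derived: deleted with the account


def prune_biometric_images(images):
    """images: list of (image_id, created_at). Return ids to delete, oldest first,
    so that only the newest BIOMETRIC_WINDOW images remain."""
    ordered = sorted(images, key=lambda img: img[1])  # oldest first
    excess = max(len(ordered) - BIOMETRIC_WINDOW, 0)
    return [image_id for image_id, _ in ordered[:excess]]


def account_deletion_plan(records, now=SAMPLE_NOW):
    """records: list of (record_id, category, created_at). Partition ids into
    those deleted now and those retained under compliance."""
    plan = {"delete": [], "retain": []}
    for record_id, category, created_at in records:
        plan[retention_action(category, created_at, now, True)].append(record_id)
    return plan
```

A deletion job built on this routine should log each returned action, since the contract requires deletion jobs to be observable and auditable.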


Accounting of Access (HIPAA Requirement)

The system MUST support:

  • Recording who accessed HIPAA-regulated data
  • Recording when and why access occurred
  • Providing a user with an accounting of disclosures upon request

This applies to:

  • Admin access
  • Support access
  • Automated system access

SOC 2 Evidence Retention

For SOC 2 and similar audits:

  • Evidence logs MUST be retained through audit cycles
  • Changes to retention logic MUST be auditable
  • Deletion jobs MUST be observable and logged

Enforcement and Auditing

  • Retention enforcement MUST be server-side.
  • Automated deletion jobs MUST be monitored.
  • Violations are considered compliance defects.
  • Periodic retention audits SHOULD be conducted.

Non-Negotiable Rules

  • Compliance retention overrides user deletion.
  • HIPAA data retention is explicit and time-bound.
  • Biometric data is fully deleted on account deletion.
  • Access to protected data is logged.
  • Anonymization rules are explicit.
  • No feature may weaken these guarantees.

References

  • docs/governance/doc-authority.new.md
  • docs/contracts/authz-and-roles.new.md
  • HIPAA Privacy Rule (45 CFR §164)
  • SOC 2 Trust Services Criteria

End of Document