Data Retention Policy
Last updated: July 11, 2025
Data Retention Overview
This policy outlines how long AGOL Helper retains different types of data and the procedures for data deletion and archival in compliance with GDPR and other privacy regulations.
1. Data Categories & Retention Periods
1.1 User Account Data
| Data Type | Retention Period | Purpose |
|---|---|---|
| User credentials & tokens | 24 hours (auto-expire) | Authentication & API access |
| User profile information | Active use + 30 days | Application functionality |
| User preferences & settings | Active use + 90 days | User experience continuity |
| Organization configuration | Active subscription + 1 year | Service delivery & support |
1.2 ArcGIS Online Data
| Data Type | Retention Period | Purpose |
|---|---|---|
| Content metadata | Active sync + 180 days | Data governance & reporting |
| Version history | Active use + 2 years | Version control & rollback |
| Security risk assessments | Active use + 1 year | Security monitoring & compliance |
| User permission analysis | Active use + 6 months | Access control & audit |
1.3 Audit & Compliance Data
| Data Type | Retention Period | Purpose |
|---|---|---|
| System access logs | 2 years | Security monitoring & compliance |
| Data processing logs | 1 year | System maintenance & support |
| Sharing violations | Active use + 2 years | Compliance reporting & trends |
| Error logs | 90 days | System troubleshooting |
2. Data Deletion Procedures
2.1 Automatic Deletion
- Authentication tokens are automatically expired after 24 hours
- Temporary cache data is cleared every 6 hours
- Error logs are automatically purged after 90 days
- Expired backup files are removed after 90 days
2.2 Scheduled Deletion
- Monthly review and deletion of expired data
- Quarterly audit of data retention compliance
- Annual review of retention policies
- On-demand deletion for user requests
2.3 Secure Deletion Methods
- Database records are permanently deleted using secure deletion commands
- File system data is overwritten multiple times
- Backup media is securely wiped before disposal
- Deletion logs are maintained for audit purposes
3. Data Archival
3.1 Archival Criteria
Data may be archived instead of deleted when:
- Required for legal or regulatory compliance
- Needed for historical analysis or reporting
- Part of long-term audit trails
- Requested by organization for business continuity
3.2 Archived Data Access
- Archived data is stored in secure, encrypted formats
- Access requires specific authorization and business justification
- Retrieved data is subject to the same privacy controls
- Archived data is reviewed annually for continued necessity
4. User Rights & Requests
4.1 Right to Deletion (Right to be Forgotten)
Users have the right to request deletion of their personal data when:
- The data is no longer necessary for the original purpose
- Consent has been withdrawn
- Data has been unlawfully processed
- Required for compliance with legal obligations
4.2 Request Processing
Deletion Request Timeline
- • Immediate: Authentication tokens and session data
- • Within 72 hours: Active user data and preferences
- • Within 30 days: All personal data across systems
- • Within 60 days: Archived data and backups
4.3 Exceptions to Deletion
Some data may be retained beyond user requests when:
- Required by law or regulation
- Necessary for legal claims or defenses
- Needed for public interest or scientific research
- Part of anonymized datasets (no longer personal data)
5. Data Backup & Recovery
5.1 Backup Retention
| Backup Type | Frequency | Retention Period |
|---|---|---|
| Daily backups | Every 24 hours | 30 days |
| Weekly backups | Every Sunday | 12 weeks |
| Monthly backups | First of month | 12 months |
5.2 Backup Data Privacy
- All backups are encrypted using industry-standard encryption
- Backup data is subject to the same privacy controls as live data
- Deleted data is purged from backup systems within 90 days
- Backup restoration includes privacy impact assessment
6. Compliance & Monitoring
6.1 Regular Audits
- Monthly automated compliance checks
- Quarterly manual data retention reviews
- Annual policy effectiveness assessments
- Continuous monitoring of data lifecycle
6.2 Documentation
- Data processing records maintained for 3 years
- Deletion logs kept for audit purposes
- Policy changes documented and communicated
- Compliance reports generated quarterly
7. Policy Updates
This Data Retention Policy is reviewed annually and may be updated to reflect:
- Changes in privacy laws and regulations
- Updates to technical capabilities
- Organizational policy changes
- Industry best practices
8. Contact Information
For questions about data retention or deletion requests:
Data Protection Officer
Email: [Your Organization's DPO Email]
Phone: [Your Organization's Contact Number]
Address: [Your Organization's Address]
Policy Compliance
This Data Retention Policy is designed to ensure compliance with GDPR, CCPA, and other applicable privacy regulations. It is regularly reviewed and updated to maintain compliance with evolving legal requirements.