Data Retention Policy

This Data Retention Policy explains how long we keep your personal data, why we retain it, and when we delete it. This policy complies with GDPR Article 5(1)(e) (storage limitation) and SOC 2 requirements.

1. Data Retention Principles

We retain personal data only as long as necessary for:

Fulfilling the purposes for which it was collected
Complying with legal obligations (tax, financial reporting)
Establishing, exercising, or defending legal claims
With your consent (you can withdraw at any time)

After the retention period expires, we permanently delete or anonymize your data.

2. Retention Periods by Data Type

2.1 Active User Accounts

Retention: As long as your account remains active

Includes:

Profile information (name, email, phone, address)
Authentication data (magic link tokens, session tokens)
Preferences and settings
Quest progress and rewards
Shop follows and favorites

Why: Necessary to provide our services and maintain your account.

2.2 Deleted User Accounts (Soft Delete Period)

Retention: 90 days after account deletion

When you delete your account, your data is immediately soft-deleted (hidden from the platform) but retained for 90 days to allow for:

Account Recovery: Change your mind within 90 days (contact support)
SOC 2 Compliance: Audit trail and security incident investigation
Legal Disputes: Defense of legal claims during the 90-day window

Hard Delete: After 90 days, your data is permanently and irreversibly deleted via our automated data retention cron job.

💡 Recovery Window: If you deleted your account by mistake, contact privacy@dailyquest.com within 90 days to request restoration.

2.3 Transaction Records (Financial Compliance)

Retention: 7 years from transaction date

Includes:

Order records (order number, items, total, payment status)
Invoice and receipt data
Refund records
Tax-related transaction information

Why: Legal obligation for tax audits, financial reporting, and fraud prevention (IRS requires 7 years).

Note: Even if you delete your account, transaction records are retained for 7 years for legal compliance. Personal identifiers may be pseudonymized.

2.4 Consent Records (GDPR Compliance)

Retention: 3 years after consent withdrawal

Includes:

Cookie consent preferences
Marketing opt-in/opt-out records
Consent timestamps, IP address, and user agent

Why: GDPR Article 7(1) requires proof that consent was obtained. We must demonstrate compliance if challenged by a data protection authority.

2.5 Activity Logs & Audit Trails

Retention: 13 months (SOC 2 requirement)

Includes:

Login/logout events
Account changes (profile updates, password changes)
Data access logs (who accessed what data and when)
Security events (failed login attempts, suspicious activity)
Admin actions (support tickets, data corrections)

Why: Security monitoring, fraud detection, and SOC 2 audit compliance.

2.6 Marketing & Newsletter Data

Retention: Until you unsubscribe or withdraw consent

Includes:

Email address for newsletters
Email open/click analytics
Campaign engagement data

Deletion: When you unsubscribe, your email is removed within 30 days. Historical campaign metrics may be retained in anonymized form.

2.7 Support Conversations

Retention: 3 years from conversation close date

Includes:

Support tickets and messages
Live chat transcripts
Customer service notes

Why: Quality assurance, training, dispute resolution, and continuity of service.

2.8 User-Generated Content (Reviews, Comments)

Retention: 90 days after deletion

Includes:

Product reviews
Comments and feedback
Ratings

Note: When you delete a review, it's soft-deleted for 90 days (same as account deletion). After 90 days, it's permanently removed.

2.9 System Backups

Retention: 30 days (rolling backups)

We maintain automated database backups for disaster recovery. Your data may persist in backups for up to 30 days after deletion from the live system.

Note: Backups are encrypted, access-controlled, and used solely for disaster recovery (not for restoring individual user data after the 90-day soft delete period).

3. Automated Data Retention Enforcement

We use an automated cron job that runs daily to permanently delete data that has exceeded its retention period:

Soft-deleted accounts: Hard deleted after 90 days
Soft-deleted content: Hard deleted after 90 days
Activity logs: Deleted after 13 months
Transaction logs: Deleted after 7 years

All deletions are logged to deletion_audit_log for SOC 2 compliance.

4. Data Export Before Deletion

Before deleting your account, you can request a complete copy of your personal data:

Export Your Data

Download all your personal data in machine-readable JSON format (GDPR Article 20 - Right to Data Portability).

Go to Privacy Settings

5. Exceptions to Deletion

We may retain certain data beyond standard retention periods if:

Legal Hold: Court order, subpoena, or ongoing legal investigation
Fraud Investigation: Suspected fraudulent activity under active investigation
Regulatory Request: Tax authority audit or regulatory examination
Dispute Resolution: Ongoing customer dispute or chargeback

In such cases, we will notify you and resume normal deletion schedules once the exception no longer applies (unless prohibited by law).

6. Anonymization & Pseudonymization

For certain use cases, we may anonymize or pseudonymize data instead of deleting it:

Analytics: Aggregate usage statistics (e.g., "100 users signed up this month") with all personal identifiers removed
Machine Learning: Training data for fraud detection models (fully anonymized)
Financial Records: Transaction records after account deletion may be pseudonymized (user_id replaced with random identifier)

Anonymized data is no longer considered personal data under GDPR and is not subject to retention limits.

7. Your Rights Regarding Data Retention

You have the right to:

Request Deletion: Delete your account at any time from Privacy Settings
Request Restriction: Freeze processing of your data during disputes (contact privacy@dailyquest.com)
Object to Processing: Object to processing based on legitimate interests
Access Retention Information: Request details about how long we keep your specific data

8. Changes to This Policy

We may update this Data Retention Policy to reflect changes in legal requirements or business practices. When we make material changes:

We will update the "Last updated" date
We will notify you via email (if retention periods are shortened)
We will post a notice on our platform

9. Questions?

If you have questions about our data retention practices:

Data Protection Officer:

Email: privacy@dailyquest.com

Support: Contact Support

Related Policies

→ Privacy Policy → Cookie Policy → Privacy Settings → Terms of Service