Data Retention Management¶
Dxtra tracks data retention policies through configurable fields on processing purposes and data processor configurations.
Documentation Only
Retention periods in Dxtra are for documentation and compliance tracking. Automated deletion enforcement is not currently implemented. Organizations must implement their own deletion processes.
Retention Configuration¶
Processing Purpose Retention¶
Each processing purpose in the dashboard includes:
| Setting | Description |
|---|---|
| Retention period | Maximum data retention duration |
| Usage period | Active processing duration |
| Essential flag | Whether processing is essential for service |
Data Processor Retention¶
Each configured data processor includes processor-specific retention and usage periods.
Common Retention Periods¶
| Duration | Typical Use |
|---|---|
| 30 days | Temporary/log data |
| 90 days | Short-term processing |
| 13 months | Transaction data |
| 1 year | Standard retention |
| 5 years | Financial records |
| 7 years | Tax compliance |
| 11 years | Advertising data |
| 50 months | Analytics data |
| While active | While service relationship is active |
Pre-configured Processor Retention¶
Dxtra includes retention defaults for common data processors:
| Processor | Retention | Usage | Notes |
|---|---|---|---|
| Stripe | 5 years | 13 months | AML/KYC requirements |
| Shopify | While active | While active | While merchant active |
| WooCommerce | 30 days | 30 days | Server logs |
| Eventbrite | While active | While active | While account active |
| SurveyMonkey | While active | While active | Customer controlled |
| Mailchimp | While active | While active | While account active |
| Klaviyo | 90 days | 90 days | Post-deletion period |
| Customer.io | While active | While active | As long as necessary |
| QuickBooks | While active | While active | Legal/business obligations |
| Google Ads | 11 years | 180 days | Advertising data retention |
| Google Analytics | 50 months | 180 days | Configurable 2-50 months |
| Sabre | While active | While active | Service provision |
Configuring Retention¶
Set Processing Purpose Retention¶
- Navigate to Purposes in the Dxtra dashboard
- Select or create a processing purpose
- Set the retention period and usage period
- Mark whether the processing is essential
- Save the configuration
Set Processor Retention¶
- Navigate to Processors in the Dxtra dashboard
- Select a configured processor
- Review and update retention and usage periods
- Save the configuration
Legal Retention Requirements¶
Common regulatory retention requirements:
| Regulation | Data Type | Retention | Notes |
|---|---|---|---|
| GDPR | Personal data | As needed for purpose | No longer than necessary |
| CCPA | Consumer data | No specific minimum | Delete on valid request |
| Tax (US) | Financial records | 3-7 years | Varies by jurisdiction |
| SOX | Financial communications | 7 years | Public companies |
| PCI DSS | Cardholder data | Minimum needed | Subject to PCI requirements |
Legal Exceptions
Retention policies may be overridden by: active legal holds, ongoing investigations, contractual obligations, or industry-specific regulations.
Deletion Requests¶
Processing Erasure Requests¶
When handling GDPR Article 17 or CCPA deletion requests:
- Verify identity -- Confirm the requester's identity
- Assess legal basis -- Verify no legal basis prevents deletion
- Identify scope -- Review processing activities for the data subject
- Process deletion -- Delete data from systems manually
- Notify processors -- Contact integrated processors for deletion
- Document -- Update request status to completed
Data Controller Account Deletion¶
Dxtra supports scheduled deletion for data controller accounts. When account deletion is scheduled and the date passes, the account and associated data are eligible for deletion.
Best Practices¶
Setting Retention Periods¶
- Identify legal requirements -- Research applicable regulations
- Document business need -- Justify retention beyond legal minimum
- Configure in Dxtra -- Set retention and usage periods in the dashboard
- Establish deletion process -- Create manual deletion procedures
- Regular review -- Audit retention compliance periodically
Handling Conflicts¶
When legal requirements conflict with deletion requests:
- Apply the longest required retention period
- Document justification in the processing purpose
- Inform data subject of legal basis for extended retention
- Delete when legal requirement expires
When processor retention differs from your policy:
- Document processor retention in the Processors dashboard
- Include processor retention in privacy notices
- Request deletion from processor when your retention expires
- Track deletion confirmation
Common Questions¶
What happens when retention period expires?¶
Nothing automatic. Organizations must implement deletion processes and manually remove data when retention periods expire.
Can retention periods be extended?¶
Yes. Update the retention period on the processing purpose in the dashboard. Document the business or legal justification for the extension.
How do we handle indefinite retention?¶
"While active" retention indicates data retained while the service relationship is active. Define what triggers the retention period start (e.g., account closure).
What about data in backups?¶
Backup retention should align with primary data retention. Document backup deletion procedures separately.
Related Documentation¶
- GDPR Article 30 -- Processing records requirements
- GDPR Implementation -- European data protection
- CCPA Implementation -- California privacy law
- Data Controller Setup -- Initial configuration