
Records Retention Summary

Data retention periods, deletion processes, and compliance boundaries

Last Modified on March 28, 2019

Owner & Contact

Owner/Operator: Spyface Tech Company, LLC (d/b/a "ClinicBooking") — 30 N Gould St Ste N, Sheridan, WY 82801, USA

1. Scope & Definitions

This page summarizes how long ClinicBooking generally retains common record types and how we dispose of them. It complements (but does not replace) our internal Records Retention & Destruction Policy, our Data Processing Addendum (DPA), and our Privacy Policy. Where a law, court order, or contract requires longer retention, that requirement controls.

  • Record: Any information created, received, or maintained by ClinicBooking in the course of business (electronic or physical).
  • Clock Start: Unless noted, the retention period begins on the later of (i) collection/creation date or (ii) last business interaction tied to that record.
  • Providers are independent: Medical records created by clinics/doctors are their records (not ours). Provider retention duties are governed by their local laws and professional rules.

2. Master Retention Matrix (Summary)

Corporate & Governance
  • Examples: Articles, bylaws, board minutes, equity records
  • Retention: Permanent
  • Rationale: Corporate law; audit trail
  • Disposition: Permanent archive; secure storage

Contracts & Legal
  • Examples: Customer/provider agreements, NDAs, BAAs, DPAs
  • Retention: 6 years after termination, or the applicable statute of limitations, whichever is longer
  • Rationale: Defense of claims; compliance
  • Disposition: Secure wipe; certificate of destruction (physical)

Finance & Tax
  • Examples: General ledger, invoices, bank statements, tax filings
  • Retention: 7 years
  • Rationale: Tax & accounting requirements
  • Disposition: Secure wipe / shredding

Payments & PCI
  • Examples: Gateway tokens, transaction logs (no card PAN stored)
  • Retention: 7 years for financial logs; PCI logs: 1 year (≥3 months immediately available)
  • Rationale: Financial regulations; PCI DSS
  • Disposition: Tokenization; secure wipe

Security & Access Logs
  • Examples: Auth/audit trails, network/app logs
  • Retention: 12–24 months (system-dependent)
  • Rationale: Security forensics; compliance
  • Disposition: Log rotation; secure wipe

Incident & Breach Records
  • Examples: Security incident reports, notifications
  • Retention: 7 years
  • Rationale: Legal defense; audit
  • Disposition: Secure archive; wipe post-retention

Customer Support & Comms
  • Examples: Tickets, chat/email threads (non-PHI)
  • Retention: 2 years (unless legal hold)
  • Rationale: Quality; dispute resolution
  • Disposition: Secure wipe

Marketing & Web Analytics
  • Examples: Consent logs, campaign metrics, cookie/analytics
  • Retention: Consent logs: 5 years; analytics: typically 13 months
  • Rationale: Proof of consent; privacy norms
  • Disposition: Secure wipe; platform deletion

User Accounts & Preferences
  • Examples: Profile data, settings
  • Retention: Life of account + 90 days (or earlier upon verified deletion request)
  • Rationale: Service delivery
  • Disposition: Account closure workflow; wipe

UGC: Reviews/Photos/Videos
  • Examples: Public posts, ratings, comments
  • Retention: While published; backups rotate ≤ 12 months
  • Rationale: Platform integrity; expression
  • Disposition: Takedown removes from production; backup expiry

DMCA/IP Records
  • Examples: Notices, counter-notices, takedown logs
  • Retention: 3 years
  • Rationale: Copyright Act; defenses
  • Disposition: Secure archive; wipe

Provider KYC/Verification
  • Examples: License checks, identity, credential attestations
  • Retention: 5 years after end of relationship
  • Rationale: Fraud prevention; trust & safety
  • Disposition: Secure wipe

Applicant/Candidate Data
  • Examples: Resumes, interviews, assessments
  • Retention: 2 years (EEOC/FCRA considerations)
  • Rationale: Employment compliance
  • Disposition: ATS purge; secure wipe

I-9 (US only)
  • Examples: Employment eligibility
  • Retention: 3 years after hire or 1 year after termination (whichever is later)
  • Rationale: 8 CFR §274a.2
  • Disposition: Secure storage; shredding

HIPAA (if BAA in place)
  • Examples: BAA, policies, PHI disclosures (minimal; if any)
  • Retention: 6 years (HIPAA documentation rule)
  • Rationale: 45 CFR §164.530(j)
  • Disposition: Secure archive; verified destruction

Consumer Health Data*
  • Examples: Data covered by state CHD laws (e.g., WA MHMD)
  • Retention: Only as necessary to provide services; delete upon request unless an exception applies
  • Rationale: State CHD statutes; minimization
  • Disposition: System purge + backup expiry

*"Consumer health data" is defined by certain state laws; see our Consumer Health Data Collection & Use notice for details.

3. Regional Variations (High-Level)

USA
  • Highlights: IRS/tax; state SoL; HIPAA docs (if BAA) 6 yrs; EEOC; I-9 rules; CHD state laws (e.g., WA MHMD)
  • Minimums above; longer if SoL/legal hold

EU/EEA (GDPR)
  • Highlights: Storage limitation & minimization; member-state labor/tax specifics
  • Retain only as necessary; follow local rules

UK (UK GDPR)
  • Highlights: Similar to GDPR; typical 6-year limitation for contract claims; HMRC tax retention
  • Align to UK norms; longer for claims/holds

4. Litigation Holds

If ClinicBooking reasonably anticipates litigation, government inquiry, audit, or similar event, related records are placed on legal hold. Legal holds suspend normal deletion until the hold is released. We notify relevant custodians and systems and track hold scope and release.

5. Deletion & Destruction

  • Production systems: Data scheduled for deletion is purged within ~30 days of the retention trigger, unless a legal hold applies.
  • Backups/replicas: Because backups are immutable and rotated, purged data falls out of backup within ≤ 90 days of the production deletion (see "Backups & Logs").
  • Methods: Cryptographic erasure or NIST-aligned secure wipe for electronic media; cross-cut shredding or certified destruction for paper.
  • Verification: Periodic sampling and vendor attestations for destruction events.

6. Backups & Logs

We maintain encrypted, access-controlled backups for business continuity. Backups are not used as active archives. When production data is deleted, corresponding backup data becomes inaccessible for normal use and ages out on the backup rotation schedule (≤ 90 days).

Operational and security logs follow the retention windows in the matrix (typically 12–24 months) unless a longer period is required for investigations, compliance, or legal holds.

7. Roles & Oversight

  • Data Protection & Legal: Own the schedule; approve legal holds; align with privacy/security laws.
  • Security & Engineering: Implement technical controls, deletion workflows, and log/backup rotations.
  • Operations/Support: Apply timelines for tickets and comms; escalate holds and exceptions.
  • Vendors/Sub-processors: Bound by DPA to meet or exceed these retention and deletion practices.

8. Important Notes & Disclaimers

  • Summary only: This page is a high-level summary. Specific products, regions, or contracts may impose different requirements.
  • Minimization & purpose limitation: We retain the least amount of data needed for the shortest appropriate time.
  • Provider medical records: Providers manage their own clinical records in line with their licensing and laws; ClinicBooking is not the custodian of provider medical charts.
  • HIPAA boundary: ClinicBooking is generally not a HIPAA covered entity. If we act as a Business Associate under a signed BAA, HIPAA documentation is retained for 6 years, and any PHI we process is handled per the BAA.
  • Consumer Health Data: Where state CHD laws apply, we retain only as necessary to provide services or as legally required, and honor valid deletion requests subject to exceptions.

9. Records & Retention Queries

For questions about this summary, legal holds, or to raise a records-related concern, contact:

Corporate/Legal: hello@spyface.com

Support: care@clinicbooking.com