# Data Retention Schedule **SnapSell AI** **Effective Date:** January 2025 **Last Updated:** January 2025 --- ## 1. Introduction This Data Retention Schedule defines how long SnapSell AI, operated by Nova AI Ventures, retains personal data. It fulfills our obligations under GDPR Article 5(1)(e) - the "storage limitation" principle. **Guiding Principle:** Personal data shall be kept for no longer than is necessary for the purposes for which it is processed. --- ## 2. Retention Periods by Data Category ### 2.1 Account Information | Data Type | Retention Period | Legal Basis | Deletion Trigger | |-----------|------------------|-------------|------------------| | Email address | Active account + 30 days | Contract | Account deletion request | | Name | Active account + 30 days | Contract | Account deletion request | | Phone number | Active account + 30 days | Contract | Account deletion or user removal | | Profile photo | Active account + 30 days | Contract | Account deletion or user removal | | Password hash | Active account | Contract | Account deletion | | Auth tokens | Session duration | Contract | Logout or expiry | ### 2.2 User-Generated Content | Data Type | Retention Period | Legal Basis | Deletion Trigger | |-----------|------------------|-------------|------------------| | Original product photos | Until deleted by user or account deletion + 30 days | Contract | User action or account deletion | | AI-enhanced photos | Until deleted by user or account deletion + 30 days | Contract | User action or account deletion | | AI-generated videos | Until deleted by user or account deletion + 30 days | Contract | User action or account deletion | | Listing content (titles, descriptions) | Until deleted by user or account deletion + 30 days | Contract | User action or account deletion | | Draft listings | 90 days from last modification | Contract | Automatic expiry | ### 2.3 Transaction Data | Data Type | Retention Period | Legal Basis | Deletion Trigger | |-----------|------------------|-------------|------------------| | Token purchase records | 7 years | Legal obligation (tax) | Automatic after retention period | | Payment transaction IDs | 7 years | Legal obligation (tax) | Automatic after retention period | | Receipts/Invoices | 7 years | Legal obligation (tax) | Automatic after retention period | | Refund records | 7 years | Legal obligation (tax) | Automatic after retention period | | Token balance history | Active account + 7 years | Legal obligation | Account deletion + legal period | ### 2.4 Communication Data | Data Type | Retention Period | Legal Basis | Deletion Trigger | |-----------|------------------|-------------|------------------| | Buyer-seller messages | 2 years from last message | Contract | Automatic or user request | | Customer support tickets | 3 years from resolution | Legitimate interest | Automatic expiry | | Support email correspondence | 3 years from last communication | Legitimate interest | Automatic expiry | | In-app notifications | 90 days | Contract | Automatic expiry | ### 2.5 Technical & Analytics Data | Data Type | Retention Period | Legal Basis | Deletion Trigger | |-----------|------------------|-------------|------------------| | Server access logs | 90 days | Legitimate interest (security) | Automatic rotation | | Error logs | 90 days | Legitimate interest (debugging) | Automatic rotation | | Security audit logs | 1 year | Legitimate interest (security) | Automatic rotation | | Google Analytics data | 26 months | Consent | Automatic or consent withdrawal | | Device information | Active account | Contract | Account deletion | | IP addresses (logs) | 90 days | Legitimate interest | Automatic rotation | ### 2.6 Cookie Data | Cookie Type | Retention Period | Legal Basis | Deletion Trigger | |-------------|------------------|-------------|------------------| | Essential cookies | Session to 1 year | Legitimate interest | Logout/expiry/browser clear | | Functional cookies | Up to 1 year | Consent | Expiry or consent withdrawal | | Analytics cookies | Up to 26 months | Consent | Expiry or consent withdrawal | ### 2.7 Connected Platform Data | Data Type | Retention Period | Legal Basis | Deletion Trigger | |-----------|------------------|-------------|------------------| | OAuth tokens (eBay, Allegro) | Until disconnection | Contract | User disconnects platform | | Listing sync status | Active connection + 30 days | Contract | Platform disconnection | | Platform sale notifications | 1 year | Contract | Automatic expiry | --- ## 3. Retention Justifications ### 3.1 Legal Obligations | Requirement | Jurisdiction | Retention | Data Affected | |-------------|--------------|-----------|---------------| | Tax records | Poland/EU | 7 years | Transaction data, invoices | | Financial regulations | EU | 7 years | Payment records | | Anti-money laundering | EU | 5 years | High-value transaction records | ### 3.2 Legitimate Interest Justifications | Purpose | Retention | Balancing Test | |---------|-----------|----------------| | Security monitoring | 90 days - 1 year | Essential for fraud prevention; minimal privacy impact with pseudonymization | | Bug fixing | 90 days | Necessary for service quality; logs contain minimal personal data | | Dispute resolution | 2-3 years | Protects both users and company; aligned with limitation periods | | Service improvement | 26 months | Aggregated analytics; user consent obtained | --- ## 4. Deletion Procedures ### 4.1 Automatic Deletion Data subject to automatic deletion is processed by scheduled jobs: | Schedule | Data Types | |----------|------------| | Daily | Expired session tokens, temporary files | | Weekly | Draft listings older than 90 days | | Monthly | Server logs older than 90 days | | Quarterly | Messages older than 2 years | | Annually | Analytics data older than 26 months | ### 4.2 User-Initiated Deletion **Self-Service:** - Individual listings: Delete button in app - Photos: Delete button in gallery - Account: Settings → Delete Account **Request-Based:** - Email privacy@snap-sell.app - Response within 30 days - Identity verification required ### 4.3 Account Deletion Process When a user requests account deletion: 1. **Immediate (within 24 hours):** - Account access revoked - Active sessions terminated - Connected platforms disconnected 2. **Within 30 days:** - Account information deleted - User-generated content deleted - Anonymization of analytics data 3. **Retained (legal requirement):** - Transaction records (7 years, anonymized where possible) - Security logs if fraud investigation active ### 4.4 Backup Retention | Backup Type | Retention | Notes | |-------------|-----------|-------| | Database backups | 30 days rolling | Deleted data removed in next backup cycle | | Application logs | 90 days | Rotated automatically | | Disaster recovery | 7 days | Full system restore capability | --- ## 5. Data Retention by Purpose ### 5.1 Service Provision **Retention:** Duration of active account + 30 days grace period **Includes:** Account data, listings, photos, messages ### 5.2 Legal Compliance **Retention:** As required by law (typically 7 years) **Includes:** Transaction records, tax documentation ### 5.3 Security **Retention:** 90 days - 1 year depending on data type **Includes:** Access logs, security events, audit trails ### 5.4 Analytics & Improvement **Retention:** Up to 26 months (with consent) **Includes:** Usage data, aggregated statistics --- ## 6. Special Categories ### 6.1 Data Involved in Legal Disputes Data may be retained beyond normal periods if: - Involved in ongoing litigation - Subject to legal hold - Required for regulatory investigation Retained until: Resolution + applicable limitation period ### 6.2 Fraud Investigation Data When fraud is suspected: - Account data frozen (not deleted) - Transaction history preserved - Retention: Investigation completion + 5 years ### 6.3 Deceased Users Upon notification of user death: - Account access locked - Data retained for 1 year - Deletion upon verified next-of-kin request --- ## 7. Third-Party Retention Our subprocessors have their own retention policies: | Subprocessor | Their Retention | Our Control | |--------------|-----------------|-------------| | Google Cloud | Per our configuration | Full control via DPA | | Stripe | Per their policy (typically 7 years for transactions) | Limited - required for payments | | Google Analytics | 26 months (configured) | Configurable in GA settings | | External Marketplaces | Per their policies | User controls connection | --- ## 8. Review & Updates This schedule is reviewed: - **Annually:** Full review of all retention periods - **On Legal Changes:** When applicable laws change - **On Business Changes:** When processing activities change --- ## 9. Contact Questions about data retention: **Email:** privacy@snap-sell.app **Data Controller:** SnapSell AI Operated by Nova AI Ventures Registered in Poland --- *This Data Retention Schedule is part of SnapSell AI's GDPR compliance documentation.*