Fill in the sidebar to personalise, or scroll down to read the raw template (placeholders shown as {{ ORG_NAME }}).
# Data Retention Schedule — {{ ORG_NAME }}

**Effective date:** {{ EFFECTIVE_DATE }}
**Owner:** Data protection contact, **{{ CONTACT_EMAIL }}**

This schedule tells everyone in {{ ORG_NAME }} how long each kind of
record is kept and how it is disposed of. The default retention is
**{{ RETENTION_DEFAULT }} days** for any data category not listed below.

| Data category | Purpose | Retention | Disposal method |
|---|---|---|---|
| Customer account data | Operate the account | While account is active + 30 days after closure | Hard delete from DB and backups within 90 days |
| Support emails / chat transcripts | Resolve and improve support | 12 months | Hard delete |
| Marketing contact lists | Newsletters, product updates | Until consent withdrawn | Hard delete on withdrawal |
| Application logs (incl. IP) | Debugging, security | 30 days | Rolled out of log storage |
| Security event logs (auth, failures) | Incident investigation | 12 months | Hard delete |
| Payment / billing records | Tax & accounting compliance | 6 years (or as required by {{ JURISDICTION }}) | Secure shred / hard delete |
| Recruitment data — successful applicants | Onboarding | Folded into employee file | See HR retention |
| Recruitment data — unsuccessful applicants | Defence of selection decision | 6 months unless consent for talent pool | Hard delete |
| Backups | Disaster recovery | 30 days rolling | Tape or cloud lifecycle expiry |

## Implementation rules

1. **Defaults are the floor.** A data owner may *shorten* the period if it
   serves the data subject (data minimisation), but never silently extend
   it. Extensions need DPO sign-off and a documented reason.
2. **Anonymisation counts as deletion.** Once a record can no longer be
   linked to a living person, it is no longer personal data and may be
   kept indefinitely for analytics.
3. **Backups are not exempt.** Personal data deleted from the live system
   must roll out of backups within the backup retention window.
4. **Legal hold overrides this schedule.** If we receive a litigation
   notice or regulator demand, retention pauses until the hold is lifted.

## Review

This schedule is reviewed at least once per year and after any major
service change. Owner: **{{ CONTACT_EMAIL }}**.