Docs / Data Retention

Data Retention

Understanding data retention is important for compliance. This guide explains how SAR Portal manages data throughout its lifecycle.

Retention Overview

Data TypeActive PeriodAfter ClosureRetention Period
Case DataWhile openAnonymized7 years (audit only)
DocumentsWhile case openDeletedNone after closure
Audit LogsAlwaysPreserved7 years
User DataWhile activeOn requestUntil deletion

Case Data Retention

Active Cases

While a case is open:

Closed Cases

When a case is closed:

Anonymization

After a retention period (configurable):

Why Hash the Email?

The email hash allows:

Document Retention

During Active Cases

Document Deletion

When documents are deleted:

Soft Delete (Immediate)

Permanent Delete (On Case Closure)

After Case Closure

All documents are permanently deleted:

This aligns with data minimization principles - don’t keep data longer than necessary.

Audit Log Retention

Standard Retention: 7 Years

Based on:

What’s Retained

What’s NOT Retained Long-term

User Data Retention

Active Users

Full account data retained:

Deactivated Users

When a user is deactivated:

User Deletion

On GDPR deletion request:

Tenant/Organization Retention

Active Organizations

All data retained:

Organization Deletion

When the last admin deletes the organization, everything runs immediately and synchronously - there is no deferred purge window:

  1. Immediate (at deletion)

    • Stripe subscription cancelled
    • All cases deleted (not anonymized)
    • All documents and blobs deleted from storage
    • All user accounts removed
    • The tenant record removed
  2. Retained afterwards

    • Anonymized audit logs (7 years, GDPR Article 17(3)(e))
    • Billing records (legal requirement)
Deletion vs cancellation
Deletion is immediate and permanent. The 90-day read-only + export window applies only when you cancel a subscription (see Plans & Pricing) - it is not part of deletion.

Configuring Retention

Case Anonymization Timing

Configure when closed cases are anonymized:

Go to Settings > Advanced to configure.

For cases under legal hold:

Data Minimization

SAR Portal follows data minimization principles:

Collect Only What’s Needed

Store Only While Needed

Delete When No Longer Needed

Compliance Reports

Generate retention compliance reports showing:

Your Responsibilities

As the data controller, you should:

  1. Inform Data Subjects

    • Include retention periods in privacy notice
    • Explain anonymization vs deletion
    • Describe audit log retention
  2. Configure Appropriately

    • Set retention periods matching your policy
    • Enable legal holds when needed
    • Review settings periodically
  3. Honor Deletion Requests

    • Process account deletions promptly
    • Understand what can/cannot be deleted
    • Explain retained audit logs

Audit log retention is based on:

This is documented in our DPA and privacy notice.