Data Retention and Deletion Policy
Approved legal and compliance content sourced from 10_Data_Retention_and_Deletion_Policy.md.
1. Scope
1.1 This Data Retention and Deletion Policy (the "Policy") describes how long [LEGAL ENTITY NAME — confirm exact legal name, entity type, jurisdiction] ("Escrow Bunny," "we," "us") retains categories of data generated through the Escrow Bunny platform (the "Platform" or "Service"), and how and when data is deleted, de-identified, or otherwise disposed of.
1.2 This Policy is incorporated by reference into the Terms of Service and the Standard Escrow Agreement and is read together with the Privacy Policy (data-subject rights) and the KYC/KYB and Sanctions Screening Policy (identity/screening recordkeeping).
1.3 In the event of conflict, the [order of precedence in the Terms of Service Section 1.3 / Standard Escrow Agreement Section 1.4 controls — PLACEHOLDER pending counsel confirmation].
1.4 Capitalized terms not defined here have the meaning given in the Terms of Service and the Standard Escrow Agreement.
2. Definitions
- "Retention period" — the period for which a data category is kept before deletion, de-identification, or disposal.
- "Deletion" — removal such that the data is no longer accessible or recoverable in the ordinary course, subject to technical and legal constraints.
- "De-identification / anonymization" — processing so the data no longer identifies an individual, subject to applicable legal standards.
- "Immutable record" — a record that cannot be altered or selectively deleted once written, including Ledger postings and hash-chained Audit Logs.
- "Legal hold" — a suspension of deletion required for litigation, investigation, regulatory, or legal-process reasons.
- "Backups" — system backups retained for resilience and recovery.
- Other capitalized terms have the meaning given in the Terms of Service and the Standard Escrow Agreement.
3. Principles
3.1 Data is retained only as long as necessary for the purposes for which it was collected, to operate the Service, to comply with legal, regulatory, recordkeeping, and tax obligations, to resolve disputes, to prevent and investigate fraud and financial crime, and to enforce agreements.
3.2 Retention periods are set by the longest applicable of: (a) the operational need; (b) the legally required minimum retention; and (c) the period necessary for established or reasonably anticipated legal claims, subject to any legally required maximum. [Counsel to set the controlling periods per jurisdiction and per category.]
3.3 Certain records are immutable (Ledger postings and hash-chained Audit Logs) and cannot be altered or selectively erased; corrections are made by adjusting entries. This materially constrains deletion for those categories (Sections 6 and 7).
3.4 Where deletion is not permitted or not technically possible (e.g., immutable records, legal hold, statutory retention), data is retained and protected, and access is restricted, until deletion is permissible.
4. Retention Schedule (Placeholders — Counsel to Set)
All periods below are placeholders. They must be determined by counsel per jurisdiction and reconciled with statutory recordkeeping, AML/CTF, tax, limitation, and consumer-law requirements. The categories reflect the data the prompt indicates the Platform generates; exact data elements must be validated against the product/database specification, which was not available for this draft.
| # | Data category | Indicative retention | Primary basis |
|---|---|---|---|
| 4.1 | Escrow records (parameters, milestones, approvals, status, releases, refunds, cancellations) | [PERIOD — PLACEHOLDER] | Contract performance; legal/recordkeeping; dispute defense |
| 4.2 | Ledger records (immutable double-entry postings) | [PERIOD — PLACEHOLDER; note immutability — see §6] | Financial recordkeeping; audit; legal |
| 4.3 | Identity records (KYC) and organization/beneficial-owner records (KYB), incl. screening results | [PERIOD — PLACEHOLDER; statutory due-diligence retention typically applies] | Legal/regulatory (AML/CTF/sanctions); see KYC/KYB Policy |
| 4.4 | Audit Logs (immutable, hash-chained) | [PERIOD — PLACEHOLDER; note immutability — see §6] | Security; integrity; legal/regulatory |
| 4.5 | Consent and acceptance records (by document type and exact version; User, timestamp, IP, user agent) | [PERIOD — PLACEHOLDER] | Evidence of consent/agreement; legal defense |
| 4.6 | Documents (uploaded files, transaction documents) | [PERIOD — PLACEHOLDER] | Contract; dispute; legal/recordkeeping |
| 4.7 | Messages (Platform messaging) | [PERIOD — PLACEHOLDER] | Contract; dispute; legal |
| 4.8 | Dispute evidence and dispute records | [PERIOD — PLACEHOLDER] | Dispute resolution; legal defense |
| 4.9 | Account/profile data | [PERIOD — PLACEHOLDER] | Service operation; legal |
| 4.10 | Technical/usage/diagnostic data (incl. Sentry error data) | [PERIOD — PLACEHOLDER] | Security; service operation; debugging |
| 4.11 | Communications data (notice/support email via Brevo) | [PERIOD — PLACEHOLDER] | Service operation; legal/notice evidence |
| 4.12 | Payment-related data (if/when a payment processor such as Stripe is activated) | [PERIOD — PLACEHOLDER; not applicable at launch unless activated] | Financial recordkeeping; legal |

4.13 Retention is typically measured from [a defined trigger — PLACEHOLDER, e.g., Escrow completion/closure, account closure, last activity, or the relevant statutory start point], to be set per category by counsel.
5. Provider-Held Data
5.1 Some data is processed or stored by third-party providers (DigitalOcean Managed PostgreSQL, DigitalOcean managed Valkey/Redis, DigitalOcean Spaces, Brevo, Sentry, Verified by Toni, and any future payment processor). Provider retention may differ from Escrow Bunny's and is governed by provider terms and the applicable data processing arrangements.
5.2 Verified by Toni retention/deletion. [PLACEHOLDER — state Verified by Toni's retention and deletion periods for submitted data and verification results per provider documentation; align with Privacy Policy Section 8.4 and KYC/KYB Policy Section 8.4. Do not assert periods until confirmed.]
5.3 Cache/transient data (Valkey/Redis). Transient/cache data is retained only as long as operationally necessary. [Confirm cache TTLs/retention against the architecture specification.]
5.4 Backups. Backups are retained for [BACKUP RETENTION — PLACEHOLDER] and cycle out on the backup schedule. Deleted production data may persist in backups until the backup cycle completes; backups are protected and access-restricted in the interim. [Confirm backup retention and deletion mechanics against the architecture specification.]
6. Immutable Records and the Limits of Deletion
6.1 Ledger postings are immutable once posted; they are not altered or selectively deleted. Corrections are made via adjusting entries.
6.2 Audit Logs are immutable and hash-chained; selective deletion would break the hash chain and is not performed.
6.3 As a result, deletion or erasure requests cannot result in alteration or selective removal of individual immutable Ledger or Audit Log records. Where an individual has a deletion right, Escrow Bunny will [PLACEHOLDER — describe the lawful approach counsel approves, e.g., honoring deletion for non-immutable categories, restricting processing/access of immutable records, and/or de-identifying associated non-immutable data, while retaining immutable records as required by law and integrity needs. Counsel to confirm the legally compliant approach for each applicable regime.]
6.4 Whole-dataset disposal of immutable records occurs only at end-of-life of the retention period for the entire dataset, in a manner that preserves integrity until disposal. [Confirm technical disposal approach and timing with counsel and engineering.]
7. Data Subject Deletion Requests
7.1 Individuals may request deletion of personal data as described in the Privacy Policy. We will honor such requests to the extent required by applicable law and subject to the limits in this Policy.
7.2 Deletion will not be performed where data must be retained for: legal, regulatory, AML/CTF, sanctions, tax, or recordkeeping obligations; establishment, exercise, or defense of legal claims; an active Escrow or open Dispute; a legal hold; fraud prevention; or where the data resides in immutable Ledger/Audit records.
7.3 Where full deletion is not permitted, we will, where lawful and feasible, restrict processing, limit access, and/or de-identify non-immutable associated data, and we will explain the applicable limitation when responding. [Counsel to confirm the response standard, timelines, and verification of requester identity; align with Privacy Policy Section 11.]
7.4 Requests are submitted via [PRIVACY REQUEST CHANNEL — PLACEHOLDER] and handled within [required timeframe — PLACEHOLDER].
8. Legal Holds
8.1 Where litigation, investigation, regulatory inquiry, or legal process is reasonably anticipated or pending, affected data is placed under a legal hold and is preserved beyond ordinary retention until the hold is released, notwithstanding any deletion request or schedule.
8.2 Legal-hold actions are recorded as Audit Log events. [Confirm legal-hold governance and any restriction on disclosing a hold with counsel.]
9. Deletion, De-identification, and Disposal Methods
9.1 On expiry of the applicable retention period and absent a legal hold or other lawful basis to retain, data is deleted, de-identified, or disposed of using reasonable methods appropriate to the medium, including in production systems and, on the applicable cycle, in backups.
9.2 Immutable records are handled per Section 6. [Confirm technical methods (e.g., secure deletion, key destruction, de-identification standards) against the security/architecture specification, which was not available for this draft.]
10. Account Closure
10.1 On account closure, data is retained for the applicable retention periods in Section 4 and is not immediately deleted, because of legal, recordkeeping, dispute, and immutability constraints. [Confirm closure data-handling and user-facing explanation with counsel.]
10.2 Obligations under any active Escrow, open Dispute, or legal hold survive account closure.
11. Changes to This Policy
11.1 Escrow Bunny may update this Policy and the retention schedule, including to reflect legal, regulatory, or operational changes. Material changes are notified by [notice method — PLACEHOLDER] with a stated effective date; the version and effective date are recorded, and acceptance is captured by document type and exact version where required.
12. User Acknowledgements
By using the Service, each User acknowledges and agrees that:
- Data is retained for the periods necessary for operational, legal, regulatory, recordkeeping, tax, dispute, and fraud-prevention purposes (final periods to be set by counsel).
- Ledger postings and Audit Logs are immutable and hash-chained and cannot be altered or selectively deleted, which limits certain deletion requests.
- Deletion requests are honored only to the extent required by law and subject to the limits in this Policy, including legal holds and statutory retention.
- Some data is held by third-party providers under their own retention terms, and deleted data may persist in backups until the backup cycle completes.
- Account closure does not result in immediate deletion of all data.
Acceptance capture: Acceptance of this Policy is recorded by document type and exact version, with associated User, timestamp, IP address, and user agent.
13. Contact / Legal Notice
- Operating entity: [LEGAL ENTITY NAME — PLACEHOLDER]
- Registered address: [ADDRESS — PLACEHOLDER]
- Privacy / data protection contact: [DPO OR PRIVACY CONTACT — PLACEHOLDER; see Privacy Policy]
- Data request / deletion channel: [EMAIL / PORTAL — PLACEHOLDER]
- Legal notices: [LEGAL NOTICE EMAIL / POSTAL ADDRESS — PLACEHOLDER; see Support, Complaints, and Legal Notices Policy]
14. Change History
| Version | Date | Summary | Author |
|---|---|---|---|
| 0.1 | [2026-05-17 DRAFT] | Initial first-pass draft for counsel review. | [DRAFTER / Claude-assisted] |