Data Retention Policy
Last reviewed 2026-05-18
This policy defines retention periods for personal data and operational records HiringCoachAI stores, the backup posture supporting recovery and disaster preparedness, and how account deletion interacts with active storage and backups.
Retention by data class
| Data class | Storage | Retention | Notes |
|---|---|---|---|
| Application audit log | Firestore auditLog (append-only) | 2 years | Forensics, compliance, access reviews |
| AI call audit metadata (no prompts or completions) | Firestore aiCallAudit | 1 year | AI governance, anomaly detection |
| Security audit monitor run records | Firestore securityAuditMonitorRuns | 365 days | Hourly anomaly-monitor evidence |
| Retention run logs | Firestore dataRetentionRuns | 90 days | Operating-control evidence |
| Deleted-user audit record | Firestore deleted_users | 365 days | Fraud and abuse detection, restoration support |
| Account-deletion challenges | Firestore account_deletion_challenges | 15 minutes | TTL on write |
| Deleted-account recovery snapshots | Firestore deleted_account_snapshots + restricted storage object | 30 days | Recovery from accidental self-deletion |
| Deleted-account feedback | Firestore deleted_account_feedback | 365 days | Optional; collected only after deletion completes |
| LinkedIn integration cookies | Firestore linkedinCookies | 1 hour | TTL on write |
| Short-lived auto-login tokens | Firestore authTokens | 5 minutes | TTL on write |
| Billing records | Stripe + Firestore subscriptions, subscriptionHistory | Up to 7 years | Legal obligation (tax records) |
User-controlled content (resumes, applications, contacts, notes, drafts, AI-assisted outputs) is retained while the account is active and removed during the account-deletion workflow. The full personal-data inventory is documented in the data map.
Backups
| Backup layer | Retention | Notes |
|---|---|---|
| Firestore point-in-time recovery (PITR) | 7 days | Short-horizon recovery from operator error |
| Firestore scheduled daily backups | 98 days | Managed by Google Cloud |
| Backup/export bucket soft delete | 90 days | Object versioning enabled |
| Backup/export bucket retention policy | 90 days | Unlocked retention policy |
Backup/export buckets use object versioning, 90-day soft delete, and a 90-day retention policy.
Account deletion and backups
- Self-service account deletion is final in active product systems once the required checks complete.
- A 30-day encrypted recovery snapshot is created before destructive work begins, supporting recovery from accidental self-deletion only.
- User-controlled content is removed from active product systems during the deletion workflow.
- Pilot-program usage records are retained only after direct user identifiers and direct contact, name, and free-text fields are replaced with non-reversible deleted-participant identifiers, so historical program reporting can continue without identifying the deleted account.
- The deletion audit record retains counts only and does not copy the original content arrays.
- Account deletion takes effect in active storage promptly. Older copies in backup snapshots and PITR windows roll off as the backup window rotates. Backup restore operations include controls to avoid restoring deleted accounts into active product state.
- Billing, tax, and other legally required financial records are retained for the period required by applicable law, independent of account deletion.
Institutional / customer bulk requests
Where an institutional or sponsor-program agreement provides for it, the Customer administrator may request bulk deletion or bulk export of a sponsored cohort by writing to [email protected]. Bulk requests are handled within the response window applicable to the underlying agreement (typically aligned with the data-subject-request 30-day response window under GDPR Art. 12(3), extendable for complex requests where permitted by law).
Enforcement
- Retention is enforced by a scheduled daily job that deletes records past their retention window for the collections listed above. The job emits per-collection counts, which are retained as operating-control evidence.
- Backup retention is configured at the Google Cloud platform layer and is verified during quarterly internal audit.
- The retention policy is reviewed at least annually and on any material data-flow change.