Data Retention and Disposal Policy
Last Updated: April 22, 2026
Owner: Security Officer
1. Purpose
This policy establishes how Happee, Inc. retains, manages, and disposes of data — including Customer Data, personal data, operational data, and internal business records. It governs the retention commitments made in our Cloud Computing Service Agreement and Security Policy and supports compliance with GDPR, CCPA, and applicable US law.
2. Scope
This policy applies to all data held by or on behalf of Happee, Inc., including:
- Customer Data stored in tenant databases
- Personal data of customers, Authorized Users, leads, and employees
- Operational and infrastructure logs
- Backup and disaster recovery copies
- Financial and business records
- Communications (email, internal channels)
3. Data Categories and Retention Periods
| Category | Examples | Retention Period | Basis |
|---|---|---|---|
| Customer Data (active tenant) | Tenant database, uploaded files, accounting records | Duration of active subscription + 30-day export window after termination | Contractual obligation |
| Customer Data (deleted on request) | Same as above | 48 hours for active systems; 14 days for backup media | Contractual obligation (service agreement §7.3) |
| Personal data — customers/users | Name, email, billing address, IP logs | Duration of account + 3 years | Legitimate interest / legal obligation |
| Payment data | Card details, billing history | Not stored — held by payment processor (Stripe) per Stripe's retention policy | PCI DSS |
| Infrastructure and access logs | Server logs, sign-in records, IP addresses | 90 days rolling | Security / legitimate interest |
| Application error logs | Stack traces, debug output | 30 days rolling | Operational necessity |
| Backup data | Tenant database snapshots | 30 days rolling; one monthly snapshot retained for 12 months | Operational / disaster recovery |
| Financial records | Invoices, SOWs, revenue records | 7 years | US tax / legal obligation |
| Employee records | HR files, contracts, payroll | Duration of employment + 7 years | Legal obligation |
| Communications | Internal channel messages, email | 3 years, then deleted unless subject to legal hold | Legitimate interest |
| Marketing and lead data | CRM leads, email campaign data | 3 years from last interaction, or until opt-out request | Legitimate interest / CCPA/GDPR |
4. Customer-Initiated Deletion Requests
When a customer requests deletion of their Customer Data:
- Request received — logged within 24 hours
- Active systems — tenant database and associated files deleted within 48 hours of confirmed request
- Backup media — all backup copies destroyed within 14 days
- Confirmation — written confirmation sent to the customer's account email upon completion
- Exceptions — deletion may be suspended if required for an active incident investigation or pursuant to a court order; customer notified if a delay applies
5. Automated Retention Enforcement
Where technically feasible, retention periods are enforced automatically:
- Infrastructure logs are rotated on a 90-day schedule by the hosting provider
- Application logs are rotated on a 30-day schedule
- Backup snapshots older than 30 days (except monthly snapshots) are purged automatically
6. Disposal Methods
| Medium | Disposal Method |
|---|---|
| Tenant database files | Secure file deletion; hosting provider confirmation |
| Cloud storage objects | Provider-level deletion API with deletion confirmation |
| Backup media (cloud) | Provider-level purge with audit log |
| Backup media (physical, if any) | Cryptographic erasure or physical destruction |
| Logs | Provider-managed rotation |
7. Legal Hold
Normal retention schedules are suspended for data subject to a legal hold triggered by litigation, a court order, subpoena, or government demand. Customers are notified of any delay in their deletion request caused by a legal hold, to the extent permitted by law.
8. Policy Review
This policy is reviewed annually, or sooner if there is a material change in applicable law or our data practices.
Happee, Inc. · security@happee.ai · Delaware, USA