Data Retention Policy 

Rev: July 1, 2021

Purpose

This policy establishes the retention period of data within systems owned by intent.ly and for which intent.ly is responsible for the disposition of deleted data.  This includes system and log files that are a routine record of events on systems.

Scope

intent.ly collects data from you, through our interactions with you and through our products. You provide some of this data directly, and we get some of it by collecting data about your interactions, use, and experiences with our products. The data we collect depends on the context of your interactions with intent.ly and the choices you make, including your privacy settings and the products and features you use. We also obtain data about you from third parties.

You have choices when it comes to the technology you use and the data you share. When we ask you to provide personal data, you can decline. Many of our products require some personal data to provide you with a service. If you choose not to provide data required to provide you with a product or feature, you cannot use that product or feature. Likewise, where we need to collect personal data by law or to enter into or carry out a contract with you, and you do not provide the data, we will not be able to enter into the contract; or if this relates to an existing product you’re using, we may have to suspend or cancel it. We will notify you if this is the case at the time. Where providing the data is optional, and you choose not to share personal data, features like personalization that use such data will not work for you.

Roles

The retention of data and determination of useful retention of system logs is determined by system administrators under the direction of the Chief Information Security Officer, DPO and the Senior Director of Administrative Systems.  System administrators and database administrators are responsible for the execution of retention and adherence to the schedule.

Record Types

This policy addresses electronic data generated by systems in various formats (.txt, .tar, .zip, etc), data stored on AWS Servers, and all on-premise systems provided to the community for the storage of data. For user generated data, retention refers to the length of time a document is available for recovery once deleted by the user from the system.

This retention policy does not include data and email stored in intent.ly’s Google Workspace and Office365 tenants. Office365 email is retained in Deleted Items until removed.  Once removed from Deleted Items, email is available for recovery for 14 days. Mail in the Google Trash folder (non-faculty and staff email is delivered to Google) is retained for 30 days and is not recoverable beyond that.

Litigation Hold

When intent.ly receives a litigation hold for electronic data from the General Counsel or legal entities, the data and email as well as any associated backups as of the day of the hold are placed in litigation hold in systems designed for that purpose using Microsoft, Google , and Code42 litigation hold tools.  Any backup retention policies that would delete files older than 30 days are removed so that files are retained.  intent.ly will provide access to electronic records under a litigation hold as directed by the General Counsel or Legal Entities.

Records Retention

intent.ly has a document outlining the retention of system logs, responsible party and location.

User data, for the purpose of this document, data or email that has already been deleted by the user is retained via backup copies in the AWS cloud for 7 days.  Data that resides on user desktops/laptops is retained for 90 days beyond deletion. Once 90 days has passed, this data is permanently removed and no longer able to be recovered.  Data that resides on intent.ly provisioned on-premise storage (shared network drives and file locations) is retained for 7 days beyond deletion.