Data Retention Policy

Last updated: June 24, 2025

Overview

This Data Retention Policy outlines how long AffiliateForge Limited ("AffiliateForge," "we," "us," or "our") retains different types of data collected through our AI-powered affiliate content generation service. Our retention periods balance your privacy rights with our legitimate business needs, legal obligations, and regulatory requirements.

This policy applies to all users of our Service, regardless of location, with specific provisions for users in different jurisdictions as required by applicable law.

• Data Controller: AffiliateForge Limited, Ireland
• Data Protection Officer: dpo@affiliateforge.com

1. Retention Principles

1.1 Legal Basis for Retention

We retain data based on:

• Contract Performance: Data necessary for service delivery
• Legal Obligation: Data required by law (tax, accounting, regulatory)
• Legitimate Interest: Data for security, fraud prevention, and service improvement
• Consent: Data retained with your explicit consent (marketing, analytics)

1.2 Data Minimization

We retain only the minimum data necessary for the specified purpose and delete data when retention is no longer justified.

1.3 Storage Limitation

Personal data is stored for no longer than necessary for the purposes for which it was collected, subject to legal requirements.

1.4 Regular Review

We conduct quarterly reviews of retained data to ensure compliance with this policy and applicable law.

2. User Account Data

2.1 Active Accounts

Retention Period: For the duration of your active account

Data Types:

• Name, email address, and hashed password
• Account creation date and subscription tier
• Profile preferences and settings
• Dashboard configuration and user preferences

Legal Basis: Contract performance for service provision

Rationale: Required for account management and service delivery

2.2 Deleted Accounts

Retention Period: 30 days after account deletion request

Purpose:

• Account recovery in case of accidental deletion
• Prevention of immediate re-registration with same credentials
• Completion of pending transactions or processes

After 30 Days: Complete permanent deletion of all account data

Exception: Data subject to longer legal retention requirements (see Section 8)

2.3 Inactive Accounts

Free Tier Accounts:

• Retention Period: 3 years after last activity
• Warning Notice: Email notification 60 days before deletion
• Final Notice: Email notification 30 days before deletion

Paid Accounts:

• Retention Period: 12 months after subscription ends
• Warning Notice: Email notification 60 days before deletion
• Final Notice: Email notification 30 days before deletion

Reactivation: Inactive accounts can be reactivated before deletion by logging in

3. Generated Content and Creative Data

3.1 AI-Generated Articles

Retention Period: For the duration of your active account

Data Types:

• Article content, topics, and generation parameters
• Content modifications and editing history
• Generation timestamps and version history
• Associated metadata and tags

Deletion: All articles permanently deleted when account is deleted

Export: Users can export articles before account deletion

3.2 Content Generation Logs

Retention Period: 90 days

Data Types:

• API request logs and generation parameters
• AI model responses and processing times
• Error logs and debugging information
• Performance metrics and optimization data

Purpose: Service optimization, debugging, and usage analytics

Legal Basis: Legitimate interest for service improvement

3.3 Content Templates and Preferences

Retention Period: For the duration of your active account

Data Types:

• Custom content templates and formatting preferences
• Affiliate disclosure templates and compliance settings
• Content style preferences and tone settings
• Saved prompts and generation configurations

Legal Basis: Contract performance for personalized service delivery

3.4 Third-Party AI Provider Data

Anthropic Claude:

• Our Retention: 90 days for generation logs
• Anthropic's Retention: Per Anthropic's data retention policy
• User Control: Contact us to request deletion from third-party systems

OpenAI (when applicable):

• Our Retention: 90 days for generation logs
• OpenAI's Retention: Per OpenAI's data retention policy
• User Control: Contact us to request deletion from third-party systems

Note: We do not control third-party AI provider retention. We will assist with deletion requests where possible.

4. Affiliate Marketing and Performance Data

4.1 Affiliate Link Data

Retention Period: 3 years from last use

Data Types:

• Generated affiliate links and network associations
• Link performance metrics and click-through data
• Commission tracking information (where available)
• Compliance and disclosure tracking

Legal Basis: Legitimate interest for service improvement and compliance monitoring

4.2 Network Integration Data

Retention Period: For the duration of active integration + 2 years

Data Types:

• Affiliate network API credentials (encrypted)
• Network-specific settings and preferences
• Integration configuration and status
• Performance analytics and reporting data

Purpose: Service delivery and performance optimization

4.3 Compliance and Moderation Data

Retention Period: 5 years

Data Types:

• Content moderation flags and reviews
• Compliance check results and recommendations
• Affiliate disclosure tracking and verification
• Regulatory compliance monitoring data

Legal Basis: Legal obligation and legitimate interest for regulatory compliance

Rationale: Potential regulatory audits and compliance verification

5. Payment and Subscription Data

5.1 Stripe Payment Data

Retention Period: Managed by Stripe according to their retention policy (typically 7+ years)

Data Types:

• Payment methods and transaction history
• Billing information and invoices
• Dispute and chargeback records
• Customer identification and verification data

Note: We do not store credit card information directly

5.2 Subscription Records

Active Subscriptions: Retained for the duration of the subscription

Cancelled Subscriptions: 7 years for tax and accounting compliance

Data Types:

• Subscription plan history and changes
• Billing cycle information and payment status
• Customer ID and account associations
• Upgrade/downgrade history and usage patterns

Legal Basis: Legal obligation for tax compliance

5.3 Subscription Events and Analytics

Retention Period: 3 years

Data Types:

• Webhook events and system notifications
• Subscription lifecycle events and state changes
• Payment failures and retry attempts
• Revenue analytics and billing metrics

Purpose: Billing dispute resolution, service improvement, and business analytics

5.4 Tax and Accounting Records

Retention Period: 7 years (Irish legal requirement)

Data Types:

• VAT records and tax calculations
• Invoice generation and payment records
• Currency conversion rates and calculations
• Revenue recognition and accounting data

Legal Basis: Legal obligation for tax and accounting compliance

6. System Logs and Security Data

6.1 Application and Performance Logs

Retention Period: 1 year

Data Types:

• Server logs and application performance metrics
• Error logs and exception tracking
• Database performance and optimization data
• API response times and system health metrics

Purpose: System monitoring, debugging, performance optimization, and capacity planning

6.2 Authentication and Security Logs

Retention Period: 6 months

Data Types:

• Login attempts (successful and failed)
• Session management and token lifecycle
• Multi-factor authentication events
• Password reset and security verification events

Purpose: Security monitoring, fraud prevention, and incident investigation

Legal Basis: Legitimate interest for security and fraud prevention

6.3 Security Incident Data

Retention Period: 5 years

Data Types:

• Security breach records and incident reports
• Threat detection and response data
• Forensic analysis and investigation records
• Remediation actions and security improvements

Purpose: Security incident management, legal compliance, and future threat prevention

6.4 Audit and Compliance Logs

Retention Period: 7 years

Data Types:

• Data access and modification logs
• Privacy rights exercise records
• Compliance monitoring and verification data
• Internal and external audit records

Legal Basis: Legal obligation and legitimate interest for compliance verification

7. Analytics and Business Intelligence

7.1 Usage Analytics

Retention Period: 2 years (aggregated data), 6 months (individual data)

Data Types:

• Feature usage patterns and user behavior
• Content generation frequency and preferences
• Platform performance and user experience metrics
• A/B testing results and optimization data

Legal Basis: Legitimate interest for service improvement

7.2 Google Analytics Data

Retention Period: 26 months (Google's default setting)

Data Types:

• Website traffic and user interaction data
• Content engagement and conversion metrics
• Demographics and interest data (anonymized)
• Acquisition and campaign performance data

User Control: Users can opt out via cookie settings or browser settings

7.3 Customer Support Analytics

Retention Period: 3 years

Data Types:

• Support ticket volume and resolution metrics
• Customer satisfaction scores and feedback
• Feature request tracking and prioritization
• Support team performance and training data

Purpose: Service quality improvement and customer experience optimization

8. Legal and Compliance Data

8.1 Legal Proceedings Data

Retention Period: Until resolution + 7 years

Maximum Retention: 15 years

Data Types:

• Legal notices and court documents
• Evidence and supporting documentation
• Settlement agreements and compliance orders
• Legal correspondence and attorney communications

Legal Basis: Legal obligation and legitimate interest for legal defense

8.2 Regulatory Compliance Data

Retention Period: As required by applicable regulations (typically 5-7 years)

Data Types:

• Regulatory reports and filings
• Compliance assessments and audit results
• Data protection impact assessments
• Breach notification records and responses

Legal Basis: Legal obligation for regulatory compliance

8.3 Intellectual Property Records

Retention Period: For the duration of protection + 7 years

Data Types:

• Trademark and copyright registrations
• License agreements and permissions
• Infringement notices and responses
• IP protection and enforcement records

8.4 Data Subject Rights Records

Retention Period: 3 years from resolution

Data Types:

• Privacy rights requests and responses
• Identity verification records
• Request processing logs and documentation
• Appeal and complaint records

Purpose: Demonstrating compliance with privacy laws and regulations

9. Backup and Recovery Data

9.1 Database Backups

Retention Period: 90 days

Frequency: Daily automated backups

Purpose: Disaster recovery and data restoration

Security: Encrypted and stored securely in EU data centers

9.2 Point-in-Time Recovery

Retention Period: 30 days

Purpose: Recovery from data corruption or accidental deletion

Scope: Transaction-level recovery capability

9.3 Archive Backups

Retention Period: 1 year for quarterly archives

Purpose: Long-term business continuity and historical reference

Legal Compliance: Subject to same deletion requirements as primary data

9.4 Backup Purging

• Automated Cleanup: Expired backups automatically deleted
• Account Deletion: Backups purged when account deletion is processed
• Legal Holds: Backups preserved during legal proceedings

10. Cross-Border Data Retention

10.1 EU Data Subjects

Primary Storage: EU data centers (Ireland, Germany)

Third-Party Processing: US-based AI providers with appropriate safeguards

Retention Compliance: GDPR Article 17 (Right to Erasure) compliance

10.2 US Data Subjects

California Residents: CCPA deletion rights honored

Data Residency: May be processed in EU or US facilities

Cross-Border Transfers: Standard Contractual Clauses where applicable

10.3 Other Jurisdictions

Local Laws: Compliance with applicable local data protection laws

Data Localization: Where required by local law

Transfer Mechanisms: Appropriate safeguards for international transfers

11. Data Deletion Process

11.1 User-Initiated Deletion

Account Deletion:

1. User requests account deletion through dashboard or email
2. 30-day grace period for account recovery
3. Automated deletion of personal data after grace period
4. Retention of legally required data per this policy

Content Deletion:

1. Individual content items deleted immediately upon request
2. Backup systems updated within 72 hours
3. Third-party systems notified for deletion where applicable

11.2 Automated Deletion

Scheduled Cleanup:

• Daily: Expired session tokens and temporary files
• Weekly: Expired logs and cache data
• Monthly: Inactive account notifications and cleanup
• Quarterly: Comprehensive data retention review

11.3 Legal Hold Procedures

When Applied: During legal proceedings or regulatory investigations

Scope: Relevant data preserved beyond normal retention periods

Documentation: Legal hold notices and scope documentation

Release: Data deletion resumed after legal hold lifted

12. Third-Party Data Retention Coordination

12.1 AI Content Providers

Anthropic Claude:

• Coordinate deletion requests with Anthropic
• Monitor Anthropic's retention policy changes
• Provide user notification of third-party retention

OpenAI (when applicable):

• Coordinate deletion requests with OpenAI
• Monitor OpenAI's retention policy changes
• Assist users with third-party deletion requests

12.2 Infrastructure Providers

Render (Hosting):

• Coordinate data deletion in hosting environment
• Ensure secure data wiping procedures
• Verify deletion completion and certification

Vercel (Frontend):

• Coordinate deletion of cached content
• Ensure CDN cache purging
• Verify global content removal

12.3 Analytics Providers

Google Analytics:

• User deletion requests forwarded to Google
• Coordinate data retention setting changes
• Provide opt-out mechanisms for users

13. Data Retention Exceptions

13.1 Legal Requirements

We may retain data beyond specified periods when:

• Required by law or court order
• Necessary for legal proceedings or investigations
• Subject to regulatory preservation requirements
• Part of ongoing compliance audits or reviews

13.2 Technical Limitations

Backup Systems: Data in backups may persist until next backup cycle

Third-Party Systems: Deletion dependent on third-party cooperation

Technical Constraints: Immediate deletion may not always be technically feasible

13.3 De-Identified Data

Aggregated Analytics: May be retained indefinitely when properly anonymized

Research Data: De-identified data for product improvement and research

Statistical Data: Business intelligence and trend analysis data

14. User Rights and Data Retention

14.1 Right to Erasure (GDPR Article 17)

EU users can request immediate deletion when:

• Personal data no longer necessary for original purpose
• User withdraws consent and no other legal basis exists
• Personal data unlawfully processed
• Deletion required for compliance with legal obligation

14.2 California Consumer Privacy Act (CCPA)

California residents have the right to:

• Request deletion of personal information
• Receive confirmation of deletion
• Be informed of any inability to delete (with reasons)

14.3 Retention Period Challenges

Users may challenge retention periods by:

• Contacting our Data Protection Officer
• Providing justification for early deletion
• Requesting review of retention necessity
• Appealing retention decisions through supervisory authorities

15. Data Retention Monitoring and Compliance

15.1 Regular Audits

Internal Audits: Quarterly reviews of retention compliance

External Audits: Annual third-party privacy and security assessments

Compliance Monitoring: Ongoing monitoring of retention policy adherence

15.2 Data Retention Metrics

Tracking: Volume of data retained by category and age

Reporting: Regular reports to management and DPO

Optimization: Continuous improvement of retention practices

15.3 Policy Updates

Review Schedule: Annual policy review and updates

Trigger Events: Legal changes, business changes, or incident findings

Change Management: Version control and communication of policy changes

16. Contact Information and Data Retention Requests

16.1 Data Retention Inquiries

General Questions: privacy@affiliateforge.com

Data Protection Officer: dpo@affiliateforge.com

Response Time: Within 48 hours for general inquiries

16.2 Deletion Requests

Email: dpo@affiliateforge.com

Subject Line: "Data Deletion Request"

Required Information: Account details and specific deletion scope

Processing Time: Within 30 days (subject to verification)

16.3 Retention Challenges

Appeal Process: Available for retention period disputes

Escalation: Supervisory authority contact information provided

Documentation: Detailed reasoning for retention decisions provided

16.4 Emergency Contact

Security Incidents: security@affiliateforge.com

Legal Matters: legal@affiliateforge.com

24/7 Availability: For urgent data protection matters

17. Compliance and Legal Framework

17.1 Applicable Laws

This policy complies with:

• GDPR (General Data Protection Regulation)
• CCPA (California Consumer Privacy Act)
• Irish Data Protection Acts
• Other applicable privacy laws

17.2 Industry Standards

• ISO 27001 security management principles
• SOC 2 Type II compliance preparation
• Industry best practices for SaaS data retention

17.3 Regular Updates

This policy is reviewed and updated to reflect:

• Changes in applicable law
• Regulatory guidance and enforcement actions
• Industry best practices and standards
• Business model and service changes