Data Retention Policy
Platform: Viby
Effective Date: 28.07.2025
Last Updated: 28.07.2025
Scope: All data processed by Viby
Compliance: GDPR, Norwegian Personal Data Act, Norwegian Accounting Act
1. INTRODUCTION
This Data Retention Policy explains how long we keep different types of data and why. This policy is designed to comply with Norwegian and EU data protection laws while supporting the legitimate business and legal needs of our platform.
1.1 Policy Objectives
- Legal Compliance: Meet Norwegian and EU data protection requirements
- Data Minimization: Keep data only as long as necessary
- User Rights: Support user rights to deletion and data portability
- Business Continuity: Maintain necessary data for platform operations
- Security: Protect data throughout its lifecycle
1.2 Legal Framework
This policy complies with:
- GDPR Article 5(1)(e): Storage limitation principle
- Norwegian Personal Data Act: Norwegian-specific requirements
- Norwegian Accounting Act: Financial record retention
- Norwegian Archive Act: Public record requirements (if applicable)
2. DATA CATEGORIES AND RETENTION PERIODS
2.1 User Account Data
Basic Account Information
| Data Type | Retention Period | Legal Basis | Deletion Trigger |
|---|---|---|---|
| Name, Email | Account lifetime + 30 days | Contract | Account deletion request |
| Encrypted Phone Number | Account lifetime + 30 days | Consent | Consent withdrawal or account deletion |
| Encrypted Date of Birth | Account lifetime + 30 days | Legal obligation | Account deletion (age verification records may be retained) |
| Hashed Passwords | Account lifetime | Contract | Account deletion or password change |
| Account Creation Date | Account lifetime + 6 years | Legal obligation | Business record retention requirements |
Profile Information
| Data Type | Retention Period | Legal Basis | Deletion Trigger |
|---|---|---|---|
| Display Name, Bio | Account lifetime + 30 days | Contract | User deletion or account closure |
| School, Graduation Year | Account lifetime + 30 days | Contract | Profile update or account deletion |
| Encrypted Location | Account lifetime + 30 days | Consent | Consent withdrawal or account deletion |
| Profile/Cover Images | Account lifetime + 90 days | Contract | User deletion or account closure |
| Social Links | Account lifetime + 30 days | Contract | User deletion or account closure |
2.2 Content Data
User-Generated Content
| Data Type | Retention Period | Legal Basis | Deletion Trigger |
|---|---|---|---|
| Posts (Text) | Until user deletion | Contract | User deletes post or account |
| Comments | Until user deletion | Contract | User deletes comment or account |
| Images/Videos | Until user deletion + 90 days | Contract | User deletion (90 days for backup recovery) |
| Poll Votes | 2 years | Legitimate interest | Automatic deletion after 2 years |
| Likes/Reactions | Until content deletion | Contract | Content or account deletion |
| Shares | Until content deletion | Contract | Content or account deletion |
Content Metadata
| Data Type | Retention Period | Legal Basis | Deletion Trigger |
|---|---|---|---|
| Creation Timestamps | Content lifetime + 1 year | Legitimate interest | Content deletion + retention period |
| Edit History | Content lifetime + 1 year | Legitimate interest | Content deletion + retention period |
| View Counts | 2 years | Legitimate interest | Automatic deletion |
| Engagement Statistics | 2 years | Legitimate interest | Automatic deletion |
2.3 Communication Data
Platform Communications
| Data Type | Retention Period | Legal Basis | Deletion Trigger |
|---|---|---|---|
| Direct Messages | Until deletion by sender/recipient | Contract | User deletion |
| System Notifications | 1 year | Legitimate interest | Automatic deletion |
| Email Communications | 3 years | Legal obligation | Business record requirements |
| Support Tickets | 3 years | Legal obligation | Support resolution + retention |
2.4 Technical and Analytics Data
Usage Analytics
| Data Type | Retention Period | Legal Basis | Deletion Trigger |
|---|---|---|---|
| Page Views (Anonymized) | 26 months | Consent | GDPR analytics limit |
| Session Data | 30 days | Legitimate interest | Session expiration |
| Device Information | 12 months | Legitimate interest | Annual cleanup |
| IP Addresses | 12 months | Legal obligation | Security/legal requirements |
| Error Logs | 6 months | Legitimate interest | Technical maintenance |
Security Data
| Data Type | Retention Period | Legal Basis | Deletion Trigger |
|---|---|---|---|
| Login Attempts | 12 months | Legitimate interest | Security monitoring |
| Failed Login Logs | 24 months | Legitimate interest | Security investigation |
| Security Incidents | 24 months | Legal obligation | Security compliance |
| Fraud Detection Data | 6 years | Legal obligation | Financial crime prevention |
2.5 Moderation and Safety Data
Content Moderation
| Data Type | Retention Period | Legal Basis | Deletion Trigger |
|---|---|---|---|
| Content Reports | 3 years | Legal obligation | Moderation compliance |
| Moderation Decisions | 3 years | Legal obligation | Appeal process support |
| Removed Content (Hash) | 5 years | Legal obligation | Prevent re-upload |
| Appeal Records | 5 years | Legal obligation | Legal compliance |
| Banned User Records | 5 years | Legitimate interest | Platform safety |
Safety and Compliance
| Data Type | Retention Period | Legal Basis | Deletion Trigger |
|---|---|---|---|
| Age Verification Records | 6 years | Legal obligation | Regulatory compliance |
| Audit Logs | 6 years | Legal obligation | Business record requirements |
| Legal Hold Data | Until hold lifted | Legal obligation | Court order/legal requirement |
| Law Enforcement Requests | 6 years | Legal obligation | Legal compliance |
2.6 Business and Financial Data
Financial Records (for premium features)
| Data Type | Retention Period | Legal Basis | Deletion Trigger |
|---|---|---|---|
| Payment Records | 7 years | Legal obligation | Norwegian Accounting Act |
| Invoice Data | 7 years | Legal obligation | Tax compliance |
| Subscription History | 7 years | Legal obligation | Financial record keeping |
| Refund Records | 7 years | Legal obligation | Accounting requirements |
Business Records
| Data Type | Retention Period | Legal Basis | Deletion Trigger |
|---|---|---|---|
| User Registration Logs | 6 years | Legal obligation | Business compliance |
| Platform Usage Statistics | 5 years | Legitimate interest | Business planning |
| Performance Metrics | 3 years | Legitimate interest | Technical optimization |
3. AUTOMATED DELETION PROCEDURES
3.1 Scheduled Cleanup Jobs
Daily Cleanup
- Expired Sessions: Delete sessions older than 30 days
- Temporary Files: Remove upload staging files older than 24 hours
- Failed Uploads: Clean up incomplete upload attempts
- Cache Cleanup: Remove expired cache entries
Weekly Cleanup
- Inactive Invitations: Remove crew invitations older than 7 days
- Expired Tokens: Delete expired password reset tokens
- Temporary Backups: Clean up short-term backup files
- Log Rotation: Archive and compress older log files
Monthly Cleanup
- Inactive Accounts: Flag accounts inactive for 12+ months
- Orphaned Files: Remove files no longer referenced in database
- Analytics Aggregation: Process and anonymize detailed analytics data
- Security Audit: Review and clean up security logs
Annual Cleanup
- Deep Data Review: Comprehensive review of all data categories
- Legal Compliance Audit: Ensure retention periods are followed
- Policy Updates: Review and update retention periods if needed
- Archive Creation: Create long-term archives for required data
3.2 User-Triggered Deletion
Account Deletion Process
- Immediate Actions (within 24 hours):
  - Disable account access
  - Remove public profile visibility
  - Stop data processing for marketing purposes
- 30-Day Grace Period:
  - Account marked for deletion
  - User can restore account within 30 days
  - Essential data maintained for restoration
- Final Deletion (after 30 days):
  - Permanently delete user data (except legally required records)
  - Remove from all backups within 90 days
  - Anonymize any remaining data
Content Deletion Process
- User Deletion Request:
  - Content immediately removed from public view
  - Content marked for deletion in database
- Backup Cleanup (within 90 days):
  - Remove from all backup systems
  - Update data export capabilities
- Metadata Handling:
  - Anonymize engagement statistics
  - Maintain aggregated analytics (anonymized)
4. DATA EXPORT AND PORTABILITY
4.1 User Data Export
Available Export Formats
- JSON: Machine-readable format for data portability
- CSV: Spreadsheet format for easy viewing
- PDF: Human-readable format for review
- ZIP Archive: Complete data package with media files
Export Contents
- Profile Data: All profile information and settings
- Content Data: Posts, comments, and uploaded media
- Social Data: Connections, likes, and interactions
- Account Data: Account history and preferences
- Metadata: Creation dates, edit history (where applicable)
Export Process
- Request Submission: User submits export request
- Identity Verification: Confirm user identity for security
- Data Compilation: Gather data from all relevant systems
- Export Generation: Create downloadable package
- Secure Delivery: Provide secure download link
- Link Expiration: Download link expires after 7 days
4.2 Data Transfer Services
Third-Party Integration
- Direct Transfer: Support for data transfer to compatible platforms
- API Access: Programmatic access to user data (with consent)
- Standard Formats: Use industry-standard formats for compatibility
- Transfer Verification: Confirm successful data transfer
5. BACKUP AND ARCHIVAL PROCEDURES
5.1 Backup Retention
Active Backups
- Daily Backups: 30 days retention
- Weekly Backups: 12 weeks retention
- Monthly Backups: 12 months retention
- Quarterly Backups: 4 quarters retention
Long-Term Archives
- Annual Archives: 7 years retention (for legal compliance)
- Legal Hold Archives: Until legal hold released
- Disaster Recovery: Geographically distributed backups
- Encryption: All backups encrypted at rest and in transit
5.2 Archive Management
Archive Creation
- Automated Scheduling: Regular archive creation process
- Data Verification: Ensure archive integrity and completeness
- Metadata Tracking: Track what data is archived and when
- Access Controls: Restricted access to archived data
Archive Retrieval
- Legal Requests: Process for retrieving archived data for legal purposes
- User Requests: Limited retrieval for user rights requests
- Business Continuity: Disaster recovery procedures
- Audit Trails: Log all archive access and retrieval
6. SPECIAL CIRCUMSTANCES
6.1 Legal Hold Procedures
When Legal Holds Apply
- Court Orders: Compliance with judicial orders
- Law Enforcement Requests: Legitimate law enforcement investigations
- Regulatory Investigations: Data protection authority investigations
- Civil Litigation: When platform is party to legal proceedings
Legal Hold Process
- Hold Notification: Legal team notifies relevant staff
- Data Identification: Identify all relevant data sources
- Preservation: Stop all automatic deletion for identified data
- Documentation: Document hold scope and duration
- Monitoring: Ongoing monitoring of hold compliance
- Release: Formal release process when hold is lifted
6.2 Regulatory Investigations
Data Protection Authority Requests
- Immediate Preservation: Stop deletion of relevant data
- Cooperation: Provide requested data in specified format
- Documentation: Maintain records of all interactions
- Legal Review: Ensure compliance with legal obligations
6.3 Emergency Procedures
Data Breach Response
- Evidence Preservation: Preserve forensic evidence
- Extended Retention: Temporarily extend retention for investigation
- Notification Compliance: Meet regulatory notification requirements
- Recovery Planning: Plan for data recovery and system restoration
7. USER RIGHTS AND CONTROL
7.1 User Deletion Rights
Individual Content Deletion
- Self-Service: Users can delete their own content at any time
- Immediate Effect: Content removed from public view immediately
- Backup Cleanup: Removed from backups within 90 days
- Metadata Handling: Associated metadata anonymized or deleted
Account Deletion
- Complete Deletion: Option to delete entire account and all data
- Grace Period: 30-day period to restore account
- Data Export: Option to export data before deletion
- Confirmation: Multiple confirmation steps to prevent accidental deletion
7.2 Data Access Rights
Data Access Requests
- Response Time: 30 days maximum (GDPR requirement)
- Free of Charge: No fee for reasonable requests
- Identity Verification: Secure verification process
- Comprehensive Response: All personal data in understandable format
Data Correction Rights
- Self-Service: Users can correct most data themselves
- Assisted Correction: Support for complex corrections
- Verification: Verify accuracy of corrections
- Propagation: Ensure corrections apply to all relevant systems
8. MONITORING AND COMPLIANCE
8.1 Retention Monitoring
Automated Monitoring
- Retention Tracking: Automated tracking of data age
- Deletion Alerts: Alerts when data reaches retention limits
- Compliance Dashboards: Real-time compliance monitoring
- Exception Reporting: Reports on retention policy exceptions
Manual Reviews
- Quarterly Reviews: Manual review of retention compliance
- Policy Effectiveness: Assessment of policy effectiveness
- Legal Updates: Review of changing legal requirements
- Process Improvements: Identify and implement improvements
8.2 Audit and Reporting
Internal Audits
- Annual Audits: Comprehensive annual retention audits
- Spot Checks: Random sampling of data retention compliance
- Documentation Review: Review of retention documentation
- Staff Training: Regular training on retention procedures
External Compliance
- Regulatory Reporting: Reports to data protection authorities
- Third-Party Audits: Independent audits of retention practices
- Certification Compliance: Maintain relevant certifications
- Legal Review: Regular legal review of retention practices
9. CONTACT AND REQUESTS
9.1 Data Retention Inquiries
General Questions:
- 📧 Email: kontakt@viby.no
- 📧 Subject: "Data Retention Question"
- 📧 Response Time: 5-7 business days
Data Deletion Requests:
- 📧 Email: kontakt@viby.no
- 📧 Subject: "Data Deletion Request"
- 📧 Response Time: 30 days maximum
9.2 Legal and Compliance
Legal Hold Notifications:
- 📧 Email: kontakt@viby.no
- 📧 Subject: "Legal Hold Notice"
- 📧 Response Time: 24 hours
Regulatory Inquiries:
- 📧 Email: kontakt@viby.no
- 📧 Subject: "Regulatory Compliance"
- 📧 Response Time: 3-5 business days
10. POLICY UPDATES
10.1 Review and Updates
Regular Reviews
- Annual Review: Comprehensive annual policy review
- Quarterly Checks: Quarterly compliance checks
- Legal Updates: Updates based on legal changes
- Technology Changes: Updates based on technical changes
Update Notifications
- Email Notification: Direct notification to users
- Platform Notices: Prominent notices on platform
- Version Control: Clear version numbering and change logs
- Effective Dates: Clear indication of when changes take effect
Document Version: 1.0
Effective Date: 28.07.2025
Next Review: 28.07.2026
Legal Compliance: GDPR Article 5(1)(e), Norwegian Personal Data Act, Norwegian Accounting Act
Key Principle: We keep your data only as long as necessary for the purposes for which it was collected, and no longer. You have the right to deletion, and we provide clear, automated processes to honor those rights while meeting our legal obligations.
Questions? For data retention questions, contact kontakt@viby.no. For deletion requests, use the same email or the account deletion feature in your settings.