Data Retention And Protection Policy

Purpose & Scope

This policy describes the categories of personal data Ekosistem App processes, retention periods, and the technical and organisational measures used to protect that data. It is consistent with our Privacy Policy and the GDPR.

Data Categories & Retention

Personal data is retained no longer than necessary for the purpose for which it was collected:

• Account profile (name, email, bio, avatar) — kept while the account is active; deleted within 30 days of account closure.
• Authentication tokens (refresh, magic-link) — short-lived; refresh ≤ 7 days, magic-link ≤ 15 minutes.
• Posts, comments, messages — retained while the ecosystem exists; users may delete their content at any time.
• Uploaded media on R2 — kept while referenced; orphan objects pruned periodically.
• Audit and moderation records — retained for accountability for up to 2 years unless legal requirements differ.
• Operational logs — retained per Log Management policy and provider defaults; PII fields scrubbed at source.

Technical & Organisational Measures

Personal data is protected through the following measures:

• Transit encryption (TLS) for all client-server and database connections.
• At-rest protection through managed providers (Supabase, R2) using their encryption defaults.
• Strict access controls: invite-only platform, role hierarchy, and ecosystem membership checks on every endpoint.
• Per-user export and deletion flows backed by audit logging.
• Data Processing Agreements with sub-processors that handle personal data on our behalf.

Data Subject Rights

Users may exercise the following rights at any time:

• Access — request a copy of personal data held about them.
• Rectification — correct inaccurate or incomplete personal data.
• Erasure — delete their account; personal data is permanently removed within 30 days.
• Portability — export their data in a machine-readable format.
• Restriction & objection — limit certain processing or object to specific uses where allowed by law.

Review & Contact

This policy is reviewed annually and following any change to data flows or sub-processors. Data-protection requests can be sent to developer@plademy.com.