DATA RETENTION AND DELETION POLICY

Mindara

Last Updated: February 21, 2026


1. PURPOSE AND SCOPE

This Data Retention and Deletion Policy ("Policy") establishes the framework for how Mindara, LLC ("Mindara," "we," "us," or "our") retains, manages, and deletes user data collected through our AI-powered learning platform (the "Service").

1.1 Policy Objectives:

  • Retain data only as long as necessary for legitimate business purposes
  • Ensure compliance with legal and regulatory requirements
  • Protect user privacy and enable data deletion rights
  • Maintain data integrity and security throughout the retention lifecycle
  • Establish clear procedures for data deletion and disposal

1.2 Scope:

This Policy applies to all personal data and user-generated content collected through the Service, including but not limited to account information, learning activity, preferences, and communications.


2. DATA CATEGORIES AND RETENTION PERIODS

2.1 Account and Identity Data

Data Type:

  • Email address (required)
  • Name (optional)
  • Account credentials (encrypted passwords)
  • Account creation date
  • Last login date

Retention Period:

  • Active Accounts: Retained for the duration of account activity
  • Inactive Accounts: 30 days after account deletion request
  • Backup Systems: Up to 30 additional days in disaster recovery backups

Deletion Trigger:

  • User-initiated account deletion
  • Extended inactivity (if implemented in the future)
  • Termination for Terms of Service violations

2.2 Learning Activity and Progress Data

Data Type:

  • Selected topics and curricula
  • Lesson completion status and progress
  • Time spent on lessons
  • Learning goals and preferences
  • User notes and annotations
  • Quiz or assessment results (if applicable)
  • "Surprise Me" feature interactions

Retention Period:

  • Active Learning: Retained while account is active for progress tracking
  • Completed Curricula: Retained for account lifetime unless specifically deleted
  • After Account Deletion: 30 days for processing, then permanently deleted

Deletion Trigger:

  • User-initiated curriculum deletion
  • Account deletion
  • User request for specific activity deletion

2.3 Communication and Support Data

Data Type:

  • Email correspondence with support team
  • Feedback submissions
  • Survey responses
  • In-app notifications and communications
  • Newsletter subscriptions

Retention Period:

  • Support Communications: 3 years from last interaction
  • Feedback/Surveys: 2 years from submission
  • Newsletter Subscriptions: Until unsubscribe or account deletion

Deletion Trigger:

  • User request
  • Account deletion
  • Expiration of retention period
  • Unsubscribe from communications

2.4 Payment and Billing Data (When Applicable)

Data Type:

  • Tokenized payment information (not actual credit card numbers)
  • Billing address
  • Transaction history
  • Invoice records
  • Payment method tokens

Retention Period:

  • Transaction Records: 7 years for tax compliance and accounting purposes
  • Payment Tokens: Until payment method is removed or account deleted
  • Billing Address: Duration of active subscription plus 7 years

Deletion Trigger:

  • Account deletion (except records required by law)
  • Payment method removal
  • Legal retention period expiration

Legal Exception: Transaction records required for tax, accounting, or legal compliance will be retained for the full legal retention period (typically 7 years) even after account deletion.

2.5 Technical and Usage Data

Data Type:

  • Device information (type, OS, browser)
  • IP address (approximate location only)
  • Session data and authentication tokens
  • Usage patterns and analytics
  • Error logs and debugging information
  • Performance metrics

Retention Period:

  • Session Data: Duration of active session
  • Authentication Tokens: Until logout or token expiration
  • Usage Analytics: 24 months in identifiable form
  • Error Logs: 12 months
  • Aggregated Analytics: Indefinitely (anonymized)

Deletion Trigger:

  • Session termination
  • Token expiration
  • Retention period expiration
  • Account deletion (identifiable data only)

2.6 AI-Generated Content and Interactions

Data Type:

  • User inputs to AI systems
  • AI-generated lesson content
  • Content personalization data
  • AI interaction history

Retention Period:

  • User Inputs: Retained with learning activity data (see Section 2.2)
  • Generated Content: Retained in user account until deletion
  • Interaction Patterns: 24 months in identifiable form
  • Aggregated/Anonymized Data: Indefinitely for model improvement

Third-Party Processing: User inputs may be processed by third-party AI providers (Anthropic, OpenAI, Google), which maintain their own retention policies. We do not control third-party retention periods.

Deletion Trigger:

  • Curriculum or lesson deletion
  • Account deletion
  • User request for specific content deletion

2.7 Aggregated and Anonymized Data

Data Type:

  • De-identified usage statistics
  • Anonymized learning patterns
  • Platform performance metrics
  • Research data (cannot identify individuals)

Retention Period:

  • Indefinite: Once properly anonymized, this data cannot reasonably identify individuals and may be retained permanently

Legal Basis: Anonymized data falls outside the scope of personal data regulations once it can no longer be linked to an identifiable individual.


3. DATA DELETION PROCEDURES

3.1 User-Initiated Account Deletion

Request Methods: Users may request account deletion through:

  1. Account settings deletion feature
  2. Email to privacy@meetmindara.com
  3. Written request to company address

Processing Timeline:

  • Acknowledgment: Within 48 hours of request
  • Deletion Initiation: Within 30 days of verified request
  • Backup Purge: Within 30 days of deletion initiation
  • Completion Confirmation: Email sent upon completion

Verification Process:

  • Email confirmation required for deletion requests
  • Additional identity verification for email requests
  • Final confirmation prompt before irreversible deletion

3.2 What Gets Deleted

Immediately Deleted (within 30 days):

  • Account credentials and authentication data
  • Personal information (name, email)
  • Learning activity and progress data
  • User preferences and settings
  • User-generated content and notes
  • Payment tokens and methods

Retained for Legal Compliance:

  • Transaction records (7 years for tax purposes)
  • Records required by law or court order
  • Information necessary for ongoing disputes

Converted to Anonymized Form:

  • Usage patterns and analytics
  • Aggregated learning statistics
  • Platform improvement data

3.3 Selective Data Deletion

Users may request deletion of specific data without deleting their entire account:

Supported Deletions:

  • Individual curricula or lessons
  • Specific learning progress data
  • Communication preferences
  • Payment methods (while retaining transaction history)

Request Process: Contact privacy@meetmindara.com with your specific deletion request. We will process it within 30 days.

3.4 Third-Party Data Deletion

AI Providers: We process deletion requests for data stored in our systems. For data processed by third-party AI providers:

  • We cannot guarantee deletion from AI provider systems
  • Users should review AI provider privacy policies
  • We recommend users submit deletion requests directly to AI providers

Service Providers: We coordinate with service providers (database, hosting, analytics) to ensure complete deletion within agreed timelines.


4. DATA RETENTION JUSTIFICATIONS

4.1 Legal and Regulatory Compliance

We retain certain data to comply with:

  • Tax laws and accounting regulations (7-year retention)
  • Consumer protection laws
  • Anti-fraud and security regulations
  • Court orders and legal holds
  • Intellectual property protections

4.2 Operational Necessities

We retain data to:

  • Provide continuous service to active users
  • Track learning progress and personalization
  • Troubleshoot technical issues
  • Maintain platform security and prevent abuse
  • Improve AI content generation quality

4.3 User Experience and Service Quality

We retain data to:

  • Preserve learning history and achievements
  • Enable curriculum continuity
  • Personalize content recommendations
  • Provide consistent user experience across devices
  • Support feature development based on usage patterns

4.4 Legitimate Business Interests

We retain aggregated and anonymized data to:

  • Conduct research on learning effectiveness
  • Develop new features and improvements
  • Generate business intelligence
  • Demonstrate platform value to stakeholders

5. DATA SECURITY DURING RETENTION

5.1 Storage Security

Active Data:

  • Encrypted at rest and in transit
  • Access controls limiting employee access
  • Regular security audits and monitoring
  • Intrusion detection and prevention systems

Archived Data:

  • Encrypted storage with limited access
  • Separate from production systems
  • Regular integrity checks
  • Secure backup procedures

5.2 Access Controls

  • Role-based access for employees
  • Multi-factor authentication for sensitive systems
  • Audit logging of data access
  • Regular access reviews and revocations
  • Need-to-know principle enforcement

5.3 Disposal Procedures

When data reaches the end of its retention period:

  • Secure deletion using industry-standard methods
  • Overwriting or cryptographic erasure
  • Physical destruction of hardware when retired
  • Certificate of destruction for sensitive data
  • Verification of complete deletion

6. INACTIVE ACCOUNT HANDLING

6.1 Definition of Inactive Account

Currently, we do not automatically delete inactive accounts. An account is considered inactive if:

  • No login activity for 12 months
  • No engagement with learning content
  • No response to reactivation communications

6.2 Current Policy

During the beta phase, inactive accounts are retained indefinitely unless the user requests deletion.

6.3 Future Policy

We may implement automatic deletion of inactive accounts with:

  • Advance notice period (e.g., 90 days)
  • Multiple notification attempts
  • Option to preserve account with single login
  • Grace period for data export

Users will be notified before any automatic deletion policy takes effect.


7. DATA BREACH RESPONSE

7.1 Retention During Investigation

In the event of a data breach:

  • Affected data may be retained longer than normal periods
  • Retention necessary for forensic investigation
  • Compliance with breach notification requirements
  • Legal hold may prevent deletion

7.2 Post-Breach Actions

Following breach resolution:

  • Affected data reviewed for continued necessity
  • Unnecessary data deleted immediately
  • Enhanced security measures implemented
  • Retention policies re-evaluated

8. INTERNATIONAL CONSIDERATIONS

8.1 Multi-Jurisdictional Compliance

We maintain retention periods that comply with the most stringent applicable regulations, including:

  • GDPR (European Union): Right to erasure
  • CCPA (California): Right to deletion
  • Other U.S. state privacy laws
  • International data protection regulations

8.2 Data Localization

Data may be stored in multiple geographic locations. Deletion requests apply to all locations and copies.


9. TRANSPARENCY AND REPORTING

9.1 User Access to Retention Information

Users may request information about:

  • What data we hold about them
  • How long we will retain specific data
  • Justification for retention periods
  • Status of deletion requests

Contact privacy@meetmindara.com for retention inquiries.

9.2 Policy Reviews

This Policy is reviewed:

  • Annually for continued appropriateness
  • When legal requirements change
  • After significant platform changes
  • Following data breach or security incident

10. POLICY UPDATES

10.1 Modification Rights

We reserve the right to modify this Policy at any time to reflect:

  • Changes in legal requirements
  • Platform feature additions or changes
  • Enhanced privacy protections
  • Business practice evolution

10.2 Notification of Changes

Material changes will be communicated via:

  • Updated "Last Updated" date
  • Email notification to registered users
  • Prominent notice on the Service
  • Reasonable advance notice before implementation

10.3 User Rights

Following Policy changes:

  • Users may request account deletion if dissatisfied
  • Existing retention periods may be grandfathered
  • Users can opt out of new data collection practices

11. CONTACT INFORMATION

For Data Retention and Deletion Inquiries:

Email: privacy@meetmindara.com

Support: support@meetmindara.com

Response Time: We will respond to retention and deletion inquiries within 30 days.


12. RELATED POLICIES

This Policy should be read in conjunction with:

  • Mindara Privacy Policy
  • Mindara Terms of Service
  • Third-party AI provider privacy policies (Anthropic, OpenAI, Google)

ACKNOWLEDGMENT

This Policy forms part of our commitment to user privacy and data protection. By using the Service, you acknowledge this Policy governs how we retain and delete your data.


NOTES FOR ATTORNEY REVIEW:

Priority areas for legal review:

  1. Legal Retention Requirements: Section 2.4 - verify 7-year retention aligns with applicable tax/accounting laws
  2. GDPR Right to Erasure: Sections 3 and 4 - ensure legitimate grounds for retention are clearly articulated
  3. CCPA Deletion Rights: Section 3 - verify exception categories align with CCPA requirements
  4. Third-Party Deletion: Section 3.4 - assess liability for AI provider retention practices
  5. Inactive Account Policy: Section 6 - determine appropriate notification and grace periods
  6. Data Breach Retention: Section 7 - confirm alignment with breach notification laws

Suggested additions:

  • Specific retention schedule table for quick reference
  • Data minimization principles statement
  • Storage limitation justifications by data category
  • Retention period calculation methodology
  • Legal hold procedures for litigation
  • Records management responsibilities by role
  • Data inventory and classification system reference
  • Audit trail requirements for deletion activities

Compliance considerations:

  • GDPR Article 17: Right to erasure exceptions clearly stated
  • CCPA Section 1798.105: Deletion request verification procedures
  • SOX (if applicable): 7-year financial record retention
  • HIPAA (if health data): 6-year minimum retention
  • State laws: Varying retention requirements by jurisdiction
  • Industry standards: ISO 27001, NIST frameworks

Implementation requirements:

  • Automated retention period tracking system
  • Deletion request workflow and ticketing
  • Data classification and tagging in databases
  • Scheduled deletion jobs for expired data
  • Audit logs of deletion activities
  • User-facing retention period displays
  • Legal hold flag capabilities
  • Third-party DPA alignment on retention

Integration with systems:

  • Supabase data retention automation
  • Email service provider deletion coordination
  • AI provider data processing agreements
  • Backup system purge schedules
  • Analytics platform anonymization pipelines