Data retention schedule
MindSafe retains personal data only for as long as is necessary to deliver the service, meet our legal obligations, or support legitimate aggregate analysis where re-identification is no longer possible. This page sets out the retention windows we apply by category. It complements the privacy policy and the privacy lifecycle.
Retention principles
Three principles govern how we set retention windows. First, identifiable data is kept for the shortest period that still allows the employee to act on it through their personal dashboard. Second, beyond that period, the link between an employee and their historical responses is severed; aggregate signals may persist, but the identity is removed. Third, audit records of erasure and other lifecycle events are kept in append-only form so that compliance with data subject rights can be demonstrated without retaining the underlying personal data.
Schedule by category
| Category | Retention | Action at end of period |
|---|---|---|
| Pulse responses (identifiable) | 90 days from response | Identifier link severed; response retained in anonymised aggregate form. |
| Pulse responses (anonymised aggregate) | 36 months | Deleted unless extended for a documented analytical purpose under the DPA. |
| Employee identity record | Duration of employment + 30 days | Permanently deleted on offboarding or on employee erasure request. |
| Personal dashboard tokens | Until token expiry, typically 30 days | Expired automatically; cannot be replayed or re-issued. |
| HR and manager account credentials | Duration of role + 12 months | Account deactivated and personal data deleted. |
| Authentication session data | Until session expiry, maximum 14 days | Invalidated automatically. |
| Email delivery and open events | 13 months | Deleted from logs. |
| Application and security logs | 13 months | Deleted; rotated continuously. |
| Audit log of lifecycle events (append-only) | 7 years | Retained without identity to evidence GDPR compliance. |
| Support communications | 24 months from last interaction | Deleted unless required to defend a legal claim. |
| Backups | 30 days, point-in-time | Rotated automatically; erasure requests propagate within the retention window. |
| Billing and contract records | 7 years from end of contract | Retained to meet Australian and EU statutory record-keeping obligations. |
Erasure on request
An employee may erase their identity from MindSafe at any time directly from their personal dashboard. Erasure is a single, audited operation that removes the identity record, severs links to historical responses, invalidates outstanding tokens, and stops future pulse delivery. Anonymised aggregate signals remain only where re-identification is not possible.
An HR administrator may also offboard an employee from the admin workspace. The effect is equivalent to an employee-initiated erasure for the affected record.
Erasure events propagate to backups within the standard 30-day backup rotation window. We do not restore from backups to reinstate erased identities.
Aggregate continuity after erasure
MindSafe maintains team-level aggregate signals after individual erasure to preserve continuity of long-running wellbeing trends. These aggregates are computed only above the five-respondent privacy floor and contain no field that can be used, alone or in combination, to re-identify the erased individual.
Sub-processor retention
Each of our sub-processors operates under its own retention regime, governed by the data processing agreement we hold with them. Where a customer initiates erasure, that erasure is propagated to relevant sub-processors. Backup retention at our database sub-processor follows the 30-day point-in-time window referenced above.
Statutory and contractual overrides
In limited circumstances we may retain personal data longer than the windows above where required by law (for example, to meet a tax or audit obligation), or where retention is necessary to establish, exercise, or defend legal claims. In such cases, the data is restricted to the minimum necessary and access is limited to named operators.
Reviewing this schedule
This schedule is reviewed at least annually and whenever a material change is made to the platform. Updates are reflected in the effective date of the privacy policy. Workspace administrators are notified in advance of material reductions to retention windows that affect their data.