
Data Retention Policy

Effective date: 2026-06-01
Version: retention_v2

Pilotium - Data Retention Policy

This Policy specifies how long Digital Technologies OÜ (operating under the trading name "Pilotium") retains each category of personal data processed in connection with the Pilotium service, in accordance with Article 5(1)(e) of the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the applicable national laws of the Republic of Estonia and the Kingdom of Spain.

Where a legal obligation requires a longer retention period than the operational period stated below, only the personal data strictly necessary to meet that obligation is retained for the longer period, segregated in a read-only store with access restricted to personnel administering the obligation ("blocking", in the sense of Recital 39 GDPR, Art. 32 LOPDGDD, and § 6 of the Estonian Personal Data Protection Act).

Each row below gives the data category, the retention period, the legal basis and the disposal mechanism.

Row 1 - Account data (gym owner identifiers, login credentials, role assignments)
  Retention period: Active period + 30 days
  Legal basis: Art. 6(1)(b) GDPR - performance of contract; closure grace window
  Disposal mechanism: Soft delete at T+0 (account closure); hard delete at T+30. Soft-deleted accounts are blocked from all processing other than restoration on data-subject request and legal hold.

Row 2a - Accounting source documents (invoices issued and received, receipts, wallet transactions, bank statements, contracts supporting an accounting entry)
  Retention period: 7 years from the end of the financial year in which the document was issued or recorded
  Legal basis: Art. 6(1)(c) GDPR; Raamatupidamise seadus § 12 (Estonia); Maksukorralduse seadus § 58 (Estonia); Código de Comercio art. 30 (Spain); Ley 37/1992 IVA art. 165 (Spain)
  Disposal mechanism: Quarantined to a read-only accounting store; hard delete after the year-end + 7-year anniversary.

Row 2b - Documents supporting tax credits, loss carry-forwards or deductions that may be offset in future tax periods
  Retention period: 10 years from the end of the financial year in which the credit was generated
  Legal basis: Art. 6(1)(c) GDPR; Ley 58/2003 art. 66 bis (Spain); Maksukorralduse seadus § 58 (Estonia, by extension for offsettable items)
  Disposal mechanism: Same regime as row 2a, with a 10-year retention flag.

Row 2c - Stripe payment-method tokens and saved-card metadata (last four digits, expiry, brand)
  Retention period: Until card removal by the customer + 30 days
  Legal basis: Art. 6(1)(b) GDPR - performance of contract; Art. 32 GDPR - security of processing. No tax basis; PAN data resides with Stripe under PCI DSS.
  Disposal mechanism: Token revocation at Stripe; audit log entry.

Row 3 - Restricted Accounts Register (entities subject to suspension or unpaid debt)
  Retention period: 5 years from registration, or until full settlement, whichever is earlier (aligned with Código Civil art. 1964.2 in Spain; permissible ceiling under Tsiviilseadustiku üldosa seadus § 146 in Estonia)
  Legal basis: Art. 6(1)(f) GDPR - legitimate interest in fraud and bad-debt prevention; Legitimate Interest Assessment under Art. 14 LOPDGDD documented and available to data subjects on written request. This register is an internal file and does not constitute a fichero común de información sobre solvencia patrimonial within the meaning of Art. 20 LOPDGDD. The right to object under Art. 21 GDPR applies and is assessed under Art. 21(1) (compelling legitimate grounds).
  Disposal mechanism: Hard delete on closure of the register entry.

Row 4 - WhatsApp conversation content (inbound and outbound messages, media references), including any historical conversation backfill received from Meta during initial Coexistence onboarding (up to 6 months prior to the onboarding date) [1]
  Retention period: 18 months from message timestamp (or, for backfilled history, from the date of receipt by Pilotium), then either (a) irreversibly anonymised by removal of all direct and indirect identifiers and aggregation to a level where re-identification is not reasonably likely (Recital 26 GDPR; EDPB Guidelines 01/2025), or (b) where the data subject has granted consent under Art. 6(1)(a) for AI-training purposes, retained in pseudonymised form for that purpose until consent is withdrawn
  Legal basis: Art. 6(1)(b) + (f) GDPR; Art. 6(1)(a) GDPR if AI-training consent is given
  Disposal mechanism: Cryptographic shredding of message-body PII; aggregate counters retained.

Row 5 - AI long-term memory (per-contact embeddings, retrieved facts, qualification state)
  Retention period: 18 months from last interaction; rebuilt on demand
  Legal basis: Art. 6(1)(b) GDPR - performance of contract; Art. 6(1)(f) GDPR - legitimate interest in system safety, abuse prevention and AI Act Art. 50 transparency record-keeping; balancing test documented in the LIA
  Disposal mechanism: Vector deletion + index purge.

Row 6 - Audit log (all access to personal data, all decryption events, all administrative actions, all significant AI-system events)
  Retention period: 7 years from event timestamp
  Legal basis: Art. 6(1)(f) GDPR - legitimate interest in information-security monitoring, incident response and demonstrable accountability under Art. 5(2) and Art. 32(1)(d); Art. 6(1)(c) GDPR for the subset evidencing accounting-record access (Raamatupidamise seadus § 12; Código de Comercio art. 30)
  Disposal mechanism: Append-only partitioned table; monthly partitions; cryptographically hash-chained partition boundaries; no UPDATE/DELETE at the application database role; partitions older than 7 years are dropped by a separate privileged role under dual control.

Row 7 - Consent events (every grant or withdrawal of consent, with text-version hash)
  Retention period: 7 years from event timestamp
  Legal basis: Art. 7(1) GDPR - burden of proof of consent; § 24 of the Estonian Personal Data Protection Act (IKS) and Art. 11 LOPDGDD (Spain) - transparency of retention basis
  Disposal mechanism: Append-only table; identical regime to the audit log.

Row 8 - Meta access tokens, refresh tokens, page tokens, and WhatsApp Business Account (WABA) credentials, including BISU tokens issued via Embedded Signup
  Retention period: Until revocation or disconnection + 30 days
  Legal basis: Art. 6(1)(b) GDPR; Art. 32 GDPR - security of processing
  Disposal mechanism: Immediate cryptographic shredding of the wrapped key on revocation; audit log entry retained.

Row 9 - Server logs (HTTP access, application errors, queue events)
  Retention period: 30 days
  Legal basis: Art. 6(1)(f) GDPR - security and incident response
  Disposal mechanism: Automatic log rotation.

Row 10 - Database backups (full and incremental)
  Retention period: 90 days
  Legal basis: Art. 32 GDPR - restoration capability
  Disposal mechanism: Encrypted at rest; stored in the EU (Hetzner Falkenstein); rotation policy enforced.

Row 11 - Anonymised analytics (aggregated usage, A/B test cohorts, campaign performance)
  Retention period: Indefinite
  Legal basis: Not personal data under Recital 26 GDPR
  Disposal mechanism: n/a

Row 12 - Marketing communications log (newsletter sends, transactional sends)
  Retention period: 24 months from send date
  Legal basis: Art. 6(1)(f) GDPR - service-quality monitoring and unsubscribe enforcement
  Disposal mechanism: Aggregation to monthly counters; recipient field cryptographically shredded.

Row 13 - Cookie consent records (preference state per device)
  Retention period: 12 months from last update, after which the cookie banner re-prompts
  Legal basis: Art. 7 GDPR + Art. 5(3) ePrivacy Directive 2002/58/EC
  Disposal mechanism: Cookie expiry; in-app record purged.

Row 14 - DSR request register (Arts. 15-22 requests received, verification artefacts, response copies)
  Retention period: 3 years from closure
  Legal basis: Art. 6(1)(c) GDPR (Art. 12(3)-(4) record-keeping obligation); Art. 6(1)(f) GDPR (defence of legal claims)
  Disposal mechanism: Soft delete at T+0; hard delete at the 3-year anniversary.

[1] The 6-month historical backfill applies only where the gym onboards via WhatsApp Coexistence; cf. the Sub-processor Disclosure for the WhatsApp-platform entities involved.

Records of Processing (Art. 30 GDPR)

Pilotium maintains its Record of Processing Activities (controller register, Art. 30(1)) and Record of Processing on behalf of Controllers (processor register, Art. 30(2)) for the lifetime of the relevant processing activity plus 3 years after cessation. Records are kept bilingually (English + Spanish; Estonian on demand).

Erasure under the Right to be Forgotten (Art. 17 GDPR)

Where a data subject exercises the right to erasure, Pilotium applies a two-stage process:

  1. Soft delete (T+0): the data subject's personal identifiers are flagged as deleted across all production tables; outbound communications are blocked; access is restricted to incident-response personnel only.
  2. Hard delete (T+30 days): all personal identifiers are irreversibly removed from production tables; audit-log entries referencing the data subject are pseudonymised by replacing the personal identifier with an HMAC-SHA-256 keyed hash, where the key is held by Pilotium's security team in a key-management facility not co-located with the audit log. This transformation is pseudonymisation within the meaning of Art. 4(5) GDPR, not anonymisation, because the underlying identifier could in principle be re-derived by a party holding the key. Backups containing the data continue to exist until natural expiry under row 10 above, after which the data is unrecoverable.

The 30-day window may be shortened on written request from the data subject; it may not be unilaterally extended by Pilotium. Where the data subject's request affects records held under row 2a, 2b or 6, Pilotium will not erase the records during the statutory retention period; instead it will block the records under Art. 17(3)(b) GDPR and Art. 32 LOPDGDD (Spain) / IKS § 6 (Estonia), so that the records remain accessible solely for the purpose of fulfilling the relevant tax, accounting or accountability obligation, and are then deleted on the next end-of-period purge.
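The two mechanisms that interact here, the hash-chained monthly partitions of row 6 and the stage-2 replacement of a subject's identifier with an HMAC-SHA-256 pseudonym, are worked through below in Python as an added example. This is not Pilotium's code: the audit rows, the key and the partition layout are constructed for illustration, and the decision to compute each partition digest over the keyed pseudonym of the subject rather than the clear identifier (so that the stage-2 rewrite leaves every existing chain digest valid) is a design choice of this example that the policy itself does not state.

```python
import hashlib
import hmac
import json

# Constructed sample data (not from any real system): rows in two monthly
# partitions of an append-only audit log. "user:4711" later exercises erasure.
PARTITIONS = {
    "2026-05": [
        {"event_id": 1, "ts": "2026-05-03T09:12:00Z", "subject": "user:4711", "action": "decrypt:message_body"},
        {"event_id": 2, "ts": "2026-05-03T09:14:00Z", "subject": "user:4711", "action": "admin:export"},
        {"event_id": 3, "ts": "2026-05-20T18:00:00Z", "subject": "user:9000", "action": "login"},
    ],
    "2026-06": [
        {"event_id": 4, "ts": "2026-06-01T08:00:00Z", "subject": "user:4711", "action": "dsr:erasure_request"},
    ],
}

# Marks a subject field that has already been replaced by its pseudonym.
PSEUDONYM_PREFIX = "pseud:"


def pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA-256 of a personal identifier under a key the log store never holds.
    Deterministic per key, so rows of one subject stay linkable after erasure."""
    return PSEUDONYM_PREFIX + hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def subject_commitment(row: dict, key: bytes) -> str:
    """Value the chain commits to for a row's subject: the keyed pseudonym, or the
    stored value if the row has already been pseudonymised at hard delete."""
    s = row["subject"]
    return s if s.startswith(PSEUDONYM_PREFIX) else pseudonym(s, key)


def partition_digest(rows: list, prev_digest: str, key: bytes) -> str:
    """Digest of one partition, chained to the previous partition's digest.
    Rows are canonicalised with the subject replaced by its commitment, so the
    digest does not change when the clear identifier is swapped out later."""
    h = hashlib.sha256(prev_digest.encode("ascii"))
    for row in rows:
        canon = {**row, "subject": subject_commitment(row, key)}
        h.update(json.dumps(canon, sort_keys=True, separators=(",", ":")).encode("utf-8"))
    return h.hexdigest()


def chain(partitions: dict, key: bytes) -> dict:
    """Digest every partition in chronological order; the first chains to a fixed genesis string."""
    digests, prev = {}, "genesis"
    for name in sorted(partitions):
        prev = partition_digest(partitions[name], prev, key)
        digests[name] = prev
    return digests


def verify_chain(partitions: dict, digests: dict, key: bytes) -> bool:
    """True if recomputing the chain reproduces the recorded partition digests."""
    return chain(partitions, key) == digests


def hard_delete_subject(partitions: dict, identifier: str, key: bytes) -> dict:
    """Stage 2 of erasure: replace every stored occurrence of the identifier with
    its pseudonym. Returns new partition contents; other subjects are untouched."""
    token = pseudonym(identifier, key)
    return {
        name: [({**r, "subject": token} if r["subject"] == identifier else r) for r in rows]
        for name, rows in partitions.items()
    }


def rows_for_subject(partitions: dict, identifier: str, key: bytes) -> list:
    """Re-identification query that only a key holder can run: rows whose stored
    subject is the clear identifier or matches HMAC(key, identifier)."""
    token = pseudonym(identifier, key).encode("ascii")
    return [
        r for rows in partitions.values() for r in rows
        if r["subject"] == identifier or hmac.compare_digest(r["subject"].encode("utf-8"), token)
    ]


if __name__ == "__main__":
    key = bytes.fromhex("00" * 31 + "01")  # placeholder; a real key lives in a separate KMS
    digests = chain(PARTITIONS, key)
    after = hard_delete_subject(PARTITIONS, "user:4711", key)
    print("chain valid after hard delete:", verify_chain(after, digests, key))
    print("rows recoverable with key:", len(rows_for_subject(after, "user:4711", key)))
    print("rows recoverable without key:", len(rows_for_subject(after, "user:4711", b"x" * 32)))
```

Two points follow from running it. First, pseudonymisation preserves linkability: events 1, 2 and 4 still share one token, which is exactly why the policy classes the result as Art. 4(5) pseudonymisation rather than anonymisation. Second, because the policy denies UPDATE to the application database role, the stage-2 rewrite presumably has to run under the same separated privileged role that drops expired partitions; this example returns new row contents and leaves that write path to the caller.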

Restored data after a backup restore

If a backup taken before a hard-delete is restored for incident-response purposes, any personal data of subjects who exercised erasure between the backup date and the restore date is re-deleted within 24 hours of the restore and an audit-log entry is recorded. During the period between restore and re-deletion the restored data is processed solely for the purpose that justified the restore; no other processing operations are performed against it.

Annual review

This Policy is reviewed annually and on any material change to Estonian or Spanish accounting, tax, or data-protection law. Prior versions are retained in the audit log under row 6 above.