VelisAds Network

Data Retention Policy

Effective date: February 17, 2026 | Version: 2026.02-global

This Data Retention Policy defines how operational, financial, privacy, and security records are retained, archived, and securely deleted across VelisAds Network systems.

Retention periods must align with legal obligations, contractual duties, and operational necessity.

Scope and Applicability

  1. Applies to account data, traffic logs, reports, payment records, and audit evidence.
  2. Applies to structured databases, file storage, logs, backups, and exports.
  3. Applies to production and non-production systems containing real or regulated data.
  4. Applies to subprocessors handling retention tasks under contractual obligations.
  5. Applies to legal hold and regulator preservation requests.
  6. Applies to full lifecycle from collection through secure destruction.

Mandatory Requirements

Retention Schedule Management

  • Every dataset must have a documented retention period and business rationale.
  • Retention periods must satisfy legal, tax, and contractual requirements.
  • Indefinite retention is not allowed without explicit legal justification.
  • Retention catalogs must be reviewed by data owners and compliance teams.

Deletion and Anonymization

  • Expired records must be removed or anonymized using controlled workflows.
  • Deletion jobs must generate auditable completion evidence.
  • Anonymization must prevent practical re-identification in normal use.
  • Catch-up cleanup must run after prolonged processing interruptions.

Backup and Legal Hold Handling

  • Backups with regulated data must follow defined retention windows.
  • Legal holds must be scoped, documented, and reviewed periodically.
  • Released legal holds should trigger controlled post-hold deletion.
  • Archive access must enforce least privilege and full auditability.

Prohibited Practices

  1. Retaining expired data in active systems without legal necessity.
  2. Deleting records that are subject to active legal hold.
  3. Maintaining hidden shadow datasets outside approved inventories.
  4. Restoring expired records to production without retention revalidation.
  5. Destroying security or compliance evidence required for investigations.
  6. Using unapproved tools for mass deletion of critical records.
  7. Exposing archived sensitive data without proper access control.
  8. Disabling lifecycle jobs to avoid policy enforcement.

Governance, Monitoring, and Enforcement

  1. Data owners are accountable for retention mapping and classification quality.
  2. Lifecycle automation health is monitored with failure alerts.
  3. Legal holds are tracked in a central register with owner and release status.
  4. Internal audits validate both retained and deleted record samples.
  5. Vendor contracts must include return or deletion obligations.
  6. Deletion evidence is retained to demonstrate policy execution quality.
  7. Material deviations require documented risk acceptance and remediation plan.
  8. Policy updates are versioned and announced with effective dates.

Global Source Links and Standards

  1. EU GDPR Regulation (EU) 2016/679
  2. California Privacy Protection Agency (CPPA)
  3. NIST Privacy Framework
  4. NIST SP 800-88 Media Sanitization
  5. ISO 15489 Records Management
  6. ISO/IEC 27701
  7. ICO UK GDPR Guidance
  8. OECD Privacy Framework