DATA RETENTION SUMMARY
Cognitiva Systems Inc.
Public Disclosure
Last Updated: 15 April 2026
INTRODUCTION
This document provides a summary of how long Cognitiva Systems Inc. ("Cognitiva," "we," "us," or "our") retains different categories of personal data.
Full Policy: Our complete Data Retention and Deletion Policy is maintained internally and governs operational procedures. This summary provides transparency for our users.
Legal Framework:
- GDPR Article 5(1)(e): Storage limitation principle
- CCPA: Supports right to deletion
- Industry best practices
RETENTION PRINCIPLES
Core Principles
Data Minimization: We retain personal data only as long as necessary for legitimate purposes.
Purpose Limitation: When original purpose is fulfilled, data is deleted or anonymized.
Legal Compliance: Some data must be retained to comply with legal obligations (tax, AML, etc.).
Transparency: We inform you of retention periods and provide mechanisms to request deletion.
RETENTION PERIODS BY CATEGORY
Account and Profile Data
Active Accounts:
- Retention: Duration of account plus 90 days
- Data: Name, email, company, profile information
- Reason: Service delivery, support, legitimate business interests
Inactive Accounts:
- Retention: 3 years of inactivity, then deleted
- Definition: No login, no API usage, no active subscription
- Notice: Email warning at 2 years, 30 days before deletion
Deleted Accounts:
- Retention: 90-day grace period (for accidental deletion recovery)
- After 90 Days: Permanent deletion
- Exception: Financial records retained 7 years (see below)
Campaign Execution Data
In-Platform Campaign Data:
- During Campaign: Retained indefinitely while account active
- Client Control: Clients determine retention in their workspace
- Post-Deletion: 90 days after account deletion (grace period)
Campaign Metadata:
- Retention: 2 years post-campaign completion
- Data: Campaign dates, participants (IDs only), workflow events
- Reason: Support, dispute resolution, analytics
Anonymized Campaign Data:
- Retention: Indefinite
- Status: No longer personal data (GDPR Recital 26)
- Use: AI model training, benchmarking, data products
Financial and Payment Data
Payment Transaction Records:
- Retention: 7 years
- Data: Invoice history, payment amounts, dates, status
- Reason: Tax law (IRS), audit requirements, dispute resolution
- Legal Basis: Legal obligation (26 USC §6001)
Stripe Payment Data:
- Retention: Per Stripe's policies (we do not store card data)
- Data: Tokenized references only
- Control: Stripe as independent controller
Tax Documents:
- Retention: 7 years
- Data: W-9 forms, 1099 forms, tax IDs
- Reason: IRS requirements
Identity Verification Data
KYC/AML Data:
- Retention: 7 years after account closure
- Data: Government-issued IDs, verification records
- Reason: Anti-Money Laundering regulations, FinCEN requirements
- Legal Basis: Legal obligation (31 USC §5318)
Communication Data
Support Tickets:
- Retention: 3 years from ticket closure
- Data: Support conversations, attachments
- Reason: Support history, quality assurance, dispute resolution
Marketing Communications:
- Retention: Until opt-out or 2 years of inactivity
- Data: Email address, communication preferences
- Opt-Out: Immediate removal from active lists, suppression list retained indefinitely
Transactional Emails:
- Logs: 30 days
- Content: Not retained (generated on-demand)
Technical and Usage Data
Application Logs:
- Retention: 90 days
- Data: Access logs, API requests, error logs
- Reason: Troubleshooting, security monitoring, performance optimization
Security Logs:
- Retention: 1 year
- Data: Authentication attempts, security events, access controls
- Reason: Security investigations, compliance audits
Aggregated Analytics:
- Retention: Indefinite
- Data: Anonymized usage statistics, performance metrics
- Status: No longer personal data
API Usage Data
API Request Logs:
- Retention: 30 days
- Data: Endpoint, timestamp, response codes, user ID
- Reason: Debugging, billing verification, rate limit enforcement
API Keys:
- Retention: Until revoked or account deleted
- Deletion: Immediate upon revocation
Backup Data
System Backups:
- Retention: 30 days (rolling)
- Automatic Deletion: Oldest backups overwritten
- Use: Disaster recovery only (not for individual data restoration)
Note: Personal data in backups subject to same retention as live data (backups eventually overwritten).
SPECIAL CIRCUMSTANCES
Legal Holds
When Applied:
- Litigation or regulatory investigation
- Government request or subpoena
- Internal investigation of ToS violations
Effect:
- Data preserved beyond standard retention period
- Deletion suspended until hold released
- Only affected data preserved (not entire account)
Release:
- When legal matter concludes
- Standard retention periods resume
Anonymization vs. Deletion
Anonymization (GDPR Recital 26):
- Data transformed to prevent re-identification
- No longer considered personal data
- Retained indefinitely for business purposes
Deletion:
- Complete removal of personal data
- Applied when anonymization not feasible or appropriate
- Secure deletion methods (overwriting, cryptographic erasure)
Decision Criteria:
- Data utility for anonymization vs. deletion
- Re-identification risk assessment
- Business need for anonymized insights
YOUR RIGHTS
Right to Deletion
GDPR (EEA/UK Residents):
- Request deletion of personal data
- We delete within 30 days (or explain exceptions)
- Exceptions: Legal obligations, legitimate interests with compelling grounds
CCPA (California Residents):
- Request deletion of personal data
- We delete within 45 days (or explain exceptions)
- Exceptions: Complete transaction, legal compliance, internal uses
How to Request:
Email: privacy@cognitiva.systems
Subject: "Deletion Request - [Your Email]"
Exceptions to Deletion
We may retain data when necessary for:
- Completing transactions
- Detecting/preventing fraud or security incidents
- Debugging and error correction
- Complying with legal obligations
- Internal uses aligned with your expectations
- Exercising free speech or research rights
Financial Records: Cannot be deleted during 7-year retention period (legal requirement).
DATA EXPORT
Before Deletion
Export Your Data: We provide data export in machine-readable format before deletion:
What You Can Export:
- Account information (JSON)
- Campaign data (CSV, JSON)
- Messages and communications
- Reports and analytics
How to Export:
- Account settings > Data Export
- API endpoint:
/v1/export - Email request: privacy@cognitiva.systems
Timeline:
- On-demand: Within 30 days
- Before deletion: Available during 90-day grace period
AUTOMATED DELETION
Scheduled Deletions
Daily:
- Expired logs (>90 days)
- Old backups (>30 days)
Weekly:
- Inactive session data
- Temporary files
Monthly:
- Expired API tokens
- Old notification data
Annually:
- Inactive accounts (3+ years, after warnings)
- Expired support tickets (3+ years)
Verification:
- Deletion logs maintained
- Audit trails preserved (metadata only, not deleted content)
CONTACT INFORMATION
Retention Questions
Phone: +1 302-217-6601
General Questions:
privacy@cognitiva.systems
Deletion Requests:
privacy@cognitiva.systems
Subject: "Deletion Request"
Data Export Requests:
privacy@cognitiva.systems
Subject: "Data Export Request"
DPO (EU Residents):
eu-datarights@cognitiva.systems
UPDATES
Review Frequency: At least annually
Last Updated: 15 April 2026
Notification: Material changes will be communicated via email 30 days in advance.
RELATED POLICIES
Full Privacy Policy: cognitiva.systems/legal/privacy-policy
Terms of Use: cognitiva.systems/legal/terms-of-use
Data Processing Agreement: Available for enterprise customers
QUICK REFERENCE TABLE
| Data Type | Retention Period | Reason |
|---|---|---|
| Active Account Data | Duration + 90 days | Service delivery |
| Inactive Accounts | 3 years | Business continuity |
| Campaign Data (Raw) | Client-controlled | Client ownership |
| Campaign Data (Anonymized) | Indefinite | No longer personal data |
| Financial Records | 7 years | Tax law (IRS) |
| KYC/AML Data | 7 years post-closure | AML regulations |
| Support Tickets | 3 years | Support history |
| Application Logs | 90 days | Troubleshooting |
| Security Logs | 1 year | Security monitoring |
| Backups | 30 days (rolling) | Disaster recovery |
END OF DATA RETENTION SUMMARY
Note: This is a public summary. Full operational procedures are maintained in our internal Data Retention and Deletion Policy.
Transparency Commitment: We believe users have a right to understand how long their data is retained.
Last Updated: 15 April 2026
Version: 1.0