Data Retention and Deletion Policy
Focura Legacy Organizers
Effective date: [To be set at launch]
Last reviewed: April 2026
Policy owner: Privacy Officer
Regulatory basis: PIPEDA Principle 5 (Limiting Use, Disclosure, and Retention), Quebec Law 25, anticipated CPPA
1. Purpose
This policy defines how long Focura retains personal information, when and how it is deleted, and how deletion requests are handled. It fulfils the obligation under PIPEDA Schedule 1, Principle 5: personal information shall be retained only as long as necessary for the fulfilment of the purposes for which it was collected.
Estate data presents a unique retention challenge. Unlike most SaaS products, the data may need to persist for decades — through the account holder’s lifetime and the subsequent estate administration period. This policy balances that reality against the legal requirement not to retain information indefinitely without purpose.
2. Scope
This policy applies to all personal information held by Focura, across all storage systems and formats, including:
- User account data (identity, authentication, preferences)
- Estate profile data (family, assets, liabilities, legal documents, distribution instructions)
- Health-related information (healthcare directives, medical contacts, MAID wishes)
- Digital asset credentials (passwords, keys, access instructions)
- Tell Your Story content (text, voice, video messages, heirloom records)
- Executor task data (checklists, progress, notes, correspondence records)
- Advisor/professional data (linked advisor profiles, access permissions)
- Platform usage data (logs, analytics, support interactions)
- Breach records
It applies regardless of whether the data was entered by the account holder, an authorized advisor, an executor, or uploaded via API.
3. Data Categories and Retention Periods
3.1 Active Accounts — Household (Testator)
| Data Category | Retention Period | Rationale |
|---|---|---|
| Estate profile data (family, assets, liabilities, will distribution, beneficiaries) | Duration of active subscription + grace period (see §4) | Core service delivery |
| Tell Your Story content (text, voice, video, heirloom records) | Duration of active subscription + grace period | Core service delivery |
| Health information (healthcare directives, medical contacts) | Duration of active subscription + grace period | Core service delivery; PIPEDA sensitive data |
| Digital credentials (passwords, keys, stored in zero-knowledge vault) | Duration of active subscription + grace period | Core service delivery; highest-sensitivity category |
| Account/identity data (name, email, billing) | Duration of active subscription + 12 months post-closure | Required for billing reconciliation, tax records, support of outstanding data portability requests |
Active account = subscription current, or within the grace period defined in §4.
3.2 Post-Death Transition — Estate Administration
When Focura is notified that an account holder has died:
| Data Category | Retention Period | Rationale |
|---|---|---|
| All estate profile data | Duration of estate administration + 3 years after estate closure confirmation | Executor needs continued access; 3-year buffer covers CRA clearance certificate timeline, potential litigation, and the limitation period for most estate-related claims in Ontario |
| Tell Your Story content | Duration of estate administration + 1 year after estate closure, or until beneficiaries confirm receipt — whichever is later | Delivery of messages to intended recipients must be completed before deletion |
| Executor task data (checklist progress, notes, correspondence records) | Duration of estate administration + 3 years after estate closure | May be required as evidence of executor diligence in passing of accounts or beneficiary disputes |
| Digital credentials | Deleted within 90 days of death notification, unless executor requests extended retention with documented purpose | Highest-risk category; no purpose served once executor has extracted needed access information |
Estate closure confirmation = executor provides written confirmation (email or in-platform) that estate administration is complete, or 7 years from date of death notification — whichever is earlier. The 7-year backstop prevents indefinite retention of orphaned accounts.
3.3 Advisor / Professional Accounts
| Data Category | Retention Period | Rationale |
|---|---|---|
| Advisor profile and credentials | Duration of active subscription + 12 months post-closure | Account reconciliation and audit trail |
| Access logs (which client data was accessed, when, by whom) | 7 years from date of access | Regulatory audit trail; mirrors CIRO record-keeping requirements for registrants; supports investigation of unauthorized access |
| Client linkage records (which advisor was linked to which household) | Duration of household account retention | Inseparable from household access history |
3.4 Platform Operations Data
| Data Category | Retention Period | Rationale |
|---|---|---|
| Application logs (errors, performance, debugging) | 90 days | Operational troubleshooting; no personal information should be in application logs by design |
| Security/audit logs (authentication events, permission changes, data exports) | 7 years | Security investigation, regulatory compliance, breach forensics |
| Breach records (PIPEDA Division 1.1 records) | 24 months minimum from date of breach determination | PIPEDA mandatory minimum; retain longer if breach is subject to investigation or litigation |
| Support interactions (tickets, chat transcripts) | 3 years from resolution | Consumer protection; dispute resolution |
| Anonymized/aggregated analytics | Indefinite | No personal information; used for product improvement and reporting |
3.5 Backup and Disaster Recovery Copies
Backup copies follow the same retention periods as the source data. When source data is deleted, corresponding backup copies are deleted within the next backup rotation cycle, not to exceed 90 days from source deletion. Backups are encrypted with the same standards as production data.
4. Subscription Lapse — Grace Period
When a household subscription lapses (non-renewal, failed payment, voluntary cancellation):
| Phase | Duration | What Happens |
|---|---|---|
| Grace period | 180 days (6 months) from lapse date | All data retained in full. Account is read-only (no edits). User can reactivate at any time to restore full access. Reminder notifications sent at 30, 90, and 150 days. |
| Export window | Final 30 days of grace period (days 150–180) | Prominent notification that data will be permanently deleted. Data export (download) available in structured format (JSON + PDF). |
| Deletion | Day 181 | All personal information permanently deleted per §6, except account/identity data retained for 12 months per §3.1. |
Rationale for 180 days: Estate data takes significant effort to compile. A short grace period risks permanent loss of irreplaceable information due to a missed credit card renewal. Six months is generous enough to prevent accidental loss while not retaining data indefinitely.
5. Deletion Requests — User-Initiated
5.1 Right to Request Deletion
Any account holder (or their authorized representative) may request deletion of their personal information at any time by contacting the Privacy Officer or through the in-platform account settings.
5.2 Processing Timeline
| Action | Timeline |
|---|---|
| Acknowledge receipt of deletion request | 5 business days |
| Verify identity of requester | Before processing — standard identity verification (matching account credentials or, for representatives, proof of authority) |
| Complete deletion from production systems | 30 calendar days from verified request |
| Complete deletion from backup systems | 90 calendar days from verified request (next backup rotation) |
| Confirm deletion to requester | Within 5 business days of production deletion |
5.3 Exceptions — When Deletion May Be Refused or Delayed
Focura may refuse or delay deletion only in the following circumstances, with written explanation to the requester:
| Exception | Basis | Retention Limit |
|---|---|---|
| Active estate administration — an executor has been granted access and the estate is in progress | PIPEDA Principle 5 — information still required for the purpose for which it was collected | Until estate closure + 3 years per §3.2 |
| Legal hold — data subject to litigation, regulatory investigation, or court order | Legal obligation supersedes deletion request | Duration of legal proceeding + applicable limitation period |
| Breach record — the data forms part of a PIPEDA-mandated breach record | PIPEDA Division 1.1 — 24-month mandatory retention | 24 months from breach determination |
| Outstanding financial obligation — unpaid invoices or billing disputes | Legitimate business purpose | 12 months from resolution |
In all exception cases, the minimum necessary information is retained, and the exception is documented in the deletion request log.
5.4 Partial Deletion
Users may request deletion of specific data categories (e.g., “delete my Tell Your Story recordings but keep my asset data”). Focura will accommodate partial deletion requests where technically feasible.
6. Deletion Standards
6.1 What “Deleted” Means
Deletion means the personal information is permanently and irreversibly removed such that it cannot be recovered, reconstructed, or re-identified. Specifically:
| System | Method |
|---|---|
| Production database | Hard delete (record removal), not soft delete or logical flag. Database vacuumed/compacted to overwrite freed space. |
| Zero-knowledge credential vault | Encrypted data blocks destroyed; encryption keys purged from HSM |
| File storage (documents, voice/video recordings) | File deleted from storage; storage provider’s deletion protocol engaged (e.g., AWS S3 object deletion with lifecycle expiration) |
| Backups | Excluded from future backup sets; existing backup copies expired within 90-day rotation |
| Search indices and caches | Purged within 24 hours of production deletion |
| Logs | Personal information should not appear in logs by design; if found, redacted within 30 days |
6.2 Anonymization as Alternative
Where retention of statistical or aggregate data is needed (e.g., product analytics, completion rate metrics), data may be anonymized rather than deleted, provided:
- All direct identifiers are removed (name, email, address, account numbers)
- All indirect identifiers that could enable re-identification are removed or generalized (postal code → province, exact age → age band)
- The anonymization is irreversible — Focura cannot re-link the record to an individual
- The anonymized dataset is reviewed by the Privacy Officer before use
7. Death of Account Holder — Transition Procedure
This section governs the critical transition from living-user account to estate-administration account.
7.1 Notification of Death
Focura may be notified of an account holder’s death by:
- A linked advisor
- A named executor (identified in the estate profile)
- A family member with proof of authority (death certificate + proof of relationship or executor appointment)
7.2 Verification
Before granting estate access or altering account status:
- Death certificate — certified copy required
- Proof of executor authority — Certificate of Appointment of Estate Trustee (Ontario), Letters Probate, or notarial will (Quebec), as applicable
- Identity verification of the person requesting access
7.3 Account Transition
| Action | Timeline |
|---|---|
| Account status changed to “Estate Administration” | Within 5 business days of verified death notification |
| Executor granted access per access permissions documented in estate profile | Concurrent with status change |
| Digital credentials flagged for 90-day deletion countdown per §3.2 | Concurrent with status change; executor notified |
| Subscription billing suspended | Effective immediately upon verified death notification |
| Tell Your Story delivery instructions triggered | Per delivery conditions set by the account holder |
7.4 Estate Closure
When the executor confirms estate administration is complete:
- Executor downloads final data export (structured format)
- Estate data retained for 3-year buffer per §3.2
- Automated deletion scheduled at buffer expiry
- Executor notified 30 days before deletion with final download opportunity
8. Advisor Access Revocation
When a household removes a linked advisor, or the advisor’s subscription ends:
| Action | Timeline |
|---|---|
| Advisor access to household data terminated | Immediately upon de-linking or advisor subscription end |
| Advisor’s cached copies (if any) of household data | Advisor is contractually required to delete per advisor agreement; Focura cannot enforce deletion of data already downloaded |
| Access log records | Retained per §3.3 (7 years) |
9. Data Portability
Account holders (or their authorized representatives) may request a complete export of their personal information in a structured, commonly used, machine-readable format:
- Format: JSON (structured data) + PDF (human-readable summary) + original media files (voice/video)
- Timeline: Available for download within 30 calendar days of request
- Cost: No charge
- Availability: Via in-platform self-service export, or on request to the Privacy Officer
- Quebec Law 25 compliance: Data export includes the right to request transmission to another organization, where technically feasible
10. Automated Enforcement
Retention periods must not depend solely on human memory or manual review. The following automated controls are required:
| Control | Implementation |
|---|---|
| Subscription lapse timer | Automated countdown from lapse date; triggers grace period notifications at 30/90/150 days and deletion at 181 days |
| Death notification timer | 90-day credential deletion countdown; 3-year estate buffer countdown from closure confirmation |
| Backup rotation | Automated expiration of backup copies containing deleted records within 90-day cycle |
| Annual retention audit | Automated report flagging any data that has exceeded its retention period without documented exception |
| Deletion log | Automated, immutable record of all deletions: what was deleted, when, by what trigger, and by whom |
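The §3.2, §4 and §10 rules expressed as date arithmetic, as an added example that is not Focura's own code: per-category deletion due dates, the "whichever is earlier" estate closure rule with its 7-year backstop, and the audit report that flags records past their deadline without a documented exception. The category labels, the `Record` fields and the sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

GRACE_DAYS = 180            # §4: full retention for 180 days after lapse; deletion on day 181
CREDENTIAL_DAYS = 90        # §3.2: credentials deleted 90 days after death notification
ESTATE_BUFFER_YEARS = 3     # §3.2: estate data kept 3 years after estate closure
CLOSURE_BACKSTOP_YEARS = 7  # §3.2: closure deemed no later than 7 years after death notification

def add_years(d: date, years: int) -> date:
    """Calendar-year offset; Feb 29 falls back to Feb 28 in a non-leap target year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def estate_closure_date(death_notified: date, executor_confirmed: Optional[date]) -> date:
    """§3.2: executor confirmation or the 7-year backstop, whichever is earlier."""
    backstop = add_years(death_notified, CLOSURE_BACKSTOP_YEARS)
    return backstop if executor_confirmed is None else min(executor_confirmed, backstop)

@dataclass
class Record:                       # assumed shape, not Focura's schema
    record_id: str
    category: str                   # "estate" | "credentials" | "lapsed_household"
    trigger: date                   # death notification date, or subscription lapse date
    executor_confirmed: Optional[date] = None
    exception_ref: Optional[str] = None   # §5.3 documented exception (e.g. legal hold id)

def deletion_due(rec: Record) -> date:
    """Date on which automated deletion must run for this record."""
    if rec.category == "lapsed_household":
        return rec.trigger + timedelta(days=GRACE_DAYS + 1)      # §4: day 181 after lapse
    if rec.category == "credentials":
        return rec.trigger + timedelta(days=CREDENTIAL_DAYS)     # §3.2: 90 days after notification
    if rec.category == "estate":
        closure = estate_closure_date(rec.trigger, rec.executor_confirmed)
        return add_years(closure, ESTATE_BUFFER_YEARS)           # §3.2: closure + 3 years
    raise ValueError(f"unknown category {rec.category!r}")

def retention_audit(records: list, today: date) -> list:
    """§10 audit: ids of records past their deletion date with no documented exception."""
    return [r.record_id for r in records
            if today > deletion_due(r) and r.exception_ref is None]

# Constructed sample records (not real data)
SAMPLE = [
    Record("est-1", "estate", date(2018, 3, 1), executor_confirmed=date(2019, 6, 30)),
    Record("est-2", "estate", date(2018, 3, 1)),                # never confirmed: backstop applies
    Record("cred-1", "credentials", date(2026, 1, 1)),
    Record("lapse-1", "lapsed_household", date(2025, 9, 1), exception_ref="LH-2026-01"),
]
```

Running `retention_audit(SAMPLE, date(2026, 4, 15))` flags `est-1` and `cred-1`; `lapse-1` is past its deadline but carries a documented exception, and `est-2` is not due until 2028.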
11. Audit and Review
| Activity | Frequency |
|---|---|
| Policy review | Annually, or upon material change to applicable law |
| Retention compliance audit | Quarterly — automated report reviewed by Privacy Officer |
| Deletion log review | Monthly — Privacy Officer reviews for completeness and anomalies |
| Backup deletion verification | Quarterly — confirm that production deletions have propagated to backups |
12. Roles and Responsibilities
| Role | Responsibility |
|---|---|
| Privacy Officer | Policy owner; approves exceptions; reviews audit reports; handles deletion requests; responds to user inquiries |
| Engineering / Platform team | Implements automated retention controls, deletion procedures, and data portability exports; ensures zero-knowledge architecture for credential vault |
| Customer support | Receives deletion requests and death notifications; routes to Privacy Officer for processing; never processes deletions independently |
| Legal counsel | Reviews policy annually; advises on legal holds and regulatory changes; confirms provincial compliance as Focura expands |
13. Breach of This Policy
Failure to comply with this policy — including retaining data beyond its defined period, failing to process a deletion request within the required timeline, or circumventing automated controls — is treated as a privacy incident and:
- Logged in the breach record system (PIPEDA Division 1.1)
- Assessed for “real risk of significant harm” — if threshold met, breach notification obligations apply
- Reported to the Privacy Officer immediately
- Investigated and remediated within 30 days
14. Related Documents
- Regulatory Landscape — Full regulatory analysis underpinning this policy
- Privacy Officer — Designation and contact details
- Informed Consent — Consent framework for data collection
- Incident Response Plan — [To be developed]
- Terms of Service — [To be developed]
This policy is for internal governance and regulatory compliance. It is not legal advice. It should be reviewed by qualified Canadian privacy counsel before implementation and before any material change to the platform’s data handling practices.