Data Retention & Deletion Policy
Version: 1.0 (template) · Effective date: [DATE] · Operator: [LEGAL ENTITY NAME] (Scoola)
Template — not legal advice. Review with qualified Indonesian counsel before use.
Principle
We keep personal data only as long as needed to provide the service or to meet legal obligations, then delete or anonymise it. Each school's data lives in its own database; deleting a school deletes its data.
Retention schedule
| Data | Default retention | Notes |
|---|---|---|
| Account & membership | While the user is active at the school + [12] months | Then deleted/anonymised |
| Academic records (assignments, grades, attendance) | Per school policy / academic year + [school-defined] | Controller-configurable |
| Messages & announcements | [12] months or per school | Controller-configurable |
| Uploaded materials & submissions | While the class is active + [school-defined] | Stored privately in R2 |
| Live recordings | [30] days (configurable per school) | Auto-deleted after the window; can tier to cold storage |
| Audit & security logs | [12–24] months | For security & accountability |
| Payment records (Phase 2) | As required by Indonesian tax/accounting law | Typically [10] years for invoices |
| Backups | [30] days rolling | Then overwritten |
Triggers for deletion
- Student/parent removed from the school → their personal data is deleted/anonymised per schedule.
- Consent withdrawn for live video → live access stops immediately; related recordings are deleted within the retention window.
- School offboarding → the school's entire database is deleted within [30] days (subject to legally required retention).
- Data-subject erasure request (via the school) → actioned within [30] days, subject to legal exceptions.
How deletion works
Deletion removes data from the live database and storage; backups expire on the rolling schedule above. Deletion is recorded for accountability. Recordings in R2 are removed by an automated retention job.
Contact
Requests and questions: [DPO/CONTACT EMAIL].