GDPR Article 30 — Record of personal data processing activities.
| ID | Purpose | Data Categories | Legal Basis | Retention & Enforcement | Recipients |
|---|---|---|---|---|---|
| PA-001 | Service Delivery Core application operations, user account management, and feature access. | Name, Email, Profile picture, Organization membership | Contract (Art. 6(1)(b)) | Until account deletion User-initiated deletion via Settings → Danger Zone. Cascading hard-delete across local product tables; PII removed from SF central within 30 days. | Vercel (hosting), Neon (database) |
| PA-002 | Billing & Payments Processing payments, managing subscriptions, generating invoices. | Email, Name, Payment method (via Calmony Pay), Invoice history | Contract (Art. 6(1)(b)) | 7 years (UK financial record retention — HMRC + AML) Retained for the statutory period for tax / AML defence. After 7 years, billing records are archived with PII fields anonymized to placeholders so financial totals remain auditable. | Calmony Pay |
| PA-003 | Transactional Email Sending account notifications, team invitations, and system alerts. | Email, Name | Contract (Art. 6(1)(b)) | 30 days (email delivery logs) Email delivery logs are retained by our processor (Resend) for 30 days then automatically purged by their platform. | Resend |
| PA-004 | Analytics Tracking usage patterns to improve the service. Only with user consent. | Usage events, Page views, Feature interactions | Consent (Art. 6(1)(a)) | 90 days Hourly aggregation workflow (usageAggregateWorkflow) rolls raw events into anonymous counts; raw rows older than 90 days are deleted by the shell-shipped retention sweep. | None |
| PA-005 | Security & Audit Logging state-changing operations for security monitoring and compliance. | User ID, Action, IP address, Timestamp | Legitimate Interest (Art. 6(1)(f)) | 90 days Daily Temporal workflow auditCleanupWorkflow (03:00 UTC) deletes audit log entries older than 90 days from SF central. | None |
| PA-006 | Error Monitoring Capturing application errors via the platform Observability dashboard. PII scrubbed before transmission. | Error stack traces (PII scrubbed), Browser/device metadata | Legitimate Interest (Art. 6(1)(f)) | 30 days Errors flow through captureError() into the SaaS Factory platform Observability dashboard, which auto-expires entries after 30 days. | None |
| PA-007 | Right-to-Rent Check Evidence Storing tenant immigration-status evidence (scanned passport / share code / document reference) required by UK Right-to-Rent legislation. | Document reference, Document expiry date, Scanned identity document, Free-form check notes | Legal Obligation (Art. 6(1)(c)) — Immigration Act 2014 | 1 year after the linked tenancy ends (Home Office guidance for letting agents) Daily Temporal workflow dataRetentionWorkflow (04:00 UTC) scrubs the document reference, notes, expiry date and scan filename; deletes the scan blob from storage. The check row itself is kept so the agency can prove a compliant check was performed during the tenancy. Audit-logged as data_retention.right_to_rent.scrubbed. | None |
| PA-008 | Tenant Records (post-tenancy) Tenant identity records linked to historical tenancies, deposits and dispute outcomes. | Full name, Email, Phone, Date of birth, Nationality, Forwarding address, Free-form notes | Contract (Art. 6(1)(b)) and Legal Obligation (Art. 6(1)(c)) | 7 years after the tenant's last tenancy ends (UK lettings financial record retention) Daily Temporal workflow dataRetentionWorkflow (04:00 UTC) anonymizes the tenant row — PII fields replaced with '[redacted]' / NULL — while preserving the row's foreign-key relationship to deposits and disputes so financial / dispute records remain auditable. Audit-logged as data_retention.tenant.anonymized. | None |
Retention periods documented above are enforced automatically — no manual intervention is required to keep DepositClear compliant with GDPR Article 5(1)(e) (storage limitation).
src/temporal/schedules.ts.src/temporal/activities/dataRetention.ts. Per-run safety cap of 1,000 rows; subsequent ticks resume where the previous left off.Every scrub / anonymisation is recorded in the audit log (data_retention.* actions) so a regulator or internal auditor can verify the policy was enforced on any given date. Workflow runs are visible in the platform Observability dashboard.