Data Retention & Deletion Policy
Version 2026-06-02.v4
This policy describes how long Qlinniq keeps each category of data and what happens when you withdraw your account or when a record passes its retention window. Retention periods follow the medical-records retention rules applicable to your region — for US patients, HIPAA-related and US state requirements; for UK and EU/EEA patients, UK/EU medical-records retention guidance.
| Category | Retention | Notes |
|---|---|---|
| Identity (name, ITS, contact) | Until withdrawal | Anonymized on withdrawal; replaced with non-identifying placeholders. |
| Preregistration responses | Up to 7 years | Medical-records retention under applicable healthcare law; longest-applicable retention used. |
| Intake form responses (PHQ-9 / GAD-7 / general) | Up to 7 years | Required for longitudinal clinical assessment. |
| Visits, sessions, clinical notes | Up to 7 years | Standard mental-health record retention. |
| Audit logs | Minimum 6 years | Security & access auditing under the HIPAA Security Rule and UK/EU GDPR; scrubbed of IP/user-agent at 6 years, pruned at 7. |
| Notification + outreach logs | 2 years | Operational hygiene; not used for clinical decisions. |
| Audio recordings (when consented) | 1 year | Auto-purged unless extended retention is consented to per session. |
Patient-initiated withdrawal
On withdrawal, identifiers are anonymized within 30 days. The underlying clinical records remain in the system under their retention windows above so that statutory obligations (audit requests, regulator queries) can still be met. After the retention window elapses, the rows are hard-deleted.
Disposal
When a record passes its retention window it is purged from primary storage, with a single audit-log entry recording the purge for traceability.