Data Retention and Deletion Policy

Last updated: May 6, 2024

1. Introduction

JohnCode is committed to the proper handling of personal data, including its retention only for as long as necessary and its secure deletion when no longer needed. This policy defines the procedures for retention and deletion of personal data in compliance with the General Data Protection Law (LGPD) and other applicable regulations.

2. Scope

This policy applies to all personal data collected, stored, and processed by JohnCode, regardless of format or storage medium. This includes data in electronic systems, databases, physical documents, and any other media.

3. Data Retention Principles

Our data retention and deletion policy follows these principles:

Necessity: We retain data only as long as necessary for the specific purposes for which it was collected.
Minimization: We limit the collection and retention of data to the minimum necessary to fulfill the stated purposes.
Proportionality: The retention period is proportional to the need to maintain the data.
Transparency: We inform data subjects about the applicable retention periods.
Security: We ensure that data is stored securely throughout the retention period.

4. Retention Periods

We define specific retention periods for different categories of data, based on legal, contractual, and operational requirements:

4.1. Customer Data

Data Category	Retention Period	Legal Basis/Justification
Account Information	Duration of account activity + 1 year	Legitimate interest for legal and audit purposes
Transaction/Fiscal Data	7 years	Legal obligation (tax and commercial legislation)
Support Records and Communications	1 year after resolution	Legitimate interest for ongoing support and dispute resolution

4.2. Employee Data

Data Category	Retention Period	Legal Basis/Justification
Employment Records	Duration of employment + 5 years	Legal obligation (labor and social security legislation)
Payroll Data	10 years	Legal obligation (tax and labor legislation)

4.3. Corporate Data

Data Category	Retention Period	Legal Basis/Justification
Contractual Documents	Duration of contract + 10 years	Legal obligation (civil legislation) and legitimate interest
Corporate Records	Permanent or as per applicable legislation	Legal obligation and legitimate interest

5. Deletion Procedures

We implement secure procedures for the deletion of personal data when they reach the end of the retention period or upon valid request from the data subject:

5.1. Deletion Methods

Electronic Data: We use secure deletion techniques that prevent data recovery.
Physical Media Data: We implement secure destruction procedures, such as shredding or incineration.
Databases: We perform logical and/or physical deletion of records as needed.

5.2. Anonymization

In some cases, we may opt for anonymization instead of deletion, especially for statistical and research purposes. Anonymization is performed in a way that the data can no longer be associated with a specific individual.

5.3. Exceptions to Deletion

Under certain circumstances, we may retain data beyond the standard period, such as:

When required by law or regulation;
To respond to judicial or administrative proceedings;
To establish, exercise, or defend legal rights;
When there is a legitimate public interest.

6. Data Subject Rights

Data subjects have specific rights related to the retention and deletion of their data:

Right to deletion: Request the deletion of their personal data, subject to legal exceptions;
Right to information: Obtain information about applicable retention periods;
Right to revoke consent: Revoke consent at any time;
Right to portability: Obtain their data in a structured and transferable format.

To exercise these rights, data subjects can use our Data Subject Request Portal or contact our Data Protection Officer directly.

7. Review and Audit

This policy will be reviewed annually or when significant changes occur:

We conduct periodic audits to ensure compliance with retention periods;
We document all data deletions for compliance purposes;
We maintain deletion records to demonstrate compliance with the LGPD.