Data Retention
This page sets out how long Setara keeps different categories of data and how data is destroyed or de-identified when no longer needed. Retention periods are set by the owner in one place and apply across the service.
Retention principle
We keep personal information only for as long as necessary for the purposes described in our Privacy Policy, then securely destroy or de-identify it. This reflects Australian Privacy Principle 11.2.
Retention by data class
| Data class | Retention | Notes |
|---|---|---|
| Account and contact data (user profile, organisation, role) | Duration of the customer relationship | Kept for the duration of the customer relationship, then securely destroyed when no longer needed. |
| Ingested investigation data (uploaded files, OSINT, third-party data) | Duration of the matter or as instructed | Retained only for as long as needed for the customer's matter or as instructed by the customer, then deleted or returned. |
| AI-generated outputs (entity maps, timelines, briefings) | No longer than the source data | Retained for no longer than their underlying source data. |
| System and audit logs | Minimum necessary | Retained for the minimum period needed for security, integrity and legal compliance. |
| Website analytics and cookie data | Minimum necessary | Retained for the minimum period necessary and in line with cookie consent. |
Legal retention minimums
Where a law requires us to keep certain records for a minimum period (for example, tax and financial records), we keep those records for that minimum period only.
Secure destruction and de-identification
When the retention period ends, we destroy or de-identify personal information using methods proportionate to the sensitivity of the data and the storage media involved. Where backups exist, deletion is applied on the next scheduled backup cycle.
Customer data return or deletion on contract close
On contract close, Customers can request the return or deletion of their data. We confirm completion in writing. Specific timing and format are set out in the order form or the Data Processing Agreement, which is available on request to privacy@setara.com.au.