1. Overview
This Data Retention Schedule describes the retention periods for all categories of data processed by MayDay-IC, operated by Blue Beard Solutions Inc. ("Company," "we," "us," or "our"). We retain personal and operational data only as long as necessary for the purposes described in this schedule or as required by applicable law, including the Health Insurance Portability and Accountability Act (HIPAA), the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), Internal Revenue Service (IRS) requirements, and the Electronic Signatures in Global and National Commerce Act (E-SIGN Act).
This schedule ensures compliance with federal, state, and international data retention obligations while minimizing data storage to what is strictly necessary for operational, legal, and regulatory purposes.
2. Data Retention Periods
The following table details the retention period and legal basis for each category of data processed by MayDay-IC:
| Data Type | Retention Period | Legal Basis |
|---|---|---|
| Protected Health Information (PHI) / Patient Records | 6 years from date of creation or last effective date | 45 CFR 164.530(j) (HIPAA) |
| Incident Records | 6 years | Regulatory compliance requirements |
| Financial / Billing Records | 3 years | IRS record retention requirements |
| Audit Logs | 6 years | HIPAA audit trail requirements |
| Session / Authentication Data | 1 year | Security best practices |
| Security Alerts | 3 years | Compliance and security monitoring |
| Account Data | Duration of active account + 90 days after deletion | Contractual obligation; grace period for account recovery |
| Training Exercise Data | 2 years | Operational and compliance requirements |
| Mutual Aid Agreements | Duration of agreement + 3 years | Contractual and regulatory requirements |
| Digital Signatures | 10 years | E-SIGN Act (15 U.S.C. § 7001 et seq.) |
| Consent Records | 6 years | HIPAA / GDPR documentation requirements |
| Data Subject Requests | 3 years | GDPR accountability documentation |
| Evidence Logs | 7 years | Legal hold potential; litigation preservation |
| Equipment Tracking Records | 5 years | Asset management and regulatory compliance |
3. Retention Period Calculation
Retention periods begin from the date of creation, collection, or last modification of the data, unless otherwise specified. For data associated with active accounts or ongoing incidents, the retention period begins when the account is closed or the incident is officially resolved and demobilized.
Where multiple retention requirements apply to the same data (for example, patient records that are also part of an evidence log), the longest applicable retention period governs.
4. Data Disposal Methods
Upon expiration of the applicable retention period, data is disposed of using one or more of the following secure methods:
- Secure Deletion: Data is permanently removed from all production systems, databases, and backup storage using industry-standard secure deletion methods that prevent recovery.
- Cryptographic Erasure: Where data is encrypted at rest, the encryption keys are securely destroyed, rendering the encrypted data permanently unrecoverable without requiring physical deletion of the storage medium.
- Physical Destruction: For physical media (if applicable), devices are destroyed using NIST SP 800-88-compliant methods, including degaussing, shredding, or incineration.
All data disposal actions are logged in our audit system, including the data type, disposal method, date of disposal, and the personnel or automated system responsible for the action.
5. Legal Hold Exceptions
Notwithstanding the retention periods specified above, data may be retained beyond the scheduled retention period in the following circumstances:
- Litigation Hold: When we reasonably anticipate litigation or receive notice of pending legal proceedings, all potentially relevant data is preserved until the legal matter is fully resolved and any applicable appeal periods have expired.
- Regulatory Investigation: When data is subject to an active regulatory investigation or audit by a government agency, retention is extended until the investigation or audit is concluded.
- Law Enforcement Request: When we receive a valid preservation request from law enforcement, data is retained in accordance with the request and applicable law. See our Law Enforcement Request Policy for details.
- Contractual Obligation: When a Business Associate Agreement (BAA) or other contractual arrangement specifies a longer retention period, the contractual requirement takes precedence.
Legal holds are managed by our legal team and are reviewed quarterly to determine whether continued preservation is necessary.
6. Backup and Disaster Recovery Data
Data stored in backup and disaster recovery systems follows the same retention schedule as production data, with an additional grace period of up to 90 days to allow for backup rotation cycles. When data reaches the end of its retention period, it is purged from backup systems during the next scheduled backup cycle.
7. Third-Party Data Retention
Our third-party service providers and subprocessors are contractually required to comply with data retention and deletion obligations consistent with this schedule. For details on our subprocessors, see our Subprocessor List. Data shared with third parties is subject to data processing agreements that include provisions for data return or deletion upon termination of the service relationship.
8. Data Subject Rights
You may request deletion of your personal data at any time, subject to applicable legal retention requirements. If your data is subject to a mandatory retention period (for example, PHI under HIPAA), we will inform you of the applicable retention obligation and delete the data upon expiration of the required period. For more information on your data rights, see our Privacy Policy.
9. Policy Review
This Data Retention Schedule is reviewed annually and updated as necessary to reflect changes in applicable law, regulatory guidance, or business operations. Material changes will be communicated at least 30 days before the effective date.
10. Contact Us
For questions about this Data Retention Schedule or to request data deletion:
Email: info@maydayic.com
For HIPAA-specific data retention inquiries:
Email: info@maydayic.com
Blue Beard Solutions Inc.
Data Protection Officer