Data Retention Policy
Effective Date: March 1, 2026
This Data Retention Policy describes how SOFTBLITZ PESQUISA DESENVOLVIMENTO E CONSULTORIA DE SOFTWARE DO BRASIL LTDA - ME ("SoftBlitz," "we," "us") retains, archives, and disposes of personal and business data collected through the CronusAI platform ("Platform"). This policy is aligned with applicable U.S. federal and state laws, including the Fair Labor Standards Act (FLSA), the Internal Revenue Code (IRC), the California Consumer Privacy Act (CCPA), and the California Privacy Rights Act (CPRA).
1. Purpose
The purpose of this Data Retention Policy is to establish consistent standards for the retention, archiving, and secure disposal of data processed through the Platform. Retention periods are set to comply with applicable legal requirements, support legitimate business operations, and minimize the risk of retaining data beyond its useful life.
Under CCPA § 1798.100(a)(3), businesses must disclose the length of time they intend to retain each category of personal information, or if that is not possible, the criteria used to determine such periods.
2. Retention Principles
Data retention at CronusAI is governed by the following principles:
- Legal compliance: Data is retained for at least the minimum period required by applicable laws and regulations.
- Purpose limitation: Data is retained only as long as necessary for the purposes for which it was collected.
- Minimization: Upon expiration of a retention period, data is securely deleted or anonymized unless a legal hold or extended retention obligation applies.
- Accountability: All retention periods are documented, reviewed annually, and adjusted as regulations change.
3. Data Categories
The Platform processes the following categories of data, each subject to specific retention requirements:
- Employee records: Name, contact information, identification numbers (SSN), employment history, role, and status.
- Payroll and compensation data: Salary, tax withholdings, payment records, bank information, and benefits.
- Time and attendance records: Clock-in/out records, absences, overtime, and work schedules.
- Employment contracts: Digital contracts, versions, signatures, and related analysis.
- Employee documents: Uploaded identity documents, proof of residence, certifications, and related metadata.
- KYC and verification data: Identity verification results, confidence scores, and session data from third-party providers.
- Technical data: IP addresses, device information, browser user agent strings, and access logs.
- Analytics data: AI-generated productivity insights, workforce analytics, and aggregated reports.
- Audit logs: Records of administrative actions, data access events, and system changes.
- Policy acceptance records: Timestamps and hashes of accepted terms and policies.
4. Retention Periods
| Data Category | Retention Period | Legal Basis |
|---|---|---|
| Employee records | Duration of employment + 7 years | IRS record retention; EEOC (1 year minimum per 29 CFR § 1602.14) |
| Payroll records | 3 years from date of entry | FLSA (29 U.S.C. § 211(c); 29 CFR § 516.5) |
| Basic employment records (hours, wages) | 2 years | FLSA (29 CFR § 516.6) |
| Tax records (W-2, 1099, withholdings) | 7 years from filing date | IRC § 6501(a) (3-year assessment period) + buffer; IRS Publication 15 |
| Time and attendance records | 3 years | FLSA (29 CFR § 516.5) |
| Employment contracts | Duration of contract + 6 years | Statute of limitations for contract claims (varies by state; 6 years in New York per CPLR § 213) |
| Employee documents | Duration of employment + 3 years | I-9 retention: 3 years from hire or 1 year from termination, whichever is later (8 CFR § 274a.2(b)(2)(i)(A)) |
| KYC verification data | Duration of employment + 5 years | AML/BSA best practices; vendor data retention policies |
| Technical data (IP, device, logs) | 1 year | Operational necessity; no mandatory minimum |
| Analytics data | 2 years | Operational; anonymized after period |
| Audit logs | 5 years | SOC 2 requirements; internal governance |
| Policy acceptance records | Duration of relationship + 7 years | Evidentiary purposes; contract statute of limitations |
| Account credentials | Until account deletion | Operational; hashed and not recoverable |
5. Legal Retention Requirements
Several federal and state laws impose specific retention mandates:
Fair Labor Standards Act (FLSA): Requires retention of payroll records for 3 years (29 CFR § 516.5) and supplementary basic employment records for 2 years (29 CFR § 516.6).
Internal Revenue Code: The IRS generally recommends retaining employment tax records for at least 4 years from the date the tax becomes due or is paid, whichever is later (IRC § 6501). We retain for 7 years as an industry-standard buffer.
EEOC Regulations: Under 29 CFR § 1602.14, personnel and employment records must be retained for 1 year from the date of the record or from the date of the personnel action, whichever is later.
I-9 Compliance: Form I-9 must be retained for 3 years after the date of hire, or 1 year after the date employment ends, whichever is later (8 CFR § 274a.2(b)(2)(i)(A)).
CCPA/CPRA: While CCPA does not prescribe specific retention periods, it requires businesses to disclose retention periods and not retain personal information longer than is reasonably necessary (CCPA § 1798.100(a)(3)).
State-specific requirements: California, New York, and Texas may impose additional retention requirements for certain employment records. We apply the longest applicable period.
6. Deletion Procedures
Upon expiration of a retention period and absent any legal hold:
- Automated review: The Platform flags data approaching retention deadlines for review on a quarterly cycle.
- Verification: The data governance team confirms that no legal holds, pending litigation, or regulatory inquiries require extended retention.
- Secure deletion: Data is permanently deleted from production databases using cryptographic erasure or secure overwrite methods. Database records are hard-deleted (not merely soft-deleted).
- Confirmation: Deletion is logged in the audit trail with the date, scope, and authorizing party.
For data subject deletion requests under CCPA (§ 1798.105), we process verified requests within 45 calendar days, with the option to extend by an additional 45 days with notice.
7. Anonymization
Where data has analytical or statistical value beyond its retention period, we may anonymize it rather than delete it. Anonymization is performed such that the data can no longer be associated with a specific individual, directly or indirectly, in compliance with CCPA's definition of "deidentified" information (§ 1798.140(m)).
Anonymized data is excluded from retention period requirements and may be retained indefinitely for business intelligence, product improvement, and aggregate reporting purposes.
8. Archiving
Data that has passed its active use period but remains within its legal retention window may be moved to archival storage:
- Cold storage: Archived data is stored in encrypted cold storage with restricted access.
- Access controls: Only authorized personnel with a documented business need may access archived data.
- Retrieval: Archived data can be retrieved upon legal request, regulatory inquiry, or authorized business need within 72 hours.
9. Backup Retention
Database backups are retained for a maximum of 30 days on a rolling basis. Backup media is encrypted at rest using AES-256 encryption. When backups age beyond the retention window, they are securely destroyed.
When a data subject requests deletion, backup cycles may retain copies for up to 30 days after deletion from production systems. Deleted data in backups is not actively restored and is overwritten as backup rotation occurs.
10. Audit Log Retention
Audit logs documenting access to personal data, administrative actions, and security events are retained for 5 years. This retention period supports:
- SOC 2 Type II compliance requirements for audit evidence.
- Internal investigations and forensic analysis.
- Regulatory inquiries and legal proceedings.
Audit logs are stored in append-only storage with tamper-evident integrity checks. Access to audit logs is restricted to security personnel and authorized administrators.
Contact Information
For questions about this Data Retention Policy, contact our Data Protection Officer:
- Email: dpo@orbittai.com
- Address: Av Paulista 1471, Conj 1110, Bela Vista, São Paulo – SP, CEP 01311-927, Brasil
This policy is reviewed annually and updated as necessary to reflect changes in applicable law, regulatory guidance, or business practices. The "Effective Date" at the top of this document indicates the date of the most recent revision.