Data Retention & Deletion Policy
Version 2026-05-04.v1
This policy describes how long Qlinniq keeps each category of data and what happens when you withdraw your account or when a record passes its retention window.
| Category | Retention | Notes |
|---|---|---|
| Identity (name, ITS, contact) | Until withdrawal | Anonymized on withdrawal; replaced with non-identifying placeholders. |
| Preregistration responses | Up to 7 years | MHCA 2017 record-keeping; longest-applicable retention used. |
| Intake form responses (PHQ-9 / GAD-7 / general) | Up to 7 years | Required for longitudinal clinical assessment. |
| Visits, sessions, clinical notes | Up to 7 years | Standard mental-health record retention. |
| Audit logs (CERT-In) | Minimum 180 days | CERT-In Cybersecurity Directions, 2022 require 180-day retention; we hold longer for clinical records. |
| Notification + outreach logs | 2 years | Operational hygiene; not used for clinical decisions. |
| Audio recordings (when consented) | 1 year | Auto-purged unless extended retention is consented to per session. |
Patient-initiated withdrawal
On withdrawal, identifiers are anonymized within 30 days. The underlying clinical records remain in the system under their retention windows above so that statutory obligations (audit requests, regulator queries) can still be met. After the retention window elapses, the rows are hard-deleted.
Disposal
When a record passes its retention window it is purged from primary storage, with a single audit-log entry recording the purge for traceability.