Data Retention Policy

 

Managing Document and Personal Data Retention

Lifeogeny, LLC (“Lifeogeny,” “we,” “us,” or “our”), has published this Data Retention Policy to inform our users, customers, and website visitors from the European Economic Area (collectively, “Data Subjects”) about how Lifeogeny processes and retains specific categories of Personal Data (as described below), our retention periods for their Personal Data, our reasoning behind those retention periods, and the minimum standards to be applied when destroying certain types of information within Lifeogeny.

Purpose and Scope

Under the terms of the General Data Protection Regulation (the “GDPR”), Lifeogeny is required to process Personal Data from Data Subjects in a fair manner which notifies Data Subjects of the purposes of the data processing and also to retain the Personal Data for no longer than is necessary to achieve those purposes.

Under these rules, Data Subjects have a right to be informed about how their Personal Data is processed and this policy is meant to provide Data Subjects with information on our data retention periods or criteria used to determine the retention periods.

This policy applies to all business units, processes, and systems in all countries in which we conduct business and have dealings or other business relationships with third parties. This policy applies to all Lifeogeny officers, directors, employees, agents, affiliates, contractors, consultants, advisors, or service providers who may collect, process, or have access to data (including Personal Data and/or Sensitive Personal Data, as those terms are defined below). It is the responsibility of all of the above persons to familiarize themselves with this policy and ensure adequate compliance with it.

This policy applies to all records used and maintained at Lifeogeny, regardless of physical format, including:

  1. Appointment books and calendars

  2. Invoices

  3. Audio and video recordings

  4. Letters and other correspondence

  5. Computer programs

  6. Magnetic tape

  7. Contracts

  8. Memory in mobile phones and PDAs

  9. Electronic files

  10. Online postings, including social media platforms

  11. E-mails

  12. Performance reviews

  13. Handwritten notes

  14. Voicemails

Please contact Lifeogeny at legal@lifeogeny.com to obtain the Company’s Records Retention Schedule. A record must not be retained beyond the Retention Period indicated in the Records Retention Schedule, unless a valid business reason (or a litigation hold or other special situation) calls for its continued retention.

For questions on document retention or if you are unsure whether to retain a certain record, contact our Data Protection Officer (“DPO”) at development@lifeogeny.com.

Definitions

“Personal Data” means any information relating, directly or indirectly, to an identified or identifiable Data Subject, including name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity.

“Sensitive Personal Data” means any Personal Data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or data concerning health or data concerning a natural person’s sex life or sexual orientation.

“Operational Personal Data” means any Personal Data that is used by Lifeogeny for the purpose of operating its systems and services, including, but not limited to, internal identifiers that Lifeogeny’s systems and/or services use as references for or to leads, events, clicks, or actions performed by users, customers, and/or website visitors.

“Metric Personal Data” means any Personal Data that is used by Lifeogeny for the purpose of measuring the performance of its systems and services or the systems and services of Lifeogeny’s users, customers, and/or website visitors.

“Marketing Personal Data” means any Personal Data that is used by Lifeogeny or Lifeogeny’s users, customers, and/or website visitors solely for marketing purposes.

“Contract Duration” is the length of time from the date a contract or agreement is executed between Lifeogeny and any users, customers, website visitors, or relevant third party and the date that such contract or agreement is terminated.

“Retention Period” is the length of time between the expiration of the Contract Duration and the time when the Personal Data is purged. If the Retention Period is described as “Permanent,” the data type is held indefinitely.

Document Retention Procedure:

As a company, Lifeogeny is required to retain certain records, usually for a specific amount of time. We must retain these records because they contain information that:

  • Serves as Lifeogeny’s corporate memory

  • Has enduring business value (for example, they provide a record of a business transaction, evidence Lifeogeny’s rights or obligations, protect our legal interests, or ensure operational continuity)

  • Must be kept in order to satisfy legal, accounting, or other regulatory requirements

We must balance these requirements with our statutory obligation to only keep records for the period required and to comply with data minimization principles. Our DPO determines the time period for which the documents and electronic records should be retained. If there is no justification for retaining Personal Data, then those records should be routinely deleted. Information should never be kept "just in case" a use can be found for it in the future. If we want to retain information about Data Subjects to help us to provide better service in the future, we will obtain consent in advance.

Further retention of Personal Data is lawful only when compatible with the purpose(s) for which it was originally collected. In some cases, no separate legal basis will be required — for exercising the right of freedom of expression and information; for compliance with a legal obligation; for the performance of a task carried out in the public interest or in the exercise of official authority vested in Lifeogeny as a data controller; on the grounds of public interest in the area of public health; for archiving purposes in the public interest, scientific, or historical research or statistical purposes; or for the establishment, exercise, or defense of legal claims.

Erasure of Personal Data:

On a regular basis, we review all data, whether held electronically or on paper, to decide whether to destroy or delete any data once the purpose for which those documents were created is no longer relevant. Overall responsibility for the destruction of data falls to our DPO.

Once a timing decision is made to dispose of Personal Data (see Records Retention Schedule contained in Appendix A), the information is deleted, shredded, or otherwise destroyed to a degree proportionate to the information’s value to others and level of confidentiality. Thus, the method of disposal varies and is dependent upon the nature of the document. For example, any documents that contain Sensitive Personal Data shall be disposed of as confidential waste (cross-cut shredded and incinerated; secure electronic deletion); some expired or superseded contracts may only warrant in-house shredding. The Records Retention Schedule defines the mode of disposal. The specific deletion or destruction process may be carried out either by an employee or by an internal or external service provider that the DPO subcontracts for this purpose, but the DPO shall fully document and approve the destruction process.

Appropriate controls shall be in place that prevent the permanent loss of essential information as a result of malicious or unintentional destruction of information — these controls are described further in our Privacy Policy.

Records which may be routinely destroyed, unless subject to an on-going legal or regulatory inquiry, are:

  • Announcements and notices of day-to-day meetings and other events

  • Requests for ordinary information, such as travel directions

  • Reservations for internal meetings 

  • Transmission documents, such as fax cover sheets and routing slips that accompany documents, but do not add substantive value

  • Superseded address lists, distribution lists, etc.

  • Duplicate documents such as CC and FYI copies, unaltered drafts, snapshot printouts, or extracts from databases and day files

  • Stock in-house publications which are obsolete or superseded

  • Trade magazines, vendor catalogues, flyers, and newsletters from vendors or other external organizations

In all cases, disposal is subject to any disclosure requirements which may exist in the context of litigation.

Right of Erasure:

Data Subjects have the right, under certain circumstances, to have their Personal Data erased and no longer processed (for more detail, please see our Data Subject Rights Management Policy). This right applies in, for example, the following circumstances:

  • Where the Personal Data is no longer necessary in relation to the purposes for which it is/was collected or otherwise processed

  • Where a Data Subject has withdrawn his/her consent or objects to the processing of Personal Data 

  • Where the processing of Personal Data does not otherwise comply with the GDPR

Breach, Enforcement, and Compliance

The DPO has the responsibility of ensuring that Lifeogeny’s employees comply with this policy. It is also the responsibility of the DPO to assist with official inquiries from any data protection and/or governmental authority. Any suspicion of a breach of this policy must be reported immediately to the DPO. All instances of suspected breaches of this policy shall be investigated and action taken, as appropriate.

Failure to comply with this policy may result in adverse consequences, including, but not limited to, loss of customer confidence, litigation and loss of competitive advantage, financial loss, damage to Lifeogeny’s reputation, and personal injury, harm, or loss. Non-compliance with this policy by permanent, temporary or contract employees or any third parties who have been granted access to Lifeogeny’s premises or information may therefore result in disciplinary proceedings or termination of employment or contract. Such non-compliance may also lead to legal action against the parties involved in such activities.

Destruction Levels

Level I documents are those that contain information that is of the highest security and confidentiality and those that include any Personal Data, especially Sensitive Personal Data. These documents shall be disposed of as confidential waste (cross-cut shredded and incinerated) and shall be subject to secure electronic deletion. Disposal of the documents should include proof of destruction.

Level II documents are proprietary documents that contain confidential information, such as parties’ names, signatures, and addresses, or which could be used by third parties to commit fraud, but which may not contain any Personal Data. The documents should be cross-cut shredded and then placed into locked garbage containers for collection by an approved disposal firm, and electronic documents will be subject to secure electronic deletion.

Level III documents are those that do not contain any confidential information or Personal Data and/or are published Lifeogeny documents. These should be strip-shredded or disposed of (i.e., through a recycling company) and include, for example, advertisements, catalogues, flyers, and newsletters. These may be disposed of without an audit trail.