
Data Retention & Destruction Policy

Effective Date: February 2026

Document Version: 1.0

This Data Retention & Destruction Policy (“Policy”) establishes the retention schedules, legal hold procedures, destruction methods, and certification requirements for all data processed by Rymeda, Inc. (“Rymeda,” “we,” “us”) through the Rymeda platform.

This Policy implements the requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), 45 CFR Parts 160 and 164; the California Confidentiality of Medical Information Act (“CMIA”), Cal. Civ. Code §56 et seq.; the General Data Protection Regulation (“GDPR”), Articles 5(1)(e) and 17; the California Consumer Privacy Act as amended by the CPRA (“CCPA/CPRA”), Cal. Civ. Code §1798.105; and NIST Special Publication 800-88 Rev. 1 (Guidelines for Media Sanitization).

The guiding principle of this Policy is data minimization: we retain data only for as long as necessary to fulfill the purpose for which it was collected, to comply with legal and regulatory obligations, and to support legitimate clinical, operational, and business needs. When retention periods expire and no legal hold applies, data is destroyed using certified methods appropriate to its classification.

1. Definitions

Retention Period: The minimum duration for which a specific category of data must be preserved, measured from the triggering event (e.g., date of last clinical activity, account closure, or end of employment).
Legal Hold: A directive to preserve all forms of relevant data when litigation, audit, investigation, or regulatory action is reasonably anticipated or pending. A legal hold supersedes all retention schedules and destruction timelines.
Cryptographic Erasure: The destruction of encryption keys used to protect data, rendering the encrypted data permanently unreadable without requiring physical destruction of the storage media.
Logical Deletion: Marking a record as deleted (via status field or deletion flag) so it is no longer accessible through normal application queries, while the underlying data remains in storage pending physical purge.
Physical Purge: The irreversible removal of data from storage media such that reconstruction is not feasible, including overwriting, degaussing, or cryptographic erasure.
Destruction Certificate: A formal record documenting the date, data categories, destruction method, authorizing officer, and witness for each data destruction event.
Data Anonymization: The irreversible process of transforming personal data such that the data subject is no longer identifiable, directly or indirectly. Anonymized data is no longer subject to HIPAA or GDPR.

2. Scope

This Policy applies to all data created, received, maintained, or transmitted by or through the Rymeda platform, regardless of format or storage medium. This includes:

  • Protected Health Information (PHI) and electronic PHI (ePHI)
  • Clinical records, charts, notes, and AI-generated medical reports
  • Voice recordings and transcriptions
  • Patient demographic and insurance information
  • User account data and authentication records
  • Financial and billing records (invoices, claims, CPT/ICD-10 codes)
  • Audit logs and security event records
  • Communications (secure messages, email notifications)
  • Provider credentials and verification records
  • Operational data (appointments, tasks, runbooks)
  • Analytics and platform usage data
  • Backup and disaster recovery copies

This Policy applies to all Rymeda workforce members, authorized users, subprocessors, and any third party that stores or processes Rymeda data.

3. Retention Schedule

The following table establishes the minimum retention periods for each data category. Data may be retained longer than the minimum where required by an active legal hold or specific regulatory obligation. Retention periods are measured from the triggering event specified for each category.

Clinical Records (Adults)
  Retention Period: 7 years
  Measured From: Date of last clinical activity or patient discharge
  Legal Basis: CA Bus. & Prof. Code §2240.1; CMIA §56.101; HIPAA §164.530(j)
  Platform Data: ClinicalChart, ClinicalNote, Patient, VitalSign, LabResult, TreatmentPlan, Problem, Medication, Allergy

Clinical Records (Minors)
  Retention Period: 7 years or until age 19
  Measured From: Whichever is later: 7 years from last activity or until the patient reaches age 19
  Legal Basis: CA Bus. & Prof. Code §2240.1; CA Health & Safety Code §123145
  Platform Data: Same as Clinical Records (Adults), identified by date_of_birth

Voice Recordings
  Retention Period: 7 years
  Measured From: Date of recording (same schedule as associated clinical record)
  Legal Basis: CA Penal Code §632; HIPAA §164.530(j); CMIA §56.101
  Platform Data: VoiceNote (audio in S3, transcript + metadata in MongoDB)

AI-Generated Content
  Retention Period: 7 years
  Measured From: Date of generation (same schedule as associated clinical record)
  Legal Basis: CA AB 3030; HIPAA §164.530(j); clinical record retention parity
  Platform Data: MedicalReport, OrisTask, DailyRunbook, AI-generated ClinicalNote (where ai_generated: true)

Financial & Billing
  Retention Period: 7 years
  Measured From: Date of transaction or claim adjudication
  Legal Basis: 26 USC §6501 (IRS); CA Rev. & Tax Code §19060; HIPAA §164.530(j)
  Platform Data: Invoice, LineItem (CPT codes), Claim (ICD-10/CPT), InsuranceInfo, Stripe payment records

Audit Logs
  Retention Period: 6 years
  Measured From: Date of the audited event
  Legal Basis: HIPAA §164.530(j) (6-year documentation retention); CMIA §56.101
  Platform Data: audit_logs, security_events, AWS CloudWatch logs, support audit records

Account Data
  Retention Period: Active + 30 days
  Measured From: Account closure or last activity date
  Legal Basis: GDPR Art. 5(1)(e) (storage limitation); CCPA §1798.105
  Platform Data: User profile, users collection, AWS Cognito identity, session records, login history

Provider Credentials
  Retention Period: Relationship + 7 years
  Measured From: End of provider’s relationship with the organization
  Legal Basis: CA Bus. & Prof. Code §2240.1; CMS credentialing requirements
  Platform Data: VerificationRecord, StaffMember, NPI/NPPES data, credential documents (license, insurance, DEA, board certification)

Employment Records
  Retention Period: 4 years post-termination
  Measured From: Date of termination or separation
  Legal Basis: 29 CFR §1602.14 (EEOC); CA Lab. Code §1174
  Platform Data: Internal workforce records, training completion, access authorization records

Communications
  Retention Period: 3 years
  Measured From: Date of message or communication
  Legal Basis: Business records retention; clinical relevance assessment
  Platform Data: SecureMessage, MessageThread, SendGrid email logs, notification records

Analytics
  Retention Period: 24 months
  Measured From: Date of collection
  Legal Basis: GDPR Art. 5(1)(e); data minimization principle
  Platform Data: Plausible Analytics (cookie-free, EU-hosted), analytics_events, search_queries, trending_searches, platform usage metrics

Minor Patient Records

Under California law, clinical records for minor patients must be retained for the longer of (a) 7 years from the date of last clinical activity, or (b) until the patient reaches age 19. The system uses the date_of_birth field from the Patient record to calculate the applicable retention period and prevent premature destruction of minor patient records.
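The retention calculation described above, written out as an added example (this is not Rymeda's code): the adult rule, the minor rule using date_of_birth, and the Section 4 and 5 overrides that block destruction regardless of elapsed time. Record field names other than date_of_birth, and the sample records, are constructed for the example.

```python
from datetime import date
from typing import Dict, Optional, Tuple

# Added example (not Rymeda's code): the Section 3 retention rule for clinical
# records, including the minor-patient calculation, with the Section 4 and 5
# overrides (active legal hold, active treatment plan) checked first.
# Record field names other than date_of_birth are assumptions.

RETENTION_YEARS = 7          # 7 years from last clinical activity
MINOR_RETAIN_UNTIL_AGE = 19  # minors: or until age 19, whichever is later

def add_years(d: date, years: int) -> date:
    """Shift a date by whole years; Feb 29 falls back to Feb 28."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def retention_end(last_activity: date, date_of_birth: Optional[date]) -> date:
    """Earliest date on which the clinical record may be destroyed."""
    end = add_years(last_activity, RETENTION_YEARS)
    if date_of_birth is not None:
        # For an adult the 19th birthday is already past, so max() is a no-op.
        end = max(end, add_years(date_of_birth, MINOR_RETAIN_UNTIL_AGE))
    return end

def destruction_eligible(record: Dict, today: date) -> Tuple[bool, str]:
    """Decide eligibility and return the reason a purge job should log."""
    if record.get("legal_hold"):
        return False, "active legal hold (Section 5)"
    if record.get("active_treatment_plan"):
        return False, "active treatment plan (Section 4, clinical continuity)"
    end = retention_end(record["last_activity"], record.get("date_of_birth"))
    if today < end:
        return False, f"retention runs until {end.isoformat()}"
    return True, f"retention ended {end.isoformat()}"

# Constructed sample records (not real patients).
SAMPLE_RECORDS = {
    "adult": {"last_activity": date(2018, 6, 1), "date_of_birth": date(1980, 5, 5)},
    "minor": {"last_activity": date(2020, 1, 15), "date_of_birth": date(2015, 3, 10)},
    "leap": {"last_activity": date(2016, 2, 29), "date_of_birth": date(1970, 1, 1)},
    "held": {"last_activity": date(2015, 6, 1), "date_of_birth": date(1975, 1, 1),
             "legal_hold": True},
    "in_care": {"last_activity": date(2015, 6, 1), "date_of_birth": date(1975, 1, 1),
                "active_treatment_plan": True},
}

def evaluate_samples(today: date = date(2026, 2, 1)) -> Dict[str, Tuple[bool, str]]:
    """Run every sample record through the check on a fixed date."""
    return {name: destruction_eligible(rec, today) for name, rec in SAMPLE_RECORDS.items()}

if __name__ == "__main__":
    for name, (ok, why) in evaluate_samples().items():
        print(f"{name:8} eligible={ok!s:5} {why}")
```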

4. Retention Period Extensions

Retention periods defined in Section 3 represent minimums. Data may be retained beyond the minimum period in the following circumstances:

  • Active Legal Hold: Data subject to a legal hold (Section 5) is retained indefinitely until the hold is released by the Legal department
  • Ongoing Investigation: Data relevant to an active compliance investigation, security incident, or breach analysis is retained until the investigation is closed
  • Regulatory Request: Data subject to a regulatory inquiry, audit, or examination is retained until the matter is resolved plus any applicable appeal period
  • Contractual Obligation: Where a Business Associate Agreement (BAA) or other contractual obligation specifies a longer retention period, the longer period governs
  • Clinical Continuity: Clinical records for patients with active treatment plans or ongoing care relationships are not eligible for destruction regardless of the elapsed retention period
  • Pending Deletion Request: GDPR or CCPA deletion requests do not override clinical record retention requirements where HIPAA mandates continued retention

5. Legal Hold Procedures

A legal hold is a directive to preserve all potentially relevant data when litigation, governmental investigation, regulatory audit, or other legal proceeding is reasonably anticipated or pending. Legal holds override all standard retention schedules and automated destruction processes.

5.1 Hold Initiation

  • Legal holds are issued by the Legal department or Privacy Officer upon reasonable anticipation of litigation, investigation, or regulatory action
  • The hold notice specifies: the matter name, data categories subject to the hold, affected organizations or users, and the scope of preservation
  • All automated destruction processes for the affected data categories are immediately suspended
  • The hold is documented in the compliance system with a unique hold identifier, issue date, and issuing authority

5.2 Hold Scope

  • Data Preservation: All data within the hold scope is preserved in its current state, including backups, audit logs, and metadata
  • Backup Protection: Backup lifecycle policies are suspended for held data — affected backups are excluded from routine rotation and overwrite
  • Access Continuity: Legal holds do not change data access controls. Held data remains accessible only to users with existing authorized access
  • Deletion Requests: GDPR Article 17 (Right to Erasure) and CCPA §1798.105 deletion requests for data subject to a legal hold are acknowledged but deferred until the hold is released, as permitted under GDPR Art. 17(3)(e) and CCPA §1798.105(d)(4)

5.3 Hold Release

  • Legal holds are released only by the Legal department upon resolution of the underlying matter
  • Upon release, data reverts to its standard retention schedule. The retention clock resumes from the point at which it was suspended
  • Data that has exceeded its retention period during the hold becomes eligible for destruction immediately upon hold release, subject to the standard destruction process
  • Hold release is documented with: release date, releasing authority, and confirmation of resumed destruction eligibility

6. Data Destruction Methods

When a retention period expires and no legal hold applies, data is destroyed using methods appropriate to its classification and storage medium. All destruction methods are designed to render data permanently unrecoverable.

Cryptographic Erasure
  Applicable To: All data encrypted with per-tenant AWS KMS keys (primary method)
  Process: Destruction of the per-tenant KMS encryption key, rendering all data encrypted under that key permanently unreadable. Key deletion is scheduled with a 7-day waiting period per AWS KMS policy, allowing cancellation if initiated in error
  Standard: NIST SP 800-88 Rev. 1 (Cryptographic Erase)

Database Logical Delete → Physical Purge
  Applicable To: MongoDB collections (structured data)
  Process: Phase 1 — Logical Deletion: Record status set to deleted or removed; data excluded from application queries. Soft-delete flags (deleted: true, status: "deleted") prevent access while preserving for audit review. Phase 2 — Physical Purge: After confirmation of no legal hold or dependency, records are permanently removed from the database
  Standard: Internal procedure; NIST SP 800-88 (Clear)

S3 Object Deletion
  Applicable To: Amazon S3 objects (voice recordings, documents, attachments)
  Process: Permanent object deletion via S3 API. S3 lifecycle policies enforce automatic deletion of temporary processing artifacts (transcription intermediaries, presigned URL artifacts) within 24 hours. Versioned buckets require deletion of all object versions
  Standard: AWS S3 deletion; NIST SP 800-88 (Purge for cloud)

GDPR Anonymization
  Applicable To: User account data upon GDPR Article 17 deletion request
  Process: Irreversible anonymization: email replaced with deleted_{id}@deleted.rymeda.com, name set to “Deleted User,” phone/bio/avatar removed, status set to deleted, original email hash preserved for audit only. Associated posts soft-deleted, comments content replaced with “[Deleted],” messages marked sender_deleted, all sessions invalidated
  Standard: GDPR Art. 17; CCPA §1798.105

Physical Media Destruction
  Applicable To: Physical storage media (if applicable — e.g., decommissioned hardware)
  Process: Degaussing, shredding, or incineration by a certified destruction vendor. Rymeda’s cloud-native architecture minimizes physical media; applicable primarily to decommissioned devices
  Standard: NIST SP 800-88 Rev. 1 (Destroy)

6.1 Temporary Data & Processing Artifacts

Certain data is created as part of processing pipelines and is not subject to long-term retention:

S3 presigned upload/download URLs
  Retention: 1 hour (3,600 seconds)
  Destruction Method: Automatic expiration — URL becomes invalid

Voice transcription intermediaries
  Retention: 24 hours
  Destruction Method: S3 lifecycle policy — automatic deletion

AI processing queue artifacts
  Retention: 24 hours
  Destruction Method: S3 lifecycle policy — automatic deletion

GDPR data export files
  Retention: 7 days
  Destruction Method: Automatic deletion after download availability expires

Support impersonation sessions
  Retention: 5–120 minutes (configurable, default 30)
  Destruction Method: Automatic session invalidation at expiration

Rate limiter session data (ORIS guardrails)
  Retention: 60 seconds
  Destruction Method: In-memory cleanup — stale sessions automatically purged

7. Deletion Rights (GDPR & CCPA)

Rymeda honors data subject deletion rights under GDPR Article 17 (Right to Erasure) and CCPA §1798.105 (Right to Delete), subject to applicable legal exceptions.

7.1 Deletion Request Process

  • Deletion requests are submitted through the platform or by contacting legal@rymeda.com
  • Identity verification is performed before processing any deletion request
  • Requests are acknowledged within 3 business days and processed within 30 days (GDPR) or 45 days (CCPA)
  • A confirmation of deletion is provided to the data subject upon completion

7.2 Deletion Scope

Upon a verified deletion request, the following actions are taken:

  • User profile anonymized (email, name, phone, bio, avatar removed or replaced)
  • Associated posts and content soft-deleted
  • Message content replaced with “[Deleted]”
  • All active sessions invalidated
  • GDPR deletion record created with: deletion ID, original email hash (for audit), reason, authorized by, timestamp, and data summary
  • Audit log entry created with severity: "critical"

7.3 Exceptions to Deletion

HIPAA Retention Override

GDPR and CCPA deletion rights do not override HIPAA-mandated clinical record retention requirements. The following data is exempt from deletion requests:

  • Clinical records required to be retained under HIPAA §164.530(j) or California medical record retention laws
  • Audit logs required under HIPAA §164.312(b) (minimum 6-year retention)
  • Data subject to an active legal hold
  • Financial records required for tax compliance (7-year IRS retention)
  • Data necessary to establish, exercise, or defend legal claims (GDPR Art. 17(3)(e))
  • Data required for compliance with a legal obligation (GDPR Art. 17(3)(b); CCPA §1798.105(d))

Where deletion is partially restricted, we delete all data that is not subject to a retention exception and inform the data subject of the specific basis for continued retention.
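The deletion scope of Section 7.2 and the exceptions of Section 7.3, as an added example that is not Rymeda's code: a legal hold defers the request (Section 5.2), otherwise the profile is anonymized as Section 6 describes, messages are redacted, a deletion record with the original email hash is produced, and any HIPAA-retained category is reported back to the data subject. The document field names and sample data are assumptions constructed for the example.

```python
import hashlib
from datetime import datetime, timezone
from typing import Dict, List

# Added example (not Rymeda's code): the Section 7.2 deletion scope applied to a user
# document, with the Section 5.2 legal-hold deferral checked first and the Section 7.3
# clinical-record exception reported back. Field names (id, email, name, phone, bio,
# avatar, status, sessions, legal_hold, has_clinical_records, sender_id) are assumptions.

def email_hash(email: str) -> str:
    """Hash of the original address, kept in the deletion record for audit only."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()

def anonymize_user(user: Dict) -> Dict:
    """Irreversible profile anonymization as described in Sections 6 and 7.2."""
    anon = dict(user)
    anon["email"] = f"deleted_{user['id']}@deleted.rymeda.com"
    anon["name"] = "Deleted User"
    for field in ("phone", "bio", "avatar"):
        anon.pop(field, None)
    anon["status"] = "deleted"
    anon["sessions"] = []  # all active sessions invalidated
    return anon

def process_deletion_request(user: Dict, messages: List[Dict], now: datetime) -> Dict:
    """Defer under a legal hold; otherwise anonymize and return the user, the GDPR
    deletion record and the critical-severity audit entry."""
    if user.get("legal_hold"):
        # Acknowledged but deferred until release (GDPR Art. 17(3)(e), CCPA 1798.105(d)(4)).
        return {"outcome": "deferred", "reason": "active legal hold",
                "audit": {"severity": "critical", "event": "deletion_deferred",
                          "user_id": user["id"], "timestamp": now.isoformat()}}
    anon = anonymize_user(user)
    redacted = 0
    for msg in messages:  # message content replaced, sender flagged as deleted
        if msg["sender_id"] == user["id"]:
            msg["content"], msg["sender_deleted"] = "[Deleted]", True
            redacted += 1
    # Section 7.3: clinical records stay under HIPAA 164.530(j); tell the subject why.
    retained = ["clinical records (HIPAA 164.530(j))"] if user.get("has_clinical_records") else []
    record = {
        "deletion_id": f"gdpr-del-{user['id']}-{now.strftime('%Y%m%dT%H%M%SZ')}",
        "original_email_hash": email_hash(user["email"]),
        "reason": "GDPR Art. 17 / CCPA 1798.105 request", "authorized_by": "Privacy Officer",
        "timestamp": now.isoformat(),
        "data_summary": {"profile_anonymized": True, "messages_redacted": redacted,
                         "sessions_invalidated": len(user.get("sessions", [])),
                         "retained": retained},
    }
    audit = {"severity": "critical", "event": "gdpr_deletion",
             "deletion_id": record["deletion_id"], "timestamp": now.isoformat()}
    return {"outcome": "deleted", "user": anon, "record": record, "audit": audit}

# Constructed sample data (not real users or messages).
SAMPLE_USER = {"id": "u123", "email": "Jane.Doe@example.com", "name": "Jane Doe",
               "phone": "555-0100", "bio": "Clinician", "avatar": "avatars/u123.png",
               "status": "active", "sessions": ["sess-1", "sess-2"], "has_clinical_records": True}
SAMPLE_MESSAGES = [{"id": "m1", "sender_id": "u123", "content": "hello"},
                   {"id": "m2", "sender_id": "u999", "content": "reply"}]

def run_sample(legal_hold: bool = False) -> Dict:
    user = dict(SAMPLE_USER, legal_hold=legal_hold)  # fixed time keeps the result reproducible
    return process_deletion_request(user, [dict(m) for m in SAMPLE_MESSAGES],
                                    datetime(2026, 2, 1, 12, 0, tzinfo=timezone.utc))
```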

8. Destruction Certification

Every data destruction event is formally certified to maintain a verifiable chain of custody and demonstrate regulatory compliance. Destruction certificates are retained for 6 years per HIPAA §164.530(j).

8.1 Certificate Contents

Each destruction certificate records the following:

Certificate ID: Unique identifier for the destruction event
Destruction Date: Date and time (UTC) the destruction was executed
Data Categories: Classification of data destroyed (e.g., Restricted PHI, Confidential ePHI, Financial)
Record Count: Number of records or objects destroyed
Destruction Method: Method used (cryptographic erasure, logical delete + physical purge, S3 deletion, anonymization, physical destruction)
Standard Compliance: Applicable standard (NIST SP 800-88 Rev. 1 — Clear, Purge, or Destroy)
Authorized By: Name and title of the officer who authorized the destruction
Executed By: Name and title of the person or system that performed the destruction
Witness: Name and title of the independent witness who verified the destruction
Legal Hold Check: Confirmation that no active legal hold applies to the destroyed data

8.2 Certificate Retention

  • Destruction certificates are retained for a minimum of 6 years from the destruction date
  • Certificates are stored in encrypted, append-only storage separate from the data they document
  • Certificates are available for regulatory audit upon request
  • The certificate register is reviewed quarterly by the Compliance team

9. Backup & Disaster Recovery Data

Backup copies are subject to the same retention and destruction requirements as primary data, with the following considerations:

  • Backup Encryption: All backup copies are encrypted with AES-256 using the same per-tenant KMS keys as primary storage. Cryptographic erasure of the primary key also renders backup data unrecoverable
  • Backup Rotation: Automated backup lifecycle policies manage retention and rotation. Daily backups are retained for 30 days; weekly backups for 90 days; monthly backups for 1 year
  • DR Copies: Disaster recovery copies replicated across AWS regions inherit the retention schedule of their source data
  • Destruction Cascading: When primary data is destroyed, the destruction process includes verification that corresponding backup and DR copies are also queued for destruction at the next rotation cycle or via explicit deletion
  • Legal Hold on Backups: Backups containing data subject to a legal hold are excluded from rotation until the hold is released

10. Subprocessor Data Retention

Third-party subprocessors that process Rymeda data are contractually bound to retention and destruction requirements consistent with this Policy. For a complete list of subprocessors, see our Subprocessor List.

OpenAI (Whisper / GPT)
  Data Retained: Zero — Zero Data Retention (ZDR)
  Retention Policy: No data retained after API response
  Deletion on Termination: N/A — no data to delete

Google (Gemini)
  Data Retained: Zero — HIPAA BAA, no training use
  Retention Policy: No data retained after API response
  Deletion on Termination: N/A — no data to delete

MongoDB Atlas
  Data Retained: All structured data (encrypted)
  Retention Policy: Per Rymeda retention schedule
  Deletion on Termination: Deletion within 30 days of termination per DPA

AWS (S3, Cognito, KMS)
  Data Retained: Objects, auth tokens, encryption keys
  Retention Policy: Per Rymeda retention schedule + S3 lifecycle policies
  Deletion on Termination: Deletion per AWS BAA terms

Stripe
  Data Retained: Payment data (PCI DSS L1)
  Retention Policy: Per Stripe data retention and PCI requirements
  Deletion on Termination: Deletion request supported; subject to regulatory holds

SendGrid (Twilio)
  Data Retained: Email delivery logs
  Retention Policy: 30 days (delivery logs), no message body retained
  Deletion on Termination: Automatic expiration of logs

100ms
  Data Retained: Telehealth session metadata
  Retention Policy: Per 100ms data retention policy
  Deletion on Termination: Deletion within 30 days of termination

Plausible Analytics
  Data Retained: Aggregate, anonymous metrics only
  Retention Policy: 24 months (no personal data)
  Deletion on Termination: N/A — no personal data collected

11. Exceptions

Exceptions to this Policy may be granted in limited circumstances:

  • Regulatory Requirement: Where a federal or state regulation requires a retention period different from this Policy, the longer period governs
  • Contractual Obligation: Where a customer agreement specifies a longer retention period, the contractual period governs for that customer’s data
  • Research Authorization: De-identified data may be retained beyond standard periods for authorized research purposes under a data use agreement and IRB approval
  • Technical Limitation: Where immediate destruction is not technically feasible (e.g., data embedded in encrypted backups awaiting rotation), destruction is completed at the earliest technically feasible time

All exceptions must be documented with: the data category, the basis for the exception, the extended retention period, the approving authority (Privacy Officer or Legal), and a review date.

12. Roles & Responsibilities

Privacy Officer: Owns this Policy. Approves retention exceptions. Reviews destruction certificates. Manages legal holds. Responds to deletion requests
Legal Department: Issues and releases legal holds. Advises on regulatory retention requirements. Reviews Policy annually
Compliance Team: Monitors retention schedule adherence. Conducts quarterly certificate register reviews. Processes GDPR/CCPA deletion requests. Maintains audit trail
Engineering: Implements automated retention enforcement (S3 lifecycle policies, database purge jobs, backup rotation). Maintains destruction tooling. Executes technical destruction
All Workforce Members: Report data that may be subject to legal hold. Do not independently delete clinical or regulated data. Follow data handling procedures per training

13. Policy Review & Audit

This Policy is subject to regular review and audit to ensure continued compliance with evolving legal, regulatory, and operational requirements.

  • Annual Review: Comprehensive review of all retention schedules, destruction methods, and certification procedures at minimum once per calendar year
  • Regulatory Updates: Policy is updated within 30 days of applicable regulatory changes at the federal or state level that affect retention periods or destruction requirements
  • Quarterly Certificate Review: The Compliance team reviews all destruction certificates issued in the preceding quarter to verify completeness and accuracy
  • Annual Destruction Audit: Internal audit of the destruction process, including sampling of destruction certificates, verification of backup rotation compliance, and legal hold register review
  • Subprocessor Review: Annual verification that all subprocessors comply with their contractual data retention and destruction obligations
  • Version Control: All policy versions are retained with effective dates, and material changes are communicated to affected stakeholders

Contact

For questions about this Data Retention & Destruction Policy, to submit a data deletion request, or to report a retention concern:
