Use this page to map each major HEA-World data category to purpose, role, retention, notice, evidence, and gaps. This is an accountability workspace, not a final legal position.
⚠️ Partial Notices exist but DSAR path is manual only.
Retention rule
TTL, cleanup policy, permanent until deletion, or manual review needed.
Map to KV/R2 registry, cleanup job, or policy note.
Retention Posture by Dataset
Dataset
Current Retention
Status
Chat messages (KV)
Legacy dual-write (chat:{id}:{ts}) — still written for compatibility alongside chatHistory:. Recommend deprecating dual-write and one-time cleanup.
⚠️ Deprecate dual-write
Chat history (KV)
Archive to encrypted R2, then delete KV — cron conversation-archive enforces encrypt→write→verify→delete ordering; chatHistory only deleted when no active sessions remain for visitor
✅ Archive engine
Conversation archives (R2)
3-year retention target
⚠️ Sweep not yet active
Chat budget/RAG traces
14-day TTL
✅ Auto-expire
WhatsApp sessions
24h TTL
✅ Auto-expire
CRM contacts/leads (R2)
Permanent
⚠️ No delete path
Billing records (KV)
Permanent — retained per EU tax/accounting obligation (7-10 year minimum)
✅ Retained — legal obligation
Connector tokens (KV)
Delete on disconnect
✅ Revocation path exists
Trial rate limiters (KV)
Permanent (no TTL) — should add 30-day TTL at write time (counters only, no PII)
🔵 Add TTL
Minimisation decision
Required, optional, sensitive, or avoidable.
Avoidable or sensitive fields need owner decision.