Home Fraud Defense™ Data Retention Policy

Version: 1.2 Effective Date: May 4, 2026 Owner: Compliance Lead

This policy governs how long Home Fraud Defense, LLC ("HFD") retains data and when it must be archived, anonymized, or deleted. Consistent application of this policy is the foundation of our legal-defense posture. Selective deletion is prohibited.

1. Retention Schedule

1.a Anonymous tool submissions (open scanners)

Data category	Retention period	Enforcement
Phone-number lookups (`phone_lookups`)	24 hours	Daily purge job (03:30 UTC) + on-startup sweep
Email-address lookups (`email_lookups`)	24 hours	Daily purge job + on-startup sweep
URL / link lookups (`url_lookups`)	24 hours	Daily purge job + on-startup sweep
Scan records (`scans`)	24 hours	Daily purge job + on-startup sweep
Message-review submissions (`message_reviews`, including reviewer outcomes)	24 hours	Daily purge job + on-startup sweep
Raw third-party API responses (ATTOM, BatchData, IPQS, Safe Browsing, etc.)	Not retained	Schema does not contain a `raw_response` column; responses are parsed, scored, and discarded in-process
User-saved deed reports (`deed_reports`)	30 days	Daily purge job
Page-view analytics (`page_views`)	90 days	Daily purge job

The above periods are enforced by runRetentionPurge in artifacts/api-server/src/scheduler.ts, which runs daily at 03:30 UTC and once at every server start.

1.b Account-bound and legal-defense data

Data category	Retention period	Rationale
Account record (email, name, hashed password)	Active life of account + 24 months after closure	User support, anti-fraud, and reactivation
Audit events (sign-ins, scans, views, admin actions)	7 years from event date	Statute-of-limitations defense for tort and contract claims in most U.S. jurisdictions
Terms / Privacy / AI-Disclosure acceptances	Indefinite	Required to enforce arbitration and liability provisions
Communications log (transactional emails)	5 years	Service operation, dispute resolution
Fraud-registry submissions — approved & displayed	Indefinite, subject to dispute review	Public-interest publication
Fraud-registry submissions — rejected	24 months	Track repeat false reporters
Fraud-registry submissions — withdrawn by submitter	24 months audit copy, then archive	Same as above
Property Visibility Report suppression requests (`dispute_requests`, type = property-visibility-report-suppression)	7 years	Defense narrative for owner-name display & removal compliance
Pro-saved screening records (`screening_records`)	7 years	E&O / regulatory record-keeping for licensed professionals
Payment records	7 years (Stripe-managed)	Tax / audit
IP addresses & user-agents (general logs)	24 months	Operational debugging
IP addresses in audit events	7 years (with audit event)	Required for defense narrative
Backup snapshots	90 days rolling	Disaster recovery — anonymous-tool data may persist in encrypted backups for the backup window even after the active-database row has been purged
Litigation-hold records	Until written release of hold	Spoliation prevention

1.c What we never retain

Raw third-party API responses (the raw_response columns were dropped from phone_lookups, email_lookups, and url_lookups on May 3, 2026).
Payment-card numbers (handled by Stripe).
AI-model training data derived from user submissions. HFD does not train any model on user content. Submissions are processed by third-party AI providers under their own zero-retention or short-retention terms and are not added to any HFD-controlled training corpus.

2. Lifecycle Actions

Three actions are available in the admin tools. They must be used as defined and always logged.

2.1 Archive

Effect: Sets archived_at, archived_by, archive_reason. Hides the row from default admin grids.
Preserves: All fields, all audit events, all TOS acceptances, all submissions.
Reversible. Use this as the default when "removing" a user from active operations.
Required reason text.

2.2 PII Purge

Effect: Replaces name, email, phone, profile photo, and other direct identifiers with deleted-user-{hash} placeholders. Sets pii_purged_at, pii_purged_by, purge_reason. Audit events remain linked by stable user ID.
Use when: A verified data-subject access right requires deletion (CCPA/CPRA right to delete, GDPR Art. 17 erasure, equivalent).
Required reason text — typically references the request ID.
Irreversible.

2.3 Hard Purge

Effect: Deletes the user row entirely, but inserts an immutable tombstone audit event with the original user ID, the snapshot of the row at deletion (hashed), and the reason.
Use when: Required by law (e.g., child data inadvertently collected), or after PII purge has been in place for the full audit retention period.
Required reason text + dual approval (admin + compliance lead).
Irreversible.

2.4 Litigation Hold

Effect: Sets litigation_hold = true, litigation_hold_reason, litigation_hold_set_at, litigation_hold_set_by. Blocks all of 2.1, 2.2, 2.3 for the affected record(s).
Triggered by any of:
- Receipt of complaint, subpoena, court order, demand letter, or pre-suit preservation request.
- Reasonable anticipation of litigation involving the user, account, property, or submission.
- Internal fraud, security, or HR investigation involving the record.
Released only by: Compliance Lead, in writing, after litigation/investigation closes.

3. Routine Disposal

Records that have aged past their retention period are reviewed quarterly. Disposal is performed in batch, logged in the audit stream, and accompanied by a written disposal certificate retained for 7 years.

4. Exceptions

Any deviation from this policy requires written approval from the Compliance Lead and a contemporaneous record of the rationale, stored in the same audit stream.

5. Review

This policy is reviewed annually and on any material change in applicable law or business practice.

6. Contact

Home Fraud Defense, LLC 9362 W Sands Drive, Peoria, AZ 85383 Email: info@homefrauddefense.org · Telephone: (623) 263-2382