Data retention policy builder
Select the data types you collect and the regulations that apply to your business. Get recommended retention periods with regulatory context — ready to copy or download.
Retention policy reference table
How to use this table
The periods shown are the recommended maximum retention durations for each data type under each regulatory framework. A usable policy specifies three things for each category: the retention period, the trigger event that starts the clock (e.g. "from the date the account is closed"; pick an event your systems actually record, otherwise deletion cannot be automated or audited), and the deletion method (e.g. "secure erasure or anonymisation").
Where two regulations apply and give different periods, default to the stricter (shorter) period unless a specific law in your jurisdiction requires longer. Tax and financial record-keeping laws often override privacy-law minimisation principles and set a floor you cannot go below. When such a floor exceeds a privacy-law maximum, keep the longer period and record the statutory obligation as the legal basis for it, so the deviation from the minimisation principle is documented rather than implicit.
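The resolution rule above (take the shortest recommended maximum, but never go below a statutory floor, and document whichever rule won) is easy to get wrong when a schedule is maintained by hand across several frameworks. The following is an added example, not the builder's own code: a small resolver that applies the rule to a set of per-regulation entries and emits one policy row per data type with period, trigger event, deletion method and legal basis. All regulation names, data types and month values in SAMPLE_RULES and SAMPLE_TRIGGERS are constructed placeholders chosen to exercise the logic; they are not retention periods required by GDPR, CCPA, HIPAA, SOX or any tax law.

```python
"""Retention schedule resolver.

Added example. The numbers in SAMPLE_RULES are constructed placeholders
to demonstrate the resolution rule, not real regulatory retention periods.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    regulation: str
    data_type: str
    months: int
    kind: str  # "max": keep no longer than this; "floor": must keep at least this long


@dataclass
class PolicyEntry:
    data_type: str
    retention_months: int
    trigger_event: str
    deletion_method: str
    basis: str  # regulation whose period was adopted
    # Set when a statutory floor forced the period above this regulation's maximum;
    # that is the deviation you must document as a legal obligation.
    overrides_max_of: Optional[str] = None


def resolve(data_type: str, rules: list, trigger_event: str, deletion_method: str) -> PolicyEntry:
    """Shortest maximum wins, unless a floor is longer; an uncovered type is an error, not a default."""
    applicable = [r for r in rules if r.data_type == data_type]
    if not applicable:
        raise ValueError(f"no rule covers {data_type!r}; consult counsel rather than guessing")
    maxima = [r for r in applicable if r.kind == "max"]
    floors = [r for r in applicable if r.kind == "floor"]
    shortest = min(maxima, key=lambda r: r.months) if maxima else None
    longest_floor = max(floors, key=lambda r: r.months) if floors else None

    if shortest is None:  # only floors apply: keep for the longest mandated period
        return PolicyEntry(data_type, longest_floor.months, trigger_event, deletion_method,
                           longest_floor.regulation)
    if longest_floor is None or longest_floor.months <= shortest.months:
        return PolicyEntry(data_type, shortest.months, trigger_event, deletion_method,
                           shortest.regulation)
    # A mandatory floor exceeds the strictest privacy maximum: the floor wins, and the
    # overridden maximum is recorded so the policy can cite the statutory basis.
    return PolicyEntry(data_type, longest_floor.months, trigger_event, deletion_method,
                       longest_floor.regulation, overrides_max_of=shortest.regulation)


def build_schedule(rules: list, triggers: dict) -> list:
    """One PolicyEntry per data type; triggers maps data_type -> (trigger_event, deletion_method)."""
    return [resolve(dt, rules, trig, method) for dt, (trig, method) in triggers.items()]


def to_tsv(entries: list) -> str:
    """Tab-separated table suitable for pasting into a policy document."""
    lines = ["data_type\tretention_months\ttrigger_event\tdeletion_method\tbasis\toverrides_max_of"]
    for e in entries:
        lines.append("\t".join([e.data_type, str(e.retention_months), e.trigger_event,
                                e.deletion_method, e.basis, e.overrides_max_of or "-"]))
    return "\n".join(lines)


# Constructed placeholder inputs (not legal guidance).
SAMPLE_RULES = [
    Rule("GDPR", "account_profile", 24, "max"),
    Rule("CCPA", "account_profile", 36, "max"),
    Rule("GDPR", "invoices", 24, "max"),
    Rule("Tax law (placeholder)", "invoices", 84, "floor"),
    Rule("SOX", "audit_logs", 72, "floor"),
]
SAMPLE_TRIGGERS = {
    "account_profile": ("account closed", "secure erasure"),
    "invoices": ("invoice issued", "secure erasure"),
    "audit_logs": ("record created", "secure erasure"),
}

if __name__ == "__main__":
    print(to_tsv(build_schedule(SAMPLE_RULES, SAMPLE_TRIGGERS)))
```

The resolver deliberately raises on a data type with no applicable rule instead of falling back to a "best practice" number, because a silent default is exactly the kind of undocumented retention a regulator will ask you to justify. The overrides_max_of column is the audit trail for every case where a record-keeping floor beat a privacy-law maximum.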
Review your retention schedule at least annually — regulatory requirements change, and your data processing activities may change too.
About this tool
This tool generates a retention period reference table based on the data types you collect and the regulatory frameworks that apply to your business. It covers GDPR (EU/UK), CCPA (California), HIPAA (US healthcare), SOX (US financial), and general best-practice recommendations. Periods are based on publicly available regulatory guidance and common industry practice. The output is a starting point for a formal retention policy — not a substitute for legal advice.
Frequently asked questions
Is the output of this tool legally binding or sufficient for compliance?
No. This tool generates indicative guidance based on publicly available regulatory summaries. Actual retention obligations depend on your specific jurisdiction, industry, the exact type of data collected, your business structure, and how courts and regulators have interpreted the rules in your region. Always have your retention policy reviewed by a qualified privacy lawyer or data protection officer before implementing it.
My business operates in multiple countries — which jurisdiction should I select?
Select all jurisdictions that apply to your customer base or employee base. If you have EU customers, GDPR applies to those records. If you have California customers, CCPA may apply. Where two rules conflict, apply the stricter one: for privacy rules that is normally the shorter period, while a record-keeping law that mandates a minimum period sets a floor you must meet. That is the safest approach and is generally what regulators expect.
What does "best practice" mean in this context?
Where no specific regulation mandates a retention period, "best practice" is a common industry standard derived from statutory limitation periods, security guidance from bodies like NIST and ENISA, and widespread industry convention. It is a reasonable default if you operate across multiple jurisdictions without a dominant single framework.
GDPR says data should not be kept "longer than necessary" — why does this tool give specific periods?
GDPR itself sets no fixed retention periods; its storage limitation principle requires you to determine what is necessary for your specific purpose. The periods listed here reflect two things: (1) other legal obligations (e.g. tax laws) that override GDPR's minimisation principle and effectively set a floor, and (2) commonly accepted interpretations of "necessary" for each category, based on regulatory guidance and enforcement decisions. Your specific situation may justify shorter or longer periods, and either way the reasoning should be written down in your policy.
What about data types not listed here?
This tool covers the most common categories. For specialist data — clinical trial records, immigration documents, pension records — consult your legal counsel directly. You can also add unlisted types to your output manually after downloading.