About this schedule
This schedule lists every category of personal data Called 2 Work DBA Zia Code LLCholds, how long we hold it, the legal basis for that period, and the mechanism that enforces deletion. It operationalizes the GDPR Art. 5(1)(e) “storage limitation” principle (personal data kept in a form which permits identification only as long as necessary) and Called 2 Work's service-provider obligations under the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA).
Where the deletion mechanism is implemented in shipped code (a cron worker, a soft-delete transaction, a token TTL), the cross-reference column cites it so counsel and auditors can verify each row against the actual code path that enforces it.
Schedule
| Data category | Retention period | Legal basis | Deletion mechanism | Cross-reference |
|---|---|---|---|---|
| User accounts | Active for the life of the account, then a 30-day soft-delete grace period before hard delete | Contractual necessity; user-initiated deletion right | User-initiated soft-delete sets a deletedAt timestamp; a daily hard-delete worker permanently purges accounts past the 30-day grace window | Soft-delete grace + hard-delete worker shipped in PR #111 |
| Job postings | Active until expiry, then retained 90 days post-expiry | Legitimate interest in audit trail and dispute resolution for closed listings | Expiry timestamp on the Job model; a scheduled worker hard-deletes records past expiry + 90 days | |
| Job applications | Retained for 180 days after the related job posting closes or the application is withdrawn | Legitimate interest in employment-records compliance and dispute resolution | Cascade delete tied to job/application lifecycle; scheduled worker prunes records past the 180-day window | |
| Messages and chat | Retained for the lifecycle of the conversation; deleted when both participants delete their accounts or 90 days after the last activity in an abandoned thread | Contractual necessity (delivering the chat feature); legitimate interest in safety review | Cascade delete on account hard-delete; scheduled worker prunes abandoned threads | |
| Audit logs | 7 years | Security investigation, fraud prevention, and compliance recordkeeping | Append-only audit log table; scheduled worker prunes records older than 7 years | |
| Donation records | 7 years | US tax law recordkeeping requirements (IRS § 6501) | Donation records retained in the database; Stripe customer / payment records retained per Stripe's own retention policy | |
| Resumes and uploaded attachments | Until replaced by the user, or 30 days after account deletion (matches the soft-delete grace window) | Contractual necessity; user-initiated deletion right | Cloudflare R2 object delete triggered by replacement upload or by the hard-delete worker at the end of the 30-day grace window | Hard-delete worker shipped in PR #111 |
| Cookie consent records | 3 years rolling from the most recent consent action | GDPR Art. 7(1) accountability — proof that consent was obtained | Consent records timestamped on the consents table; scheduled worker prunes records older than 3 years from the last update | |
| Email magic-link tokens | 15 minutes | Authentication security | Database-backed token row with a 15-minute TTL; tokens are also single-use and invalidated on first redemption | |
| Account-deletion confirmation tokens | 24 hours | Required to verify the user's identity before processing an account-deletion request | Database-backed token row with a 24-hour TTL; single-use and invalidated on confirmation | Magic-link delete confirmation tokens shipped in PR #114 |
Acting on your data today
The schedule above describes the maximum retention windows. You do not have to wait for them to elapse: the privacy policy documents your data-subject rights, and the following user-facing endpoints let you act on them now without contacting support:
/api/me/export— download a machine-readable copy of your data (GDPR Art. 15 / CCPA right to know)./api/me/delete— initiate account deletion (GDPR Art. 17 / CCPA right to delete). Triggers the user-accounts soft-delete + hard-delete flow described in the schedule./api/me/consents— review or withdraw your cookie and processing consents (GDPR Art. 7(3) / CCPA opt-out).
The current sub-processor list identifies the third parties that process your data on our behalf; their retention is governed by the contracts referenced on that page in addition to the schedule above.
Updates to this schedule
The operator may update this schedule from time to time — typically to shorten a retention window, to add a new category when we begin processing a new kind of data, or to update a cross-reference when the enforcing code path moves. Material changes will be announced via the same channel used for privacy policy updates (in-app notice plus an email to active members), and the version and last-updated stamp at the top of this page will change accordingly.
Lengthening a retention window is treated as a material change and triggers the same notice. Shortening a window — or adding a new category that begins life with a defined window — does not require a notice but is still reflected in the version stamp.
Questions about a specific row, or requests to verify a cross-reference against the codebase, should be directed to [email protected].