Purpose

Qetalist seeks to ensure that it retains only data necessary to effectively conduct its program activities and work in fulfilment of its mission. The need to retain data varies widely with the type of data and the purpose for which it was collected. Qetalist strives to ensure that data is only retained for the period necessary to fulfil the purpose for which it was collected and is fully deleted when no longer required. This policy sets forth Qetalist's guidelines on data retention and destruction, and is to be consistently applied throughout the organization.



Scope

The scope of this data retention and destruction policy is all information technology systems, software, databases, applications and network resources needed by Qetalist to conduct its business. The policy is applicable to all company employees, contractors and other authorized third-party organizations.



Statement of Compliance

This policy is designed to be compliant with the U.S. Data Protection Act of 1998, Freedom of Information Act of 2000, Fair and Accurate Credit Transactions Act of 2003, Personal Information Protection and Electronic Documents Act in Canada, Gramm-Leach-Bliley Act, and Europe's General Data Protection Regulation.

Data retention and destruction policy compliance is managed by the IT department, with support from Qetalist department leadership and subject matter experts. To achieve compliance, data retention and destruction programs must include appropriate procedures, and identify staffing and technology resources to meet compliance requirements.



Policy

The Information Technology (IT) department is responsible for managing all data retention and destruction activities for the Company. Other departments, such as Finance and Accounting, Operations and Human Resources, are also responsible for providing the IT department with their requirements for data retention and destruction. The IT department is responsible for developing, executing and periodically testing data retention and destruction procedures. The IT department also acknowledges it will comply with appropriate industry standards for data retention and destruction in its activities.

  1. The company shall develop comprehensive data retention and destruction plans in accordance with good data management practices as defined by established standards.

  2. Data retention and destruction activities shall be performed as part of the company's data management program, which administers and manages the overall technology data management program, which includes:
    • Planning and design of data retention and destruction activities;
    • Identification of data retention and destruction teams, defining their roles and responsibilities and ensuring they are properly trained and prepared to perform their duties;
    • Planning, design and documentation of data retention and destruction plans;
    • Scheduling of updates to data retention and destruction risk analyses;
    • Planning and delivery of awareness and training activities for employees and data retention and destruction team members;
    • Planning and execution of data retention and destruction plan exercises;
    • Designing and implementing data retention and destruction maintenance activities to ensure that plans are up to date and ready for use;
    • Preparing for management review and auditing of data retention and destruction plan(s); and
    • Planning and implementation of continuous improvement activities for data retention and destruction activities and plans.

  3. Formal risk assessments (RAs) and business impact analyses (BIAs) shall include requirements for data retention and destruction activities; RAs and BIAs shall be updated at least annually to ensure they are in alignment with the business and its technology requirements.

  4. Data retention and destruction plans shall address electronic data stored on electronic media such as CDs, hard disk drives, solid state disk drives, magnetic tape and other appropriate media.

  5. Data retention and destruction plans shall address data stored on non-electronic media (e.g., paper files, microfiche).

  6. Data retention and destruction plans shall address electronic information systems (e.g., servers, routers, switches) and components (e.g., cabling and connectors, power supplies, storage racks) and other assets that are currently out of production or scheduled to be phased out of production environments.

  7. Data retention plans shall establish the storage requirements and associated metrics (e.g., length of storage, type of storage media) for electronic and non-electronic information as well as systems supporting the IT infrastructure.

  8. Data destruction plans shall establish the parameters for destruction of electronic data (e.g., overwriting, reformatting, degaussing, firmware-based erasure, physical data media destruction), non-electronic data (e.g., shredding of hard copy), and systems and components (e.g., third-party destruction services).

  9. Data retention and destruction plans shall be periodically reviewed and tested in a suitable environment to ensure that data, databases, media, systems and other relevant elements can be retained or destroyed and that Qetalist management and employees understand how the plans are to be executed as well as their roles and responsibilities.

  10. All employees must be made aware of the data retention and destruction program and their own roles and responsibilities.

  11. Data retention and destruction plans and other documents are to be kept and will reflect existing and changing circumstances.


Data Retention and Destruction Specifications

The personal data that Qetalist requires users to provide in order to sign up for the platform is encrypted in transit when it's sent to our servers to be stored in our database. Apart from our own database, this personal data is sent to Stripe, our payment services provider, in order to create and maintain customer financial transaction records in their system. All of this personal data gets deleted from our database, along with Stripe's, when a customer deletes their account from our platform; all we keep is their username, and some other account-related data for record-keeping purposes.

The other form of data that a user may choose to save on our platform is their payment methods. Whether to do so is entirely up to the user; we do not require it. If, for their own convenience, a user decides to save payment methods on our platform, the payment method data is handled and stored securely by our payment services provider, Stripe. This data never reaches Qetalist's servers; it is sent directly to Stripe, which follows the Payment Card Industry Data Security Standard (PCI DSS) when handling and storing payment method data and provides us with a payment method ID. We can use this ID to request that Stripe charge the payment method only if the user later decides to use it to make a payment. The user is free to remove any saved payment method at any time. When they do so, that payment method's ID is dissociated from the user; a dissociated payment method ID can never again be associated with a user, nor can it ever be charged in the future. When a user deletes their Qetalist account, their saved payment methods' IDs are automatically dissociated and cannot be used ever again.



Data Destruction Procedure

Qetalist requires users' personal data to perform its operations, so to completely delete their personal data, a user would have to delete their Qetalist account. All of a user's personal data is automatically deleted when they delete their Qetalist account. To delete a Qetalist account, follow these steps in the Qetalist app:

  1. Tap on the main menu button in the top left corner.

  2. When the main menu opens, tap on your username to open your profile.

  3. In the profile, tap on the lock to open it and make your profile editable.

  4. The button to delete your account will now appear at the bottom of the profile panel; tap on it.

  5. You will be shown the editor, which has a checkbox to confirm that you want to delete your account and an empty field asking for your password. Check the checkbox, enter your password in the field, and press the Enter key on the keyboard.

  6. Your Qetalist account will now be deleted immediately, if you don't have any active items linked to your account, and you will be taken to the Login screen.
© Qetalist LLC