Keeping data forever is neither legal nor ethical. For compliance, define retention windows in advance and automate the cleanup.
The best policy is one that is written and automatically enforced. Retention left to human memory is the weakest link during a privacy audit.
Buaze’s current stance
- Customer IP: anonymized automatically after 90 days.
- Review data: retained unless the customer requests deletion (business relationship).
- Audit log: 2 years.
- Email metadata: kept minimally for delivery tracking.
- Anonymous reviews never appear in the customer list.
Write down your policy
Document how long each field is kept and under what condition it is anonymized. This guides the internal team and speeds up audit responses.
Customer requests
A customer can request deletion of their data, a copy of it, or a change in processing purpose. These requests are handled manually, but the response timeline must follow a clear procedure.
Checklist
- Written retention policy exists.
- IP anonymization cron is live.
- Audit log retention is documented.
- Customer request process is defined.
- Annual policy review has taken place.
FAQ
Can everything be deleted?
Yes, with exceptions such as financial records that are subject to a legal retention period. Confirm scope with legal counsel.
Can anonymous reviews be used in marketing?
They can support operational analysis as long as the customer cannot be re-identified through a combination of data points.