Data Retention Policies

Data retention policies control how long CrystalQore keeps different types of data. After the retention period expires, data is automatically purged. Configuring retention helps with storage management, compliance (GDPR, HIPAA), and data lifecycle control.

Overview

You can set retention periods for:

• Chat messages — Instant messages and group chat history
• Call records (CDR) — Call Detail Records
• Files — Uploaded and shared files
• Audit logs — Administrative action history
• Notifications — User notifications (in-app, etc.)

Each category can have its own retention period. Expired data is removed by a scheduled job (e.g., cron or background worker).

Accessing Retention Policies

1. Log in as Superadmin
2. Navigate to Admin → Retention or Admin → Retention Policies
3. Configure retention periods for each data type

Retention Periods

Retention is typically specified in days. Common options:

Data Types and Retention

Chat Messages

• Scope — Direct messages, group chats
• Purge — Messages older than the retention period are deleted
• Consideration — Shorter retention may frustrate users; longer retention increases storage

Call Records (CDR)

• Scope — Call Detail Records (who called whom, when, duration, etc.)
• Purge — Records older than the retention period are deleted
• Consideration — Important for billing, analytics, and compliance. Align with legal requirements.

Files

• Scope — Uploaded files, attachments
• Purge — Files older than the retention period are deleted from storage
• Consideration — Ensure users are notified or have exported important files before purge

Audit Logs

• Scope — Administrative action logs
• Purge — Log entries older than the retention period are deleted
• Consideration — Many compliance frameworks require audit log retention (e.g., 1–7 years). Set accordingly.

Notifications

• Scope — In-app notifications, notification history
• Purge — Notifications older than the retention period are deleted
• Consideration — Usually safe to purge after 30–90 days; users rarely need old notifications

Compliance

GDPR

• Data minimization — Retain only as long as necessary
• Right to erasure — Retention policy supports automated deletion
• Purpose limitation — Align retention with stated purposes

HIPAA

• 6-year rule — HIPAA generally requires retaining certain records for 6 years
• Audit logs — Retain audit logs as required by your compliance program
• PHI — Ensure chat, call records, and files containing PHI follow HIPAA retention requirements

Other Frameworks

• SOC 2 — Audit log retention per control requirements
• Financial — Call records may need longer retention for billing disputes

Automatic Purge

Purge typically runs on a schedule (e.g., daily):

1. System checks each data type's retention policy
2. Identifies records older than the retention period
3. Deletes them (or archives if configured)
4. Logs the purge operation (often in audit logs)

Purge is irreversible. Ensure retention periods are correct before enabling.

Best Practices

• Document policies — Record retention decisions and rationale
• Align with legal — Get compliance sign-off on periods
• Start conservative — Prefer longer retention initially; shorten after review
• Monitor storage — Retention directly affects database and file storage size
• Export before purge — If users need historical data, support export before automatic deletion

Related Documentation