Map.ca treats deletion as a real right, not a checkbox. Constitution §2 principle 6 — Collect less, protect more — sets the upstream rule: the safest data is data Map.ca never collects. This policy handles the downstream rule: when data is collected, it has a clock, and when the clock runs out or the user asks, the data goes.
Map.ca’s URL permanence principle is strong but it is not the same thing as content permanence or account permanence. The policy separates seven categories: public URL permanence (URLs do not disappear; their content can be replaced or marked archived), content deletion (the user removes specific content), account deletion (the user closes their account), archive records (immutable snapshots used for audit and dispute resolution), legal retention (records held for legally required periods), civic audit logs (kept for the period set by Civic Pin governance), and anonymized analytics (no identifying data, kept indefinitely only when truly anonymized).
Operational rules: every collected field gets a documented retention period before it ships. Deletion requests are logged. Backups are scheduled so that deleted data ages out of them within the documented retention window, which makes a deletion real, not a delayed restore. URL permanence does not override a person’s right to remove their personal content from public view — the URL stays; the content is updated or removed.
This policy is internal because it governs engineering and operations, but its outputs are public: the deletion paths in account settings, the appeals route for refused deletion, and the transparency report on deletion volumes.
Requirements
- Assign every collected field to one of the seven retention categories.
- Document the retention period for every field before it ships.
- Log deletion requests and the action taken in response.
- Schedule backups so deletion in production removes data from backups within the documented cycle.
Prohibitions
- Do not retain personal data indefinitely outside the legal retention category.
- Do not use the URL permanence rule to refuse deletion of personal content.
- Do not restore deleted personal content from a backup without a documented legal basis.
- Do not treat anonymized analytics as anonymized when re-identification is plausible.