When a subject rights request is received information must be collected in order to respond to the request. To maintain an auditable log of received requests and the responses they received much of that information is retained indefinitely. Collected information that may fall into the category of personal information however is subject to the following retention limits:
| Information Collected | Retention Limit |
| Requester Email | 730 Days |
| Requester First Name | 730 Days |
| Requester Last Name | 730 Days |
| Requester Phone Number | 730 Days |
| Requester Type (Customer, Employee, etc.) | 730 Days |
| Request Description | 730 Days |
| Requester Country of Residence | 730 Days |
| Requester State/Province/Territory | 730 Days |
| Requester PII – Custom Field | 730 Days |
| Requester Sensitive PII – Custom Field | 730 Days |
| Requester non-PII – Custom Field | 730 Days |
| Requester Proof of Identity/Other Attachments | 730 Days |
| Requester Secure Messaging Portal Attachments | 730 Days |
| Subject Rights Manager Secure Messaging Portal Attachments | 730 Days |
| Subject Rights Manager Request Attachments | 730 Days |
| Subject Rights Manager Attachments on Action Items | 730 Days |
| Subject Rights Assignee Attachments on Action Items | 730 Days |
| Automated Data Store Summary Files on Action Items | 730 Days |
| Automated Data Store Deletion Files on Action Items | 730 Days |
| Reporting Dashboard Metrics | Indefinitely |
Note: Data Processing and storage occur in AWS (Virginia, US).
Upon completion or rejection of the request, Osano deletes the personal information from the customer’s admin application and only retains the assigned unique number used to identify the request within the Osano platform. Once the 730-day period is reached all PII is deleted from the platform.