Data Retention Policy

1. Purpose

This Data Retention Policy explains how long Licentio, operated by Zachary Cardoza doing business as Kaweah Tech ("Kaweah Tech," "we," "us," or "our"), retains your data, what happens when you delete your account, and why certain data may be retained after deletion.

Clinical licensure records are career-critical documents that users may need for years. Our retention practices are designed to protect both the individual user and the integrity of shared records that multiple users depend on.

2. Active Accounts

While your account is active, we retain all data associated with your account, including your profile information, licensure records, supervisory relationships, and related data.

We do not delete or deactivate accounts due to inactivity. Your account and data remain available regardless of how long it has been since your last login.

3. Account Deletion

You may request account deletion at any time through the Service's account settings or by emailing legal@licent.io. Deletion requests are handled as a privacy rights request under the CCPA and equivalent state privacy laws (see the Privacy Policy § 7.1 rights table).

3.1 What Is Deleted

The following data is permanently deleted within 45 days of your deletion request:

• Email address
• Phone number
• Password and authentication credentials (OAuth connections, OTP history)
• Non-shared events (events that are not linked to another user's records)
• Progress calculations and pathway status
• Subscription and billing metadata (Stripe handles its own retention of payment records)
• Notification preferences and application settings
• Session data and authentication tokens
• Display name, if no shared records link to your account

Note on server logs: Your IP address and request metadata associated with sign-in and activity events may persist in our 90-day server logs (see Section 5) independently of the 45-day deletion timeline above. Server logs are held for security monitoring and operational troubleshooting and are not associated with your account identity after deletion. If your deletion request is submitted shortly after authentication activity, the corresponding log entries will age out on the log retention schedule rather than on the account deletion schedule.

3.2 What Is Retained

The following data is retained after account deletion because other users depend on it for their own licensure records:

• Your display name, as it appears in other users' records (e.g., as a supervisor or supervisee name on shared events). Display name is retained only when linked to shared events; if you have no shared records, your display name is deleted along with your other personal data.
• Shared events and signoffs, meaning any event, supervision session, or approval that involves another user through a supervisory relationship

This retained data is kept for as long as the linked user's account remains active, or for six years after the last supervisory event involving that record, whichever is later. The six-year period is a Kaweah Tech policy choice calibrated to two realities: first, supervisors and supervisees may be separately advised by their professional associations or malpractice insurers to retain supervision records for several years after the supervisory relationship ends (that individual obligation sits with the licensee, not with Licentio, but our retention is sized to support it); and second, the California Board of Behavioral Sciences generally does not accept supervised experience hours earned more than six years before the date it receives a licensure application, so six years is the outer bound at which a California supervisee could still reasonably need the shared record. It is not a regulatory requirement imposed directly on Kaweah Tech. If the linked user also deletes their account and no other users depend on the shared records, all remaining data is deleted according to the standard 45-day timeline.

3.3 Legal Basis for Shared Data Retention

We retain shared licensure data as necessary to complete the transaction for which the data was collected (the supervisory collaboration between users) and to continue providing the Service to the other user, who relies on that record for their own licensure documentation. Under the California Consumer Privacy Act, this falls within the exceptions to the right to delete provided by Cal. Civ. Code § 1798.105(d)(1) (completing the transaction for which the personal information was collected, including providing a product or service requested by the consumer) and § 1798.105(d)(7) (enabling solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer's relationship with the business).

How the shared-event acknowledgement works. At signup, you are asked to acknowledge that shared supervisory events remain in the other party's records even if you later delete your account. The acknowledgement is presented as a separate affirmative action, distinct from your agreement to the general Terms of Service, and you must complete it before the account can be created. We retain the acknowledgement record with the following metadata: a timestamp, the version of the disclosure presented to you, your account identifier, and the specific text you accepted. You may review the acknowledgement you accepted at any time through your account settings, and you may request a copy by contacting legal@licent.io. This acknowledgement, combined with the statutory exceptions above, is the legal basis for the shared-data retention described in Section 3.2.

3.4 Why Shared Data Is Retained

Licensure records serve as evidence of supervised clinical experience. When a supervisor signs off on an associate's hours, that signoff becomes part of the associate's official record. Deleting the supervisor's account should not invalidate the associate's documentation.

Similarly, if an associate deletes their account, any records that a supervisor approved or reviewed remain in the supervisor's records for their own professional documentation.

This approach mirrors how professional records work outside of digital systems: a supervisor's departure from a practice does not erase the supervision logs they signed.

3.5 Deletion Timeline

3.6 Data Export Before Deletion

We strongly recommend exporting your data before requesting account deletion. The Service provides a built-in export feature that produces a complete copy of your records in CSV and JSON formats. The export feature remains available during the 45-day grace period; contact legal@licent.io to temporarily reactivate your account for export. Once deletion is complete, your personal data cannot be recovered.

4. Backup Retention

Automated database backups may contain your data for a limited period after deletion. Backups are retained for no more than 30 days after the data is deleted from the live database. This means your personal data may persist in encrypted backups for up to 75 days from the date of your deletion request (45 days for the deletion process, plus up to 30 days of backup retention). Backups are encrypted at rest and are used only for disaster recovery or as legally required.

5. Server Logs

Server logs (IP addresses, request timestamps, error diagnostics) are retained in AWS CloudWatch for 90 days. These logs are used for security monitoring and operational troubleshooting. They are not associated with your account after deletion.

6. Analytics Data

PostHog analytics data is collected in cookieless mode using configurations intended to produce anonymized event data (see our Cookie Policy § 5 for the caveats that apply). Anonymized analytics events are retained for 24 months from the date of the event, after which they are automatically purged regardless of account status. Analytics data is not affected by account deletion because it is not maintained at the account level; it is stored at the event level and ages out on the 24-month schedule.

7. Support Communications

Support communications (emails and help tickets) are retained for 24 months from the date of the most recent message in the conversation thread, whether that message was from you or from us. This enables us to resolve related follow-up issues and maintain historical context. Transactional email delivery logs are retained for 90 days by our email provider (Amazon SES) for operational purposes.

8. Legal Holds

In rare cases, we may be required to retain data beyond the periods described here in response to legal proceedings, regulatory investigations, or lawful government requests. Legal holds are applied narrowly to the specific data relevant to the legal matter; unrelated data continues to be processed according to this Policy. Active legal holds are reviewed at least annually and released when the underlying need no longer applies, at which point the affected data resumes the standard retention schedule described above. If a legal hold applies to your data, we will notify you unless prohibited by law.

9. Changes to This Policy

We may update this Data Retention Policy from time to time. We will notify you of material changes by email or through the Service at least 30 days before they take effect.

10. Related Policies

This Data Retention Policy is part of Licentio's legal framework. Please also review our Terms of Service, Privacy Policy, and Cookie Policy.

11. Contact

For questions about data retention or to request account deletion, contact us at: