Data retention — Transcript storage policy

Definition

Data retention in the context of AI-assisted clinical or coaching sessions refers to the policy that defines how long data generated in a session (audio, transcripts, automatic notes) is accessible, in which storage (active vs. archived), when it is permanently deleted, and what rights the client has over that process. A well-designed retention policy balances the professional's legitimate access needs with the principle of data minimization.

How it's used

The retention policy is implemented at three levels:

Active retention: data is easily accessible on the platform for the professional to consult. Typical period: 30-90 days.

Archiving: data is moved to lower-cost, higher-latency storage. Still available but requires an additional step to retrieve. Typical period: until the end of the therapeutic contract or until the client's request.

Deletion: data is permanently erased. Modern privacy frameworks require that deletion be verifiable and that it include backup copies.

The professional must communicate the retention policy to the client as part of informed consent and update the client if the policy changes.

When to apply

The retention policy must be defined before beginning to process session data and must be consistent with the professional's legal obligations in their jurisdiction. Data protection frameworks generally establish the principle of "retain only as long as necessary" — meaning indefinite retention is not compatible with good privacy practices.

Historical origin

The principle of limiting the storage period of personal data is established in data protection regulatory frameworks across multiple jurisdictions. The emergence of large-scale telehealth platforms post-pandemic made this principle operationally urgent for clinics and individual practices that previously did not handle digital data at this scale.

How CauceOS supports it

CauceOS applies a default active retention of 90 days, after which transcripts are archived in secure, encrypted storage. The professional can delete the data from any session at any time from the administration panel. Clients have the right to request deletion of all their data through the platform's "Delete my data" button. Deletions are permanent and irreversible.

Professional confidentiality — data retention is part of the duty of confidentiality
Informed consent — the client must know the retention policy before consenting
Assistance disclaimer — the system's limited scope also limits the nature of data retained

References

European Data Protection Board. (2020). Guidelines 04/2020 on the use of location data. (Applicable by analogy to health data.)
Warren, S., & Brandeis, L. (1890). The right to privacy. Harvard Law Review.
Solove, D. J. (2008). Understanding Privacy. Harvard University Press.