Data Retention Policy

Effective date: February 17, 2026 | Version: 2026.02-global

This Data Retention Policy defines how operational, financial, privacy, and security records are retained, archived, and securely deleted across VelisAds Network systems.

Retention periods must align with legal obligations, contractual duties, and operational necessity.

Scope and Applicability

  1. Applies to account data, traffic logs, reports, payment records, and audit evidence.
  2. Applies to structured databases, file storage, logs, backups, and exports.
  3. Applies to production and non-production systems containing real or regulated data.
  4. Applies to subprocessors handling retention tasks under contractual obligations.
  5. Applies to legal hold and regulator preservation requests.
  6. Applies to the full lifecycle from collection through secure destruction.

Mandatory Requirements

Retention Schedule Management

  • Every dataset must have a documented retention period and business rationale.
  • Retention periods must satisfy legal, tax, and contractual requirements.
  • Indefinite retention is not allowed without explicit legal justification.
  • Retention catalogs must be reviewed by data owners and compliance teams.

Deletion and Anonymization

  • Expired records must be removed or anonymized using controlled workflows.
  • Deletion jobs must generate auditable completion evidence.
  • Anonymization must prevent practical re-identification in normal use.
  • Catch-up cleanup must run after prolonged processing interruptions.

Backup and Legal Hold Handling

  • Backups with regulated data must follow defined retention windows.
  • Legal holds must be scoped, documented, and reviewed periodically.
  • Released legal holds should trigger controlled post-hold deletion.
  • Archive access must enforce least privilege and full auditability.

Prohibited Practices

  1. Retaining expired data in active systems without legal necessity.
  2. Deleting records that are subject to active legal hold.
  3. Maintaining hidden shadow datasets outside approved inventories.
  4. Restoring expired records to production without retention revalidation.
  5. Destroying security or compliance evidence required for investigations.
  6. Using unapproved tools for mass deletion of critical records.
  7. Exposing archived sensitive data without proper access control.
  8. Disabling lifecycle jobs to avoid policy enforcement.

Governance, Monitoring, and Enforcement

  1. Data owners are accountable for retention mapping and classification quality.
  2. Lifecycle automation health is monitored with failure alerts.
  3. Legal holds are tracked in a central register with owner and release status.
  4. Internal audits validate both retained and deleted record samples.
  5. Vendor contracts must include return or deletion obligations.
  6. Deletion evidence is retained to demonstrate policy execution quality.
  7. Material deviations require documented risk acceptance and a remediation plan.
  8. Policy updates are versioned and announced with effective dates.

Global Source Links and Standards

  1. EU GDPR Regulation (EU) 2016/679
  2. California Privacy Protection Agency (CPPA)
  3. NIST Privacy Framework
  4. NIST SP 800-88 Media Sanitization
  5. ISO 15489 Records Management
  6. ISO/IEC 27701
  7. ICO UK GDPR Guidance
  8. OECD Privacy Framework

Operational Interpretation and Regional Mapping

These requirements should be interpreted as global baseline controls for a live ad operations platform. Teams must map each requirement to local legal obligations, contractual duties, and traffic-source constraints before enabling production delivery at scale.

When regional regulations impose stricter standards, the stricter standard applies. Where legal ambiguity exists, operations should default to least-risk handling and documented escalation to legal or compliance owners.

Policy-to-Workflow Mapping

  • Map each policy control to one concrete workflow checkpoint.
  • Define accountable owner, review cadence, and evidence source.
  • Link policy failures to clear remediation and rollback actions.
  • Track policy exceptions with expiry and approval metadata.

Evidence and Audit Quality

  • Keep verifiable logs for approvals, enforcement, and account state changes.
  • Maintain immutable records for policy acceptance and version changes.
  • Preserve incident evidence with timestamp accuracy and actor context.
  • Support regulator and partner audits with structured evidence retrieval.

Release and Change Governance

  • Run policy impact review before major workflow or billing changes.
  • Gate high-risk releases behind compliance and security readiness checks.
  • Document rollback criteria for policy or abuse regressions.
  • Communicate material policy updates with effective-date clarity.

Extended Compliance Checklist

  1. Confirm access controls for admin, publisher, advertiser, and support roles.
  2. Verify domain ownership, sitemap coverage, and install-code integrity before launch.
  3. Validate ad creatives, landing behavior, and category eligibility rules.
  4. Ensure budget, spend, and settlement paths align with billing model selection.
  5. Run fraud and abuse controls for both ad-serving and click attribution pathways.
  6. Confirm user data handling for consent, retention, and rights-response timelines.
  7. Check payout safeguards, webhook integrity, and transaction audit visibility.
  8. Review security events, incident triage flow, and postmortem documentation quality.
  9. Ensure policy pages remain reachable, indexable, and version-consistent in sitemap.
  10. Require periodic policy refresh training for operational and support teams.

Policy FAQ for Operations Teams

How often should this policy be reviewed?

Review before each major release and at recurring governance intervals, especially when billing logic, targeting controls, or verification workflows change.

What happens if live behavior conflicts with policy text?

Live enforcement should default to safer behavior immediately, then trigger incident review and documented correction to either implementation or policy wording.

How should teams handle partner-specific requirements?

Apply partner requirements as stricter overlays where needed, while preserving baseline platform controls and maintaining auditable policy-to-process mapping.