Data Retention
Last updated: March 2026 — Version 1.0
Principle
Gardspace applies the principle of storage limitation as defined in Article 5.1(e) of the GDPR. Data is kept only as long as necessary. Our default is deletion, not retention.
Session photos are deleted automatically 48 hours after session close. Medical documents are deleted automatically after 5 days. No manual action required.
Retention Schedule
| Data type | Retention period | Deletion | Legal basis |
|---|---|---|---|
| Session photos | 48h after session close | Automatic | GDPR Art. 5.1.e · COPPA |
| Medical documents | 5 days | Automatic | GDPR Art. 5.1.e · Art. 9 |
| Session logs & Daily Reports | Duration of active Care Space | On request | GDPR Art. 5.1.e · Contract |
| Handover Notes | Duration of active Care Space | On request | GDPR Art. 5.1.e |
| Nanny Passport & NTR | Duration of active account | On request | Consent · Legit. interest |
| Early Access email | Until unsubscription | On request | Consent |
| Referral tokens | No expiry V1 — revocable | On request | Legitimate interest |
| Technical logs / IP | 30 days maximum | Automatic | Legitimate interest — security & fraud prevention |
| All data after account deletion | 30 days maximum | Automatic | GDPR Art. 17 |
Children's Data — Special Rules
- Photos: deleted automatically 48 hours after session close — no exceptions
- Medical documents: deleted automatically after 5 days — no exceptions
- All child-related data: deleted within 30 days of a verified parental deletion request
- We do not retain children's personal information beyond what is necessary to fulfil the service (COPPA compliance)
How to Request Deletion
Email: privacy@gardspace.com — Subject: Data Deletion Request. We confirm within 30 days.
In-app: Account settings → Delete account. All data deleted within 30 days.
COPPA parental request: privacy@gardspace.com — Subject: COPPA Deletion Request
Third-Party Services
| Service | Role | Region | Compliance |
|---|---|---|---|
| Supabase | Database & storage | EU — Frankfurt | GDPR compliant · DPA signed |
| Vercel | Hosting | EU region | GDPR compliant · DPA signed |
| Resend | Transactional emails | EU — verified | GDPR compliant · DPA signed |
| Plausible | Analytics | EU — Germany | Cookieless · GDPR native · DPA signed |
For any question about your data: privacy@gardspace.com