Draft for legal review

Retention Policy

Default retention schedule for driver license images and related portal records.

Retention must be approved by legal.

The schedule below reflects the system defaults. Counsel should confirm final periods for California dealer records, finance/leasing records, warranty and deal jacket obligations, litigation holds, tax/accounting obligations, and FTC/GLBA requirements.

Default schedule

Purpose	Default retention	Rationale for review
Test drive	90 days	Short operational need unless incident, claim, dispute, or legal hold applies.
Trade appraisal	90 days	Short operational need unless attached to a completed transaction.
Service loaner	90 days	Short operational need unless damage, citation, claim, or dispute requires retention.
Credit application	365 days initially	Potential GLBA/FTC Privacy Rule, adverse action, lender, and audit obligations; legal must confirm.
Deal jacket	2555 days initially	Approximately seven years for sold deal recordkeeping; legal must confirm final dealership schedule.
Other	90 days	Default short retention unless a specific approved purpose requires longer.

Deletion process

Daily retention cleanup identifies records past delete_after when status permits deletion.
Encrypted image files are deleted from private storage.
Encrypted sensitive fields are redacted where applicable.
A minimal audit tombstone is retained: record id, store, created date, deleted date, and deletion reason.

Legal holds

Records subject to litigation, investigation, chargeback, fraud review, finance/leasing audit, warranty, tax, regulatory, or police request holds must not be destroyed until released by legal.
Managers should mark records attached to sold deals or otherwise needed before cleanup.

Backups

Backups are encrypted and kept locally for 14 daily copies by default.
Deleted records may remain in encrypted backups until those backups age out.
Off-server encrypted backups should be configured and reviewed under vendor/security requirements.

Secure disposal

Electronic DL files should be destroyed or erased so the information cannot reasonably be read or reconstructed.
Paper or exported copies should not be created from this portal except under a written legal/business process.

Staff handling rules

No driver license image may be emailed, texted, downloaded, saved to a phone camera roll, stored in a public folder, or uploaded to an unapproved system. Access must remain limited to authorized personnel with an assigned-store business need. Any suspected unauthorized access, disclosure, lost device, or exposed backup must be escalated immediately under Hardin incident response procedures.