Trust · Data retention

What we keep, and for how long.

Australian Privacy Principle 11.2 requires us to destroy or de-identify personal information once we no longer need it. Here's exactly what that means for each thing we hold.

Last updated 16 May 2026

Account profile (name, email, AHPRA number, profession)

Retention: Lifetime of account
Why: Required to provide the service and to generate compliant Statements of Completion.
On account deletion: Hard-deleted within 30 days of account deletion request.

CPD activities (titles, dates, hours, descriptions)

Retention: Lifetime of account
Why: Core function of the service. You can export to CSV at any time from /activities.
On account deletion: Hard-deleted within 30 days of account deletion.

Evidence files (certificates, attendance proofs)

Retention: Lifetime of account
Why: Required for AHPRA audit defence if you are selected.
On account deletion: Hard-deleted from Supabase Storage within 30 days of account deletion.

Reflective practice notes and AI-assist drafts

Retention: Lifetime of account
Why: Reflections are personal CPD output. Drafts you discarded are not retained.
On account deletion: Hard-deleted within 30 days of account deletion.

Simulation transcripts (AI Standardised Patient)

Retention: Lifetime of account
Why: Used to generate the structured debrief and for your review.
On account deletion: Hard-deleted within 30 days of account deletion.

AI prompts and responses (Reflection Assistant)

Retention: Not stored
Why: Token counts are logged for billing reconciliation; prompt bodies are never written to our database.
On account deletion: N/A — nothing to delete.

Audit log (admin actions, security-sensitive events)

Retention: 24 months from event date
Why: Required to investigate disputes, demonstrate access controls, and support breach forensics.
On account deletion: Audit rows referencing a deleted account are anonymised (user_id set null) but retained until 24-month expiry.

Sign-in logs (auth events, IP, user agent)

Retention: 90 days (Supabase default)
Why: Brute-force detection, anomaly investigation, account-takeover review.
On account deletion: Aged out automatically by Supabase.

Rate-limit counters

Retention: Sliding-window per limit (typically 1 hour)
Why: Throttling protection only.
On account deletion: Aged out automatically.

Push notification tokens (mobile app)

Retention: Lifetime of account, refreshed on each app launch
Why: Required to deliver renewal alerts and other push notifications.
On account deletion: Deleted on sign-out from the mobile app, or within 30 days of account deletion.

Patient feedback responses

Retention: Kept indefinitely while linked to the practitioner's campaign
Why: Responses are genuinely anonymous (no IP, no cookies, no identifier of any kind). The practitioner owns their campaign data.
On account deletion: Hard-deleted within 30 days of the practitioner's account deletion. Individual responses cannot be deleted on respondent request because we have no way to identify which response is theirs.

Stripe billing records (transactions, invoices)

Retention: 7 years
Why: Australian tax law (Income Tax Assessment Act) requires 5+ years; Stripe retains for chargeback resolution.
On account deletion: Retained by Stripe under their own privacy policy. We retain only the Stripe customer ID and subscription status, which is hard-deleted on account closure.

Account deletion stubs

Retention: Kept indefinitely
Why: Anonymous row recording profession + framework + deletion date. No user ID, no email, no name. Used solely for service-level analytics (cohort attrition).
On account deletion: N/A — already anonymous at creation.

Supabase database backups

Retention: Rolling 30-day point-in-time recovery
Why: Disaster recovery; required for service continuity.
On account deletion: Deleted records age out of backups as the 30-day window rolls forward.

How to delete your account

Sign in and visit Account → Security. The delete flow requires you to type DELETE to confirm. Once confirmed, your user record and every table referencing it cascade-delete inside the same database transaction; evidence files are removed from storage shortly after. The change is irreversible — we cannot recover a deleted account.

Before deleting, export your CPD log from /activities so you retain a personal copy. AHPRA may still ask for evidence years after a CPD year closes.

Requests and questions

To request deletion of a specific record (rather than your whole account), to ask what we hold about you under APP 12, or to challenge our retention of any item under APP 11.2, email support@practicacpd.com.au from your registered address. We will respond within 30 days.

Back to Trust & compliance.