Data Deletion Policy

1. Purpose

This policy sets out how Edsthetic handles deletion of school, staff, and student data held in Writeiq and Allocateiq. It implements the deletion rights of schools under the Edsthetic Data Processing Agreement and supports school obligations under the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APP 11.2).

Schools remain the data controllers. Edsthetic acts as data processor. Deletion rights and timelines set out here are commitments Edsthetic makes to schools; they do not override any school-level retention obligations the school may have under Victorian, New South Wales, or Commonwealth record-keeping law.

2. Scope

This policy covers:

Student writing submissions and assessment results held in Writeiq
Learning support schedules, NCCD evidence, and student records held in Allocateiq
Staff account records (names, email prefixes, role, PIN hashes)
School configuration data (school name, licence key, branding assets)
AI cost tracking telemetry (aggregated per-school cost data, no student content)
Operational logs (Sentry error traces, PostHog analytics events)

It does not cover:

Data the school has exported outside Edsthetic (e.g. downloaded marking reports held on school devices)
Aggregate, de-identified statistics used to monitor product performance, where no individual student or school can be re-identified

3. Deletion triggers

Edsthetic deletes school data in four situations.

3.1 School request (on-demand deletion)

A school coordinator or principal can request deletion of any specific data item or the entire school record at any time by emailing hello@edsthetic.com.au. Requests are acknowledged within two business days and completed within fourteen calendar days.

Supporting evidence for deletion (signed confirmation, date of deletion, operator) is retained for six years to meet audit requirements.

3.2 Licence expiry or non-renewal

When a school's licence expires and is not renewed:

Day 0 (expiry): read and write access is suspended; school data is retained but no longer accessible via the product
Day 60: school is notified by email that deletion will proceed in 30 days unless renewed
Day 90: all school data is deleted, including student records, submissions, staff accounts, and configuration

The 90-day window allows a school to renew, export data, or migrate to another system before permanent deletion.

3.3 Pilot expiry with no conversion

Pilot licences have an explicit data_delete_after date, set to 60 days after pilot end. If the pilot does not convert to a paid licence, all pilot data is deleted on that date. This is shorter than the 90-day post-expiry window because pilot data carries lower production value.

3.4 Contractual termination

If the Edsthetic Data Processing Agreement is terminated by either party, Edsthetic deletes all school data within 30 days of the effective termination date, unless a shorter period is agreed in writing.

4. What gets deleted

When deletion is triggered, the following are removed:

All rows in the school_data table for the school (config, tasks, submissions, staff records, student data)
All rows in the submissions table belonging to the school
All rows in the school_ai_costs table for the school
Any records in admin_alerts referencing the school's licence key
The school's row in admin_schools
The school's licence record
Staff authentication records held in protected school_data keys (wc-staff-pins, wc-lso-pins)
Any uploaded files in Supabase Storage bound to the school's licence key (lesson plan PPTXs, scanned submissions)
Associated Sentry and PostHog events subject to their retention (Sentry: 90 days default; PostHog: non-identifying events only)

Deletion is executed via the edsthetic-delete-school edge function, which requires two independent confirmations from an Edsthetic operator with the Owner role, names the school explicitly, and logs the action to admin_alerts with the operator identity.

5. Backup retention

Supabase takes automated daily backups of the production database. After a school's data is deleted from the live database:

Daily backup snapshots retain the deleted data for up to 7 days
Backups are access-controlled: no Edsthetic staff can read individual school data from a backup without initiating a full point-in-time restore to a separate environment
Backups rotate automatically; 7 days after deletion, no backup copy of the school's data remains

A school may request deletion confirmation of the original data; confirmation that backup rotation has completed can be provided 7 days later.

6. Sentry and PostHog retention

Operational logs differ from school data and follow each subprocessor's retention policy:

Sentry: error traces retained 90 days from capture. Sentry traces sent from Writeiq and Allocateiq are scrubbed of PIN hashes, licence keys, and authorisation headers before transmission.
PostHog: event records retained per PostHog's default policy. Edsthetic captures only anonymous page views and tab-navigation events from the admin panel; no student data, no submission content, no names are sent to PostHog.

Neither Sentry nor PostHog contain student content or identifying information about students. Deletion of these operational logs is not required to fulfil a school deletion request.

7. Verification and audit

After completing a deletion:

The requesting school receives an email confirmation naming the deletion operator, date, and scope
A row is written to admin_alerts with category school_deleted, licence key, school name, and operator identity
This record is retained for six years from the deletion date

A school may request an audit report of their deletion at any time within the retention window.

8. Exceptions

Edsthetic will not delete data where retention is required by Australian law, including but not limited to:

Cases under active investigation by law enforcement with a lawful order
Records required to resolve an active billing or contractual dispute
Operational records required for Edsthetic's own tax and ABN compliance (these never include student data)

In such cases, the affected data is placed under legal hold and retained only for the duration of the obligation.

9. Contact for deletion requests

Schools should send deletion requests to hello@edsthetic.com.au with the school name, the data scope (full deletion vs specific items), and the reason.

Requests from a school email domain matching the school's registered coordinator email are treated as verified. Requests from other email addresses will be verified by a callback to the school's registered coordinator phone number before action.

10. Review

This policy is reviewed annually by the Edsthetic co-founders. Material changes will be communicated to schools by email at least 30 days before they take effect.