CareSwaps

Data Retention Schedule

Effective March 19, 2026  |  Last Updated March 19, 2026

IMPORTANT: CareSwaps Role Under HIPAA
CareSwaps operates as a Business Associate under HIPAA (45 C.F.R. Parts 160 and 164), not as a Covered Entity. CareSwaps is a healthcare technology platform that provides transfer coordination software for families. CareSwaps is not a healthcare provider, patient broker, referral agency, placement service, medical advisor, or care coordinator. This Data Retention Schedule governs how long CareSwaps retains different categories of data collected or processed through the platform.

1. Purpose & Scope

This Data Retention Schedule describes the retention periods for all categories of data processed by the CareSwaps platform, including Protected Health Information (PHI), Personally Identifiable Information (PII), operational data, and financial records.

Retention periods are determined by the following factors:

  • HIPAA requirements for Business Associates (45 C.F.R. § 164.530(j) — 6 years for policies, procedures, and documentation)
  • Colorado state record retention requirements
  • Colorado Privacy Act (C.R.S. § 6-1-1301 et seq.) — data minimization and purpose limitation
  • Anti-Kickback Statute (42 U.S.C. § 1320a-7b) and Colorado Anti-Kickback Law (C.R.S. § 24-31-809) — documentation of fee structures and agreements
  • IRS requirements for financial and tax records
  • Legitimate business operational needs

2. Data Retention Schedule

2.1 Protected Health Information (PHI)

PHI is stored exclusively in BAA-covered systems (Google Workspace — Gmail, Sheets, Drive, Apps Script) and Jotform (HIPAA Gold).

| Data Category | Examples | Storage Location | Retention Period | Disposal Method |
|---|---|---|---|---|
| PHI Client Intake Records | Resident name, DOB, care needs, insurance, medical conditions, POA/MDPOA status | Google Sheets (Master PHI), Jotform | 6 years from last service date | Secure deletion with audit log |
| PHI Transfer Coordination Records | Facility assignments, transfer dates, swap matching details linked to patient identity | Google Sheets (Master PHI) | 6 years from transfer completion | Secure deletion with audit log |
| PHI Communication Records | Emails containing patient names, care details, or health information | Gmail (hello@careswaps.com), Paubox | 6 years from communication date | Secure deletion with audit log |
| PHI HIPAA Consent & Authorization Forms | Signed consent forms, HIPAA authorization, transport disclosure agreements | Jotform (HIPAA Gold), Google Drive | 6 years from last service date or consent expiration, whichever is later | Secure deletion with audit log |

2.2 Personally Identifiable Information (PII) — Non-PHI

PII that does not qualify as PHI, collected from family applicants and platform users.

| Data Category | Examples | Storage Location | Retention Period | Disposal Method |
|---|---|---|---|---|
| PII Applicant Contact Information | Name, email, phone, relationship to resident | Google Sheets (Master PHI), CRM Sheet | Duration of active subscription + 3 years | Secure deletion |
| PII Account Credentials | Login email, hashed passwords (if applicable) | Google Workspace | Duration of account + 1 year | Secure deletion |
| PII Marketing Leads | Names, emails from waitlist signups or outreach | CRM Sheet, Instantly.ai (getcareswaps.com only) | 2 years from last engagement, or upon opt-out | Deletion from all systems |

2.3 De-Identified Operational Data

De-identified data compliant with HIPAA Safe Harbor (45 C.F.R. § 164.514(b)). Contains no direct patient identifiers.

| Data Category | Examples | Storage Location | Retention Period | Disposal Method |
|---|---|---|---|---|
| OPS Swap Records (De-Identified) | Swap IDs (SW-###), status, facility names, dates, bed counts | Airtable (no BAA — de-identified only) | 7 years from swap completion | Standard deletion |
| OPS Client Records (De-Identified) | Client IDs (CS-###), status, subscription dates | Airtable | 7 years from account closure | Standard deletion |
| OPS Platform Usage Logs | Matching query counts, feature usage, login events | Google Workspace, Make.com logs | 3 years | Automated purge |
| OPS Automation Logs | Make.com scenario execution logs, webhook payloads (de-identified IDs only) | Make.com | 30 days (Make.com default), extended logs in Google Drive for 2 years | Automatic platform purge / manual deletion |

2.4 Financial & Billing Records

| Data Category | Examples | Storage Location | Retention Period | Disposal Method |
|---|---|---|---|---|
| FIN Payment Records | Stripe transaction IDs, payment amounts, subscription status | Stripe (payment processor — exempt from BAA for payment processing) | 7 years (IRS requirement) | Per Stripe data retention policies |
| FIN Invoices & Receipts | Subscription invoices, overage charges, refund records | Stripe, Google Drive | 7 years | Secure deletion |
| FIN Refund Documentation | 7-day cooling-off refund requests, cancellation records | Stripe, Google Sheets | 7 years | Secure deletion |

2.5 Legal & Compliance Records

| Data Category | Examples | Storage Location | Retention Period | Disposal Method |
|---|---|---|---|---|
| Technology Services Agreements | Facility contracts, client subscription agreements | Google Drive | Duration of agreement + 6 years | Secure deletion with audit log |
| Business Associate Agreements | BAAs with facilities, sub-BA documentation | Google Drive | 6 years from termination of agreement (HIPAA requirement) | Secure deletion with audit log |
| HIPAA Policies & Procedures | Privacy policies, security procedures, breach response plans | Google Drive | 6 years from date superseded or last effective | Secure archival then deletion |
| AKS Compliance Documentation | Fee structure documentation, FMV opinions, legal opinion letters | Google Drive | Indefinite (retain for duration of business operations + 10 years) | Secure archival |
| Audit Logs | PHI access logs, system access records, data modification logs | Google Workspace, Airtable (Audit Log table) | 6 years | Secure deletion |
| Breach Notifications | Breach investigation records, notification documentation | Google Drive | 6 years from breach resolution | Secure deletion with audit log |
| Data Subject Requests | Access, deletion, correction, opt-out requests under CPA/CCPA | Google Sheets, Gmail | 3 years from request fulfillment | Secure deletion |

3. Retention Principles

3.1 Minimum Necessary Standard

CareSwaps applies the HIPAA minimum necessary standard to data retention. Data is retained only as long as necessary to fulfill the purpose for which it was collected, comply with legal obligations, or meet legitimate business needs. When retention periods expire, data is promptly disposed of using the designated method.

3.2 Data Minimization

Consistent with the Colorado Privacy Act (C.R.S. § 6-1-1301 et seq.), CareSwaps limits the collection and retention of personal data to what is adequate, relevant, and reasonably necessary for the specified purposes. Data is not retained "just in case" — each category has a defined purpose and retention period.

3.3 De-Identification Preference

Where feasible, CareSwaps converts PHI and PII to de-identified format under HIPAA Safe Harbor (45 C.F.R. § 164.514(b)) when the identifiable form is no longer required. De-identified data may be retained for longer periods for analytics and platform improvement without the risks associated with identifiable data.

3.4 Legal Hold Override

If CareSwaps receives a litigation hold, government investigation notice, or audit notification, the scheduled disposal of relevant data will be suspended until the hold is released. The CareSwaps Privacy Officer is responsible for implementing and communicating legal holds.

4. Disposal Methods

| Method | Description | Used For |
|---|---|---|
| Secure Deletion with Audit Log | Permanent deletion from all systems (including backups within 90 days) with written record of deletion event, data categories destroyed, date, and authorizing party. | PHI, HIPAA documentation, BAAs, legal records |
| Secure Deletion | Permanent deletion from all systems. No recovery possible after 90-day backup cycle. | PII, financial records, account data |
| Standard Deletion | Deletion from primary systems. May persist in automated backups per platform retention. | De-identified operational data, non-sensitive records |
| Automated Purge | System-managed expiration per platform settings (e.g., Make.com 30-day log retention). | Automation logs, temporary processing data |

5. Your Rights

Under the Colorado Privacy Act and other applicable laws, you have the right to:

  • Access: Request confirmation of whether CareSwaps processes your personal data and obtain a copy.
  • Deletion: Request deletion of personal data, subject to legal retention requirements. Where HIPAA or other law requires retention, CareSwaps will explain the applicable obligation.
  • Correction: Request correction of inaccurate personal data.
  • Data Portability: Obtain your personal data in a portable, readily usable format.
  • Opt-Out: Opt out of the processing of personal data for targeted advertising, sale, or profiling (CareSwaps does not sell personal data or engage in targeted advertising).

To exercise any of these rights, contact: hello@careswaps.com

Note on PHI Retention: Certain health information may be subject to minimum retention requirements under HIPAA (6 years for Business Associate documentation). If you request deletion of PHI and a legal obligation requires continued retention, CareSwaps will notify you of the specific obligation and the expected date when deletion can occur. CareSwaps will restrict access to such data to the minimum necessary during the extended retention period.

6. Review & Updates

This Data Retention Schedule is reviewed at least annually and updated to reflect changes in legal requirements, business operations, or data processing activities. Material changes will be communicated via the CareSwaps website and, where required, by direct notice to affected individuals.

Questions about this schedule should be directed to: hello@careswaps.com

7. Governing Law

This Data Retention Schedule is governed by the laws of the State of Colorado, including the Colorado Privacy Act (C.R.S. § 6-1-1301 et seq.), the Colorado Anti-Kickback Law (C.R.S. § 24-31-809), and applicable provisions of HIPAA (45 C.F.R. Parts 160 and 164) and the Anti-Kickback Statute (42 U.S.C. § 1320a-7b). In the event of a conflict between this schedule and applicable law, the law controls.

Technology Platform Disclaimer: CareSwaps is a healthcare technology platform providing transfer coordination software for families. CareSwaps is not a healthcare provider, patient broker, referral agency, placement service, medical advisor, or care coordinator. All transfer decisions are made independently by licensed clinical staff at participating facilities. Platform subscription fees are for technology services and are not conditioned on referral volume or transfer outcomes.

© 2026 CareSwaps, LLC. All rights reserved.