<b>How long am I allowed to keep user data I collect?</b>
Q: I store click and lead data for reporting. Is there a limit?
A: There's no single number, but the governing principle under GDPR is storage limitation: keep personal data only as long as you have a documented purpose, then delete or anonymize it. "Forever, just in case" is the violation people stumble into.
Practical guidance for affiliate data:
— Operational data tied to payouts and dispute windows: keep through your clawback period plus a reasonable buffer, often a few months, since you genuinely need it to resolve chargebacks.
— Raw personal identifiers like full IPs and emails: these carry the most risk; hash or truncate them once the operational need passes.
— Aggregated reporting: anonymized stats with no individual identifier fall outside the rule, so keep those as long as useful.
The defensible position is a written retention schedule — purpose, period, deletion method. If a user requests erasure and you can show data already aged out on schedule, you're covered.
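A retention schedule of this kind expressed as code, as an added example that is not part of the original post. The 60-day clawback and 90-day buffer, the field names, the /24 and /48 truncation widths and the sample records are all assumptions, and HMAC-SHA-256 with a secret key is swapped in here for the plain "hash" the post mentions.

```python
import hashlib
import hmac
import ipaddress
from datetime import datetime, timedelta, timezone

# Assumed values (not from the post): clawback window, buffer, field names.
CLAWBACK = timedelta(days=60)
BUFFER = timedelta(days=90)
# Written schedule: purpose, period, deletion method for each identifier.
SCHEDULE = {
    "ip": {"purpose": "chargeback disputes", "keep": CLAWBACK + BUFFER, "method": "truncate"},
    "email": {"purpose": "lead payout disputes", "keep": CLAWBACK + BUFFER, "method": "hmac"},
}

def truncate_ip(value):
    """Zero the host part: keep a /24 for IPv4 and a /48 for IPv6."""
    addr = ipaddress.ip_address(value)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{value}/{prefix}", strict=False).network_address)

def keyed_hash(value, key):
    """Keyed hash of the normalized value; without the key, guesses cannot be matched."""
    return hmac.new(key, value.strip().lower().encode(), hashlib.sha256).hexdigest()

def apply_schedule(record, now, key):
    """Return a copy of record with aged-out identifiers reduced per SCHEDULE."""
    out = dict(record)
    done = set(record.get("reduced", []))  # fields already reduced on an earlier run
    for field, rule in SCHEDULE.items():
        if field in done or out.get(field) is None:
            continue  # never hash or truncate the same field twice
        if now - record["collected_at"] < rule["keep"]:
            continue  # still inside the documented retention period
        if rule["method"] == "truncate":
            out[field] = truncate_ip(out[field])
        else:
            out[field] = keyed_hash(out[field], key)
        done.add(field)
    out["reduced"] = sorted(done)
    return out

# Constructed sample data (documentation address ranges, example.com mailboxes).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
KEY = b"constructed-demo-key"
SAMPLE = [
    {"click_id": 1, "ip": "203.0.113.77", "email": "Lead@Example.com", "collected_at": NOW - timedelta(days=200)},
    {"click_id": 2, "ip": "2001:db8:abcd:12::1", "email": "b@example.com", "collected_at": NOW - timedelta(days=10)},
]
AGED = [apply_schedule(r, NOW, KEY) for r in SAMPLE]
```

The `reduced` marker stored on each record makes the job safe to run repeatedly, and the schedule dictionary doubles as the written record of purpose, period and method.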
Short version: keep identifiers only as long as a real purpose lasts, then anonymize. Write the schedule down so it's defensible.
Still stuck? Drop your case in the comments.
Clean Traffic Desk
@CleanTrafficDesk
This post was published in the Clean Traffic Desk Telegram channel. You can subscribe via the link: @CleanTrafficDesk.