This Data Retention Policy explains how long 3C Consulting d.o.o. ("Backrow") keeps different categories of personal data, and what happens when retention periods end. It applies to data processed in connection with the Backrow applicant tracking platform (the "Service") and our website, and is incorporated by reference into our Terms of Service, Data Processing Addendum (DPA), and Privacy Policy.
If there is any conflict between this policy and the DPA with respect to customer-controlled data, the DPA prevails.
1. Principles
We apply the following principles to retention:
- Purpose-bound: we keep personal data only as long as needed for the purpose for which it was collected.
- Minimization: where practical, we delete or anonymize data once it is no longer needed.
- Legal compliance: we keep data for longer where required by law (for example, tax and accounting records under Croatian law).
- Customer control: for candidate data inside the Service, the hiring company chooses the retention period and whether records are deleted or anonymized at the end of it.
- Defensible deletion: we delete from production systems first, then rely on the backup-rotation cycle to purge residual copies.
2. Candidate data inside the Service
Our customers (hiring companies) are the controllers of candidate data. They configure retention inside the Service.
2.1 Retention period
Each customer selects a retention period for candidate records, for example 6 months, 12 months, or 24 months from the last relevant activity on the record (such as the most recent application, interaction, or stage change). The Service applies the selected period automatically.
2.2 End-of-retention action
At the end of the retention period, the customer's chosen end-of-retention action is applied:
- Permanent deletion. The record is removed from production systems and cannot be recovered. Residual copies may remain in encrypted backups until the backup-rotation cycle described in Section 5 completes.
- Anonymization. Personal data is stripped from the record such that the remaining information can no longer be attributed to an identified or identifiable individual without the use of additional information. Anonymized records may be retained by the customer for aggregate reporting (for example, hiring funnel metrics).
Important: whether "anonymization" in practice is true anonymization under GDPR Recital 26 depends on what data is stripped. Customers enabling anonymization should review what remains in their records (for example, free-text notes, CV attachments) and satisfy themselves that re-identification is not reasonably possible. Where it is, the remaining data is pseudonymous and continues to be personal data.
2.3 Notice
Backrow notifies the customer's Authorized Users at least 14 days in advance of scheduled deletions or anonymizations, so the customer can review, export, or override where needed. Candidates are not notified automatically. Customers that wish to inform candidates of scheduled actions may do so outside the Service.
2.4 Candidate deletion requests
When a candidate requests deletion of their data, the request goes to the hiring company (as controller), not to Backrow. Each customer configures a data-deletion email address that should appear in the privacy information presented to candidates at the point of application. Once the customer acts on the request inside the Service, deletion follows the same path as scheduled end-of-retention deletion.
3. Account and service-provision data
This is data about our direct customers and their Authorized Users — Backrow acts as controller for this data.
| Data category | Retention period | Trigger |
|---|---|---|
| User account data (name, work email, role, hashed password, workspace membership) | For the duration of the subscription; deleted or anonymized within 30 days after termination | Termination / account closure |
| Audit logs of user activity in the Service (sign-ins, key administrative actions) | 12 months from the event, unless required for longer for a legal claim or investigation | Rolling window |
| Support tickets and related communications | Up to 3 years from the last interaction on the ticket | Ticket closure + 3 years |
| Feedback and product research communications | Up to 3 years; anonymized where possible for longer-term retention | Rolling window |
4. Billing and financial records
Billing records are retained for the period required by Croatian tax and accounting law — in practice, up to 11 years from the end of the financial year in question. This covers invoices, credit notes, payment records, VAT records, and related correspondence.
Card numbers are not stored by Backrow. Card data is handled directly by Stripe, our payment processor. Stripe's retention of card data is governed by Stripe's own terms and its PCI DSS obligations.
5. Backups
The Service is backed up on a rolling basis to protect against data loss. Backups are encrypted at rest and access is strictly controlled.
- Daily backups: retained for 30 days.
- Weekly / point-in-time recovery snapshots: retained for up to 35 days.
- Long-term archival: none for routine operations; backups are rotated and overwritten.
When data is deleted from production, residual copies in backups are not immediately removed. They are overwritten through the normal backup rotation, typically within 35 days. During that window, restored-from-backup copies are not used except in a disaster-recovery scenario and are re-subjected to deletion immediately after restoration.
6. Website, analytics, and security logs
| Data category | Retention period |
|---|---|
| Website analytics (Fathom, aggregated, cookieless) | Aggregated data retained indefinitely; no personal data stored |
| Product analytics (PostHog, authenticated sessions) | Up to 12 months from the event |
| Error monitoring (Sentry) | Up to 90 days from the event; errors containing personal data are scrubbed where practicable |
| Security logs (WAF, auth, intrusion detection) | Up to 12 months from the event, unless required for longer for investigation or legal claim |
7. Marketing data
We retain marketing contact data (business email, company, role, engagement metrics) until you unsubscribe or otherwise object to processing. After unsubscribe, we retain a minimal suppression record to honor your opt-out, typically indefinitely but limited to what is necessary to prevent future contact.
8. AI-assisted features — processing data
When a customer has enabled AI features, relevant content is sent to model providers (OpenAI, Anthropic) for inference. Under our API-level arrangements with these providers, such content is not used to train models, and is retained only for short operational periods (typically zero or a matter of days, as configured by Backrow). Outputs of the AI features (for example, generated scores or summaries) are stored in the customer's workspace and are subject to the same retention rules as other candidate data (Section 2).
9. Legal holds and extended retention
We may retain specific data for longer than the periods above where required to:
- comply with a legal or regulatory obligation;
- establish, exercise, or defend legal claims;
- respond to a lawful request from a competent authority;
- investigate or prevent fraud, abuse, or a security incident.
During a legal hold, affected data is isolated and not subject to routine deletion. The hold is lifted when the underlying reason ends.
10. Termination of a customer subscription
On termination or expiration of a customer's subscription:
- For 30 days after termination, the customer can export data through the Service.
- After this 30-day window, data is deleted or anonymized from production systems.
- Residual copies in backups are overwritten through the backup rotation described in Section 5.
- Billing and tax records are retained for the legal period set out in Section 4.
11. How we verify deletion
Where a customer needs written confirmation of deletion for audit or regulatory purposes, we can provide a deletion certificate on request at support@backrow.app, confirming that production-system deletion has occurred and that residual backup copies are subject to rotation.
12. Changes to this policy
We may update this policy when our practices or the retention periods change. The "Last updated" date at the top shows when it was last changed. Material changes will be notified to customers by email or in-product notification at least 30 days before they take effect.
13. Contact
For questions about this policy, or to request a deletion certificate, contact support@backrow.app. Full legal and contact details are in the Imprint section of our Terms of Service.