Records Management

GDPR – Records Management Policy: YourBackup

1. Scope

1.1. This policy, together with the associated standards, applies to the management of all documents and records, in all technical or physical formats or media, created or received by YourBackup in the conduct of its business activities. It applies to all staff, contractors, consultants, and third parties who are given access to our documents, records, and information processing facilities.

1.2. YourBackup is committed to maintaining the confidentiality of its information and ensuring that all records within the platform are only accessible by the appropriate individuals. In line with the requirements of the General Data Protection Regulation (GDPR), YourBackup ensures that all records are only kept for as long as is necessary to fulfill the purpose(s) for which they were intended.

1.3. This policy outlines how records—specifically those related to user authentication, third-party social platform connections (OAuth tokens), and data archives—are stored, accessed, monitored, retained, and disposed of.

1.4. Records are defined as all documents and digital data points which facilitate the business carried out by YourBackup, including connection metadata and sync logs. Hard copies are only printed if required under law; otherwise, all processing is electronic.

2. Legal Framework

2.1. This policy has due regard to legislation including, but not limited to:

• General Data Protection Regulation (2016)
• Relevant national data protection acts (e.g., Personal Data Protection Act of Austria/Datenschutzgesetz)

2.2. This policy will be implemented in accordance with:

• YourBackup Privacy Policy
• YourBackup Security and Compliance Policy
• YourBackup Terms and Conditions

3. Responsibilities

3.1. YourBackup as a whole is responsible for maintaining its records and recordkeeping systems in line with statutory requirements.

3.2. The Managing Partner holds overall responsibility for this policy and for ensuring it is implemented correctly.

3.3. The Data Protection Officer (DPO) supports the management of records and reviews compliance annually.

3.4. All staff members are responsible for ensuring that any records for which they are responsible (e.g., customer support logs, system telemetry) are accurate and maintained securely.

4. Management of Personal Data

4.1. YourBackup operates as a data utility allowing users to link third-party social platforms (e.g., Google, TikTok). YourBackup acts as a data processor for the purpose of fetching, monitoring, and exporting user data from these third-party services.

4.2. The following information is stored by YourBackup:

• User Auth Data: Username, hashed password, and “Remember Me” session tokens.
• Connection Metadata: Service brand (Google, TikTok, etc.), connection status (Green/Amber/Red), and “Last successful sync” timestamps.
• OAuth Tokens: Encrypted access and refresh tokens used to maintain the link between YourBackup and third-party platforms.
• User Activity on Connected Platforms: Activity such as browsing history, likes and so forth the user performed on the connected platforms. This is used only for the user’s personal utility of backing up said data.
• Data Archives: Temporary portable formats created when a user clicks “Download Data.”

4.3. YourBackup will only process data according to user instructions (e.g., triggering a sync or an export). The user may instruct YourBackup to perform certain duties, like syncing, on a regular basis.

5. Retention of Personal Data

5.1. Active Accounts: Data is retained as long as the user account is active to provide the data utility service. Accounts which have not been logged into within 365 days are automatically deleted.

5.2. Account Termination: In accordance with the YourBackup “Danger Zone” protocol, clicking the “Delete Account” button triggers an immediate wipe. All stored OAuth tokens, connection metadata, and stored data archives are removed from active production databases immediately.

5.3. Backups and Logs: For operational reasons, anonymized user-related data may appear in system logs and encrypted backups for a maximum length of 1 month before being ultimately purged.

5.4. Financial Records: Data indispensable for bookkeeping and financial duties (e.g., subscription invoices) will be retained for a period of seven (7) years.

6. Storing and Protecting Personal Data

6.1. Technical Security: All digital data is encrypted at rest. OAuth tokens are subject to additional layers of encryption.

6.2. Cloud Security: YourBackup utilizes secure cloud environments (e.g., Google Cloud Platform) that are GDPR-compliant. Data is logically isolated to ensure users only access their own digital footprint.

6.3. Access Control: All electronic devices used by YourBackup staff are password-protected and encrypted. Staff do not use non-encrypted personal devices for business purposes.

6.4. Authentication: User authentication is handled via secure forms (Sign Up/Login) utilizing ensuring users are aware of their security context.

7. Subprocession Security

7.1. YourBackup conducts audits of all subprocessors (e.g., cloud providers, API aggregators) to ensure they provide a level of security appropriate to the sensitive nature of social media data.

7.2. Key Subprocessors:

• Cloud Infrastructure: Google Ireland Limited (Google Cloud Platform) for data storage and access.

8. Data Incidents

8.1. If YourBackup becomes aware of a Data Incident (e.g., a breach of OAuth tokens), we will notify affected users promptly and without undue delay.

8.2. Notifications will include details of the incident and recommended steps for users (e.g., revoking permissions via the third-party service).

9. Information Audit

9.1. YourBackup will conduct an information audit on a regular basis to ensure all data (especially exported archives) are being managed or deleted according to this policy.

9.2. The DPO is responsible for completing this audit.

10. Disposal of Data

10.1. Digital Destruction: Electronic records are disposed of via cryptographic erasure or physical destruction of the underlying storage media by the cloud provider.

10.2. User-Initiated Deletion: When a user deletes their account via the Settings Dashboard, the “immediate wipe” protocol ensures that the link to their digital footprint is severed and the data is rendered unreconstructable.

11. Monitoring and Review

11.1. This policy will be reviewed on an annual basis by the Managing Partner and DPO.

11.2. Any changes to this policy will be communicated to users via the YourBackup dashboard.

---

Last Updated: April 2026

Next Review Date: April 2027