
Data retention and compliance

State machine for customer data lifecycle under GDPR and privacy laws.

Personal data flows through a legal and operational lifecycle. This template shows how customer data states transition under privacy regulations like GDPR, CCPA, and internal retention policies. A customer's record starts Active when they sign up, moves to Inactive if abandoned, and is Deleted after a retention window expires — or immediately if they request deletion. Export and Anonymize branches handle Subject Access Requests and Right-to-Erasure obligations.

The state machine forces teams to answer critical questions upfront: How long do you keep inactive accounts? Are deletion requests immediate or queued? What does anonymization mean — hashing? Truncation? Separating each state clarifies both the operational rules and the legal justification behind them.

When to use this template

  • Privacy compliance audits — regulators ask for exactly this: when does data get deleted, what's the retention period, how do you prove compliance? This diagram is the answer.
  • Deletion request handling — when a customer asks to be forgotten, trace the path through this state machine to ensure every system (app, database, backups, logs, email archives) respects it.
  • Data breach incident response — if you suffer a breach, this diagram clarifies which data states need to be notified, which can be recovered from backups, and which can be safely ignored (already anonymized).

How to adapt it

Customize the retention windows and state names to your geography and policy:

  • Replace "90 days" in the Inactive note with your actual retention window — 30 days, 6 months, whatever your lawyers say.
  • Add a Right to Rectification branch from Active that allows customers to correct their data, then loops back to Active.
  • Insert a Right to Restrict state between Active and Inactive if your policy allows customers to freeze their account without deletion.

Visual edits regenerate clean code, so you can adjust the retention windows, add your company's specific states, and export the result straight into your privacy documentation or DPA (Data Processing Agreement) without hand-editing the syntax.

Mermaid code

Copy it anywhere Mermaid is supported — GitHub, Notion, or your docs.

stateDiagram-v2
    [*] --> Active: Customer provides data
    Active --> Inactive: Account inactive 90 days
    Inactive --> Deleted: Retention period expired
    Active --> ExportRequested: GDPR request
    ExportRequested --> Exported: Export generated
    Exported --> Active: Customer downloads
    Active --> DeletionRequested: GDPR deletion
    DeletionRequested --> Anonymized: Data anonymized
    Anonymized --> [*]
    Deleted --> [*]
    note right of Active
        Searchable, queryable
        Backups included
    end note
    note right of Inactive
        Inaccessible to customer
        In backups only
        90-day retention window
    end note
    note right of Anonymized
        Irreversibly hashed
        Kept for analytics
        Cannot re-identify
    end note

Frequently asked questions

What is data retention and why do privacy laws require it?
Data retention is the policy of how long you keep customer data after they delete their account or stop using your service. GDPR and CCPA require you to delete or anonymize data after a specific period to minimize privacy risk. If you kept all data forever, a breach would expose years of historical information. By setting a retention window — 30 days, 6 months, whatever your business needs — you legally and operationally limit the blast radius.
What's the difference between deletion and anonymization?
Deletion means the data is gone — irreversibly removed from databases and backups. Anonymization means the data is hashed or encrypted so it cannot be linked back to a person. Regulators accept anonymized data for analytics and research because you cannot re-identify individuals. Choose deletion if you want zero residual risk; choose anonymization if you need to keep historical metrics but want to eliminate personal data.
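The answer above describes anonymized data as "hashed or encrypted"; the diagram's Anonymized note adds the property that actually matters, "Irreversibly hashed ... Cannot re-identify". The following added example (not code from the template) contrasts the two: a one-way anonymization pass that hashes direct identifiers with a per-batch salt that is discarded and truncates quasi-identifiers, versus a keyed hash whose key the organisation keeps, which the key holder can still re-link to a person and is therefore pseudonymization rather than anonymization. The record layout, field names and sample values are constructed for illustration.

```python
"""Irreversible anonymization versus re-linkable pseudonymization.

Added example, not code from the original template. The record layout,
field names and sample values are constructed for illustration.
"""
import hashlib
import hmac
import secrets

# Constructed sample record: direct identifiers, quasi-identifiers, free text.
SAMPLE_RECORD = {
    "customer_id": "cust-001",
    "email": "alice@example.com",
    "zip": "94110",
    "birth_date": "1985-07-14",
    "plan": "pro",
    "support_notes": "Called about invoice; mentioned her employer by name.",
}

DIRECT_IDENTIFIERS = ("customer_id", "email")  # hashed with a throwaway salt
FREE_TEXT = ("support_notes",)                 # dropped: cannot be anonymized reliably


def _token(value: str, salt: bytes) -> str:
    """Salted SHA-256 of a direct identifier, truncated for readability."""
    return hashlib.sha256(salt + value.encode("utf-8")).hexdigest()[:24]


def anonymize_record(record: dict, salt: bytes) -> dict:
    """One row: hash direct identifiers, generalize quasi-identifiers, drop text."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            out[f"{key}_token"] = _token(value, salt)
        elif key in FREE_TEXT:
            continue
        elif key == "zip":
            out["zip3"] = value[:3]        # truncation: 5-digit ZIP -> 3-digit prefix
        elif key == "birth_date":
            out["birth_year"] = value[:4]  # generalization: exact date -> year only
        else:
            out[key] = value
    return out


def anonymize_batch(records: list[dict]) -> list[dict]:
    """Anonymize one analytics batch with a fresh salt that is never stored.

    Rows within the batch share the salt, so the same customer gets the same
    token and joins inside the batch still work. Once this function returns
    the salt is gone: nobody can recompute a token from an e-mail address,
    and two batches of the same people are not linkable to each other.
    """
    salt = secrets.token_bytes(32)
    return [anonymize_record(r, salt) for r in records]


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) with a key the organisation keeps.

    This is pseudonymization: the output looks like the salted token above,
    but whoever holds the key can re-link it to a person (see below)."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:24]


def key_holder_can_relink(token: str, candidate: str, key: bytes) -> bool:
    """With the key and a list of candidate identifiers, each candidate can be
    tested against a stored token. That is exactly the re-identification the
    diagram's Anonymized note ("Cannot re-identify") rules out."""
    return hmac.compare_digest(pseudonymize(candidate, key), token)


if __name__ == "__main__":
    print(anonymize_batch([SAMPLE_RECORD])[0])
    retained_key = b"k" * 32  # constructed key for the demonstration
    token = pseudonymize(SAMPLE_RECORD["email"], retained_key)
    print("key holder can re-link:",
          key_holder_can_relink(token, "alice@example.com", retained_key))
```

The practical test for the Anonymized state is the one `key_holder_can_relink` performs: if anyone inside the organisation can take a stored token plus a candidate identifier and confirm a match, the data is still personal data and belongs in a different state than Anonymized.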
How do I prove compliance with this retention policy?
Keep audit logs of every deletion and anonymization — when it happened, what data was deleted, which systems received the request. Many breaches happen because deletion requests were lost in email. Use this state machine to route deletion requests through your code and log every state transition. Regulators will ask for these logs during audits.
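The Mermaid diagram above fixes which arrows exist, and this answer asks you to route requests through code and log every transition. The following added example (not the template's own code) does both in Python: it encodes the diagram's states and arrows as a transition table, refuses any event that is not an arrow out of the current state, appends every accepted transition to an audit log with the downstream systems that were notified, and turns the two 90-day windows into parameters so the "90 days" can be adapted as the page suggests. The customer ids and the names in SYSTEMS are placeholders.

```python
"""Customer-data lifecycle as an enforced state machine with an audit log.

Added example, not code from the original template. States and arrows mirror
the Mermaid diagram on this page; both 90-day windows are parameters.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class State(str, Enum):
    ACTIVE = "Active"
    INACTIVE = "Inactive"
    DELETED = "Deleted"
    EXPORT_REQUESTED = "ExportRequested"
    EXPORTED = "Exported"
    DELETION_REQUESTED = "DeletionRequested"
    ANONYMIZED = "Anonymized"


# (current state, event) -> next state. Only the arrows drawn in the diagram
# exist; anything else (e.g. a deletion request while Inactive) is refused.
TRANSITIONS = {
    (State.ACTIVE, "inactivity_expired"): State.INACTIVE,
    (State.INACTIVE, "retention_expired"): State.DELETED,
    (State.ACTIVE, "export_requested"): State.EXPORT_REQUESTED,
    (State.EXPORT_REQUESTED, "export_generated"): State.EXPORTED,
    (State.EXPORTED, "customer_downloaded"): State.ACTIVE,
    (State.ACTIVE, "deletion_requested"): State.DELETION_REQUESTED,
    (State.DELETION_REQUESTED, "data_anonymized"): State.ANONYMIZED,
}

# Placeholder names for the systems that must honour every transition.
SYSTEMS = ("app", "database", "backups", "logs", "email_archive")


class IllegalTransition(Exception):
    """Raised when an event is not an arrow out of the current state."""


@dataclass(frozen=True)
class AuditEntry:
    at: datetime
    customer_id: str
    event: str
    old: State
    new: State
    notified: tuple  # systems that received the transition


@dataclass
class Customer:
    customer_id: str
    last_activity: datetime
    state_since: datetime
    state: State = State.ACTIVE


class Lifecycle:
    def __init__(self, inactivity_window=timedelta(days=90),
                 retention_window=timedelta(days=90)):
        self.inactivity_window = inactivity_window
        self.retention_window = retention_window
        self.audit_log = []  # append-only evidence to hand to an auditor

    @staticmethod
    def is_allowed(state: State, event: str) -> bool:
        return (state, event) in TRANSITIONS

    def apply(self, customer: Customer, event: str, now: datetime) -> State:
        """Apply an event or refuse it; every accepted transition is logged."""
        if not self.is_allowed(customer.state, event):
            raise IllegalTransition(
                f"{event!r} is not allowed from {customer.state.value}")
        new = TRANSITIONS[(customer.state, event)]
        self.audit_log.append(AuditEntry(now, customer.customer_id, event,
                                         customer.state, new, SYSTEMS))
        customer.state, customer.state_since = new, now
        return new

    def sweep(self, customer: Customer, now: datetime) -> State:
        """Clock-driven arrows: Active -> Inactive once the inactivity window
        has passed since the last activity, Inactive -> Deleted once the
        retention window has passed since the record became Inactive."""
        if (customer.state is State.ACTIVE
                and now - customer.last_activity >= self.inactivity_window):
            self.apply(customer, "inactivity_expired", now)
        if (customer.state is State.INACTIVE
                and now - customer.state_since >= self.retention_window):
            self.apply(customer, "retention_expired", now)
        return customer.state


def sweep_schedule(inactivity_days: int, retention_days: int, check_days: list) -> list:
    """State names observed by a retention sweep run on the given days."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    lc = Lifecycle(timedelta(days=inactivity_days), timedelta(days=retention_days))
    c = Customer("cust-002", last_activity=t0, state_since=t0)  # placeholder id
    return [lc.sweep(c, t0 + timedelta(days=d)).value for d in check_days]


def demo() -> list:
    """Walk one record through an export and then out via retention."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    lc = Lifecycle()
    c = Customer("cust-001", last_activity=t0, state_since=t0)  # placeholder id
    lc.apply(c, "export_requested", t0 + timedelta(days=10))
    lc.apply(c, "export_generated", t0 + timedelta(days=11))
    lc.apply(c, "customer_downloaded", t0 + timedelta(days=12))
    lc.sweep(c, t0 + timedelta(days=90))   # Active -> Inactive
    lc.sweep(c, t0 + timedelta(days=180))  # Inactive -> Deleted
    return [e.event for e in lc.audit_log]


if __name__ == "__main__":
    for event in demo():
        print(event)
```

Because the table is copied from the diagram, a deletion request that arrives while a record is Inactive is refused rather than silently queued; that is one of the questions the template says a team must answer up front, and the answer belongs in the diagram before it belongs in the code.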
What happens to backups and archived data under GDPR?
Backups must also respect retention — if you keep daily snapshots, you cannot restore a 5-year-old backup to retrieve deleted personal data. Many teams put deleted data in an "Inactive" state in primary systems but keep it in isolated, encrypted archives for disaster recovery. This diagram's Inactive state represents that limbo: searchable in production, but legally off-limits for regular queries and not exposed to customer exports.