We retain data only for as long as necessary to provide the service, meet customer instructions, and satisfy legal, regulatory, or security requirements. This page outlines default periods, configuration options, and how deletion works in practice.
This policy applies to customer data processed by MediChatApp, including Protected Health Information (PHI), end-user content (e.g., portal messages and uploaded documents), system metadata, audit logs, and backups we maintain to operate a reliable and compliant service. Customer Agreements (MSA/BAA/DPA) prevail if they specify stricter or different requirements.
Retention periods below reflect our standard defaults. Most operational data can be shortened or extended within reasonable bounds per your written instructions and applicable law. Certain records (e.g., immutable audit logs) have minimum periods for security and compliance.

| Data Category | Examples | Default Retention | Notes / Options |
|---|---|---|---|
| Patient Portal Content (PHI) | Portal messages, attachments, refills, check-in forms | 7 years | Configurable (3–10 years) to align with state/plan rules. Customer may request export or purge by patient/account. |
| Encounters & Billing Artifacts | Encounter notes, codes, charge posts, claim exports | 7 years | Often governed by payer/state retention. Coordinate with EHR of record (e.g., Intergy) for master of record alignment. |
| Operational Metadata | Message routing, delivery status, queue state | 24 months | Can be tuned (12–36 months). Useful for reporting/ROI and troubleshooting. |
| Immutable Audit Logs | Access logs, admin actions, configuration changes | 7 years (minimum) | Cryptographically chained/hashed. Shortening generally not permitted; extensions allowed. |
| System Access Logs | Auth success/fail, API events, IPs, user agents | 18 months | Configurable (12–36 months). May be retained longer upon security request or legal hold. |
| Analytics on Marketing Site | Aggregated web metrics (no PHI intended) | 13 months | Subject to your consent/config; analytics are not enabled on PHI surfaces. |
| Backups (Encrypted) | Point-in-time snapshots, database backups | 35–90 days rolling | Disaster recovery; backups expire on schedule and are auto-deleted from media. |
| Support Tickets | Issue descriptions, screenshots (redacted preferred) | 24 months | Can be purged sooner on request (excluding legal holds). |
| Keys & Secrets | Integration tokens, credentials (rotated) | Active lifetime only | Rotated per policy/incident. Upon de-scoping, removed from systems and key stores. |

We publish a live list of active subprocessors and their roles on our Subprocessors page. Hosting regions and data residency are selected to meet customer and regulatory requirements; backups and redundancy follow the same regional policies where feasible.
We’ll match your regulatory map and internal policies—down to patient-level purges and log extensions.