Cosgn
Retention
Last Updated: December 11, 2025
Applies To: All Cosgn Services and brands, including Launch In Ten™, Lvabl™, Cosgn Cloud™, Cosgn Credit™, Cosgn Pay™, Cosgn Hi™, RECOSGN™, Clloser™ and all future Cosgn brands and Services operated by Cosgn Inc.
This Schedule supplements the Privacy Policy and the Master Terms. Where there is a conflict, the Master Terms control (§0 and §21).
Retention practices apply across all Cosgn brands under the Unified Entity and Unified Processing Framework (§0; Privacy Policy “Group Companies”).
Cosgn retains information only for as long as necessary to fulfil:
- Service delivery and account administration
- Legal, tax, bookkeeping, regulatory, and audit obligations
- Security, incident response, fraud prevention, AML/ATF/FINTRAC duties
- Dispute resolution, collection, and administrative control rights under §3.4
- Data-exit, export, and restoration requirements under §5.5
All deletion and destruction follow NIST SP 800-88 (or equivalent) secure-erasure standards. Residual backup copies expire on standard backup rotation cycles.
Retention periods may vary by jurisdiction (e.g., PIPEDA, Québec Law 25, U.S. state laws, FINTRAC MSB rules, CRA/IRS tax rules).
1. Account, Billing & Payment Records
| Category | Purpose | Retention Period | Notes |
| Membership invoices, payment logs, Cosgn Credit™ ledgers | Legal, accounting, tax reporting | 7 years after account closure | Required by CRA/provincial law. Survives termination (§21). |
| PAD authorization records (Rule H1) | Verification and dispute evidence | 7 years | Audit and legal retention. |
| Refund/dispute/chargeback documentation | Legal evidence, administrative control | 7 years | Supports §6.9 chargeback rules and §3.4 enforcement. |
| Collections and recovery files | Enforcement | 7 years after resolution | Includes FINTRAC records tied to suspicious activity reporting. |
2. Project Data, Deliverables & Backups
| Category | Purpose | Retention Period | Notes |
| Active project files, websites, code, repositories, environments | Service continuity | While membership remains active | Under §5.1–§5.3 and administrative control rules. |
| Archived project backups | Recovery or reinstatement | 90–365 days after cancellation or suspension | Default 90 days; extended for active reinstatement windows (§5.5). |
| Deployment metadata, version history, build records | IP record, acceptance verification | Up to 3 years | Non-personal material retained under §4. |
| Domains/DNS configuration snapshots | Continuity, compliance, recovery | Until administrative control ends | Required under §3.4 and §5.1. |
3. Security, Infrastructure & Compliance Data
| Category | Purpose | Retention Period | Notes |
| Access/audit logs | Security, fraud prevention | 12–24 months | Extended if part of an incident; supports §7 and Privacy §9. |
| Incident reports, breach records | Risk management, regulatory filing | Resolution + 2 years | Law 25 and PIPEDA compliance. |
| AML/ATF/FINTRAC verification, monitoring, screening | Statutory compliance | 5–7 years | Required under FINTRAC MSB rules (§25). |
| Administrative-control activity logs | Enforcement & repayment protection | 7 years | Supports §3.4 and §6.9. |
4. Marketing, CASL, and Consent Records
| Category | Purpose | Retention Period | Notes |
| CASL consent logs | Proof of compliance | 3–5 years | Required by CASL; survives termination. |
| Unsubscribe/suppression records | Preventing future email | Indefinitely | Legal requirement under CASL. |
| Email/SMS engagement analytics | Performance analysis | Up to 24 months | Aggregated/anonymized after expiry. |
5. Support, Communication & Legal Requests
| Category | Purpose | Retention Period | Notes |
| Support tickets, chats, call logs | QA, training, dispute verification | 24 months | Extended if tied to an active dispute. |
| Regulatory, audit, or lawful-access files | Compliance with authorities | As required by law (typically 7 years) | §25 and Privacy §4 apply. |
| Accessibility requests/complaints | AODA/WCAG compliance | Up to 3 years | Required under §23. |
6. Deletion, Anonymization & Backup Rotation
Cosgn applies the following standards:
Secure Erasure: NIST SP 800-88 or equivalent.
Backup Overwrite: 30–90 days depending on storage cycle.
Anonymization: Certain operational metrics may be retained in anonymized form for:
– analytics
– capacity planning
– security research
– service improvement
Anonymized data is not treated as personal information (Privacy §Aggregated Data).
7. Data Exports, Portability, Reactivation
Export Window: You may request a data export within 90 days after cancellation (§5.5).
Formats: Standard formats (ZIP, CSV, JSON); delivery within 10 business days after identity and account verification.
Outstanding Balances: Exports are delivered only after outstanding fees (including Cosgn Credit™) are settled (§5.5, §3.4).
Reactivation: If membership is reactivated within 90 days, Cosgn may restore archived data where technically feasible.
Non-Guaranteed Elements: Deleted backups, expired domains, removed integrations, or deprecated environments cannot always be restored (§5.5).
8. Legal Holds & Exceptions
If an account, transaction, or domain is subject to:
- an investigation,
- a dispute,
- a chargeback,
- an administrative-control enforcement action, or
- a lawful request from regulators or law enforcement,
Cosgn may retain relevant data for as long as necessary, regardless of the standard schedule.
You will be notified unless prohibited by law (§25.1; Privacy §4).
9. Universal Summary Table
| Data Type | Retention Period |
| Account & billing records | 7 years after closure |
| Project files/backups | 90–365 days after termination |
| Security logs | 12–24 months |
| Marketing consent | 3–5 years |
| Unsubscribe records | Indefinitely |
| Support history | 24 months |
| AML/ATF records | 5–7 years |
| Legal/audit documentation | Typically 7 years |
| Administrative control logs | 7 years |
10. Contact
Privacy & Compliance Office
Cosgn Inc.
Unit 4800 — 1 King Street West
Toronto, Ontario M5H 1A1, Canada
Email: [email protected]