Retention schedule

Retention is the discipline of holding personal data only as long as a lawful basis exists. The Suite ships a default schedule mapped to Kenyan obligations and a daily cron that flags candidates for the DPO's review before the actual purge.

Retention evidence
Auto-purge cron run logs.

The shipped retention schedule

CategoryRetainAuthorityAction at expiry
Member identity + KYC7 years post account closurePOCAMLA + KDPAAnonymise
Loan + savings transactions7 yearsCompanies Act + KRAArchive then anonymise
AML records (STR/CTR)10 yearsPOCAMLAArchive (cannot anonymise)
Audit logs (mail.message)7 yearsISO 27001 + SOC 2Archive to cold storage
HR records7 years post separationEmployment ActAnonymise
Marketing dataUntil consent withdrawnKDPADelete on toggle
iBANK session logs1 yearOperationalDelete
Cookies (non-essential)13 monthsEU + KDPABrowser-side TTL
Suspicious activity reports10 yearsPOCAMLAArchive
CRB submissions5 yearsCRB ActAnonymise

The retention cron

Runs daily at 02:30. For each category, queries records past their retention window and flags them as candidates for DPO review. Nothing is purged automatically — the DPO must approve each batch before the second cron (weekly at Sunday 03:00) executes deletions or anonymisations.

Note — Two-stage flow prevents accidental mass deletions. The flag-cron is read-only; the purge-cron requires DPO sign-off on the queue.

Worked scenarios

Scenario — Florence reviews the weekly retention queue

Setting: Friday afternoon, DPO is doing her weekly admin.

CharacterRole
Florence AchiengDPO

Timeline

  1. Fri 14:00: Opens MFI → Privacy → Retention queue. 47 candidates listed (members whose accounts closed 7+ years ago).
  2. 14:05: Filters out 12 with open CTR holds (POCAMLA 10-year still binding).
  3. 14:10: Spot-checks 5 random candidates — all confirmed closed, no balances, no holds. (Sample passes)
  4. 14:15: Bulk-selects the remaining 35 → Action → Approve anonymisation. (35 marked anonymise_approved=True)
  5. Sun 03:00: Purge cron runs. 35 records anonymised. Certificate batch generated.
  6. Mon 09:00: Florence reviews the certificate batch + signs as record-keeping.

Outcome — Retention discipline maintained; 35 expired records anonymised cleanly with audit trail.

Reference

When categories conflict (longest wins)

If member hasThen retain at leastBecause
Any CTR in last 10 years10 years from last CTRPOCAMLA
Any tax doc in last 7 years7 years from doc dateKRA
Active CRB negative listing5 years from listingCRB Act
Open AML caseIndefiniteInvestigation in progress
Pending court orderUntil court releasesStatutory hold

Troubleshooting

SymptomLikely causeFix
Cron stuck — no flags created for 3 daysCron disabled or workers throttledSettings → Technical → Scheduled actions → Retention flag cron → Run manually; check logs.
Purge cron deleted records DPO hadn't approvedAnonymise_approved flag manipulated by another scriptRestore from last night's backup; investigate which user/system flipped the flag (audit chatter on the records).
ODPC asks for proof of last quarter's anonymisationsStandard auditMFI → Privacy → Reports → Anonymisation certificates → filter by date; export PDF.
Some records flagged but cannot be anonymisedFK constraint — e.g., still referenced by an open support caseClose dependents first; re-run the purge for those records.

See also

Was this page helpful?