Data Retention Policy
Last updated: {{ now()->format('F j, Y') }} · Compliant with NDPA 2023 Data Minimization Principles
1. Purpose
This policy defines how long Hotshots Tennis Academy retains personal data, the criteria for retention periods, and the procedures for data disposal. It ensures compliance with the Nigeria Data Protection Act (NDPA) 2023 principle of storage limitation — personal data shall not be kept longer than is necessary for the purpose for which it was collected.
2. Retention Schedule
| Data Category | Retention Period | Justification |
|---|---|---|
| Player enrollment records | Duration of enrollment + 3 years | Re-enrollment facilitation, NTF records |
| Guardian contact details | Duration of enrollment + 1 year | Communication, emergency contact |
| Medical records | Duration of enrollment + 1 year | Duty of care obligations |
| Attendance logs | Current academic year + 2 years | Performance tracking, reporting |
| Skill assessments | Duration of enrollment + 3 years | Player development history, NTF records |
| Coach notes | Duration of enrollment + 1 year | Development context |
| Payment records | 7 years from transaction date | Financial audit, tax compliance |
| Media (photos/videos) | Duration of enrollment + 1 year | Progress documentation |
| Magic link / portal access logs | 90 days from last access | Security monitoring |
| Tournament application records | Duration of enrollment + 3 years | NTF/ITF competition history |
3. Data Disposal Methods
- Anonymization: Personal identifiers (name, DOB, school) are replaced with "REDACTED" values. The record is retained for statistical purposes but cannot be linked to an individual.
- Soft Deletion: Records are marked as deleted and hidden from the active interface but retained in the database for the retention period.
- Permanent Deletion: After the retention period expires, soft-deleted records are permanently purged from the database.
- Media Deletion: Photos and videos are permanently removed from storage upon request or at the end of the retention period.
4. Data Subject Requests
Under the NDPA 2023, guardians may request:
- Early Erasure: Request data deletion before the retention period expires. The Academy will process valid requests within 30 days, subject to legal retention obligations (e.g., payment records must be kept for 7 years).
- Data Export: Request a CSV export of all data held about their child. Available via the admin panel.
- Data Purge: Request full anonymization via the "Purge Data" function, which redacts all PII, deletes coaching data, and archives the record.
5. Automated Processes
- Portal magic links expire automatically after 30 days.
- Stale sessions are pruned daily (sessions older than 24 hours).
- No automated decision-making or profiling is performed on player data.
6. Review
This policy is reviewed annually or when significant changes to data processing occur. The Academy's data protection practices are overseen by the administration team in consultation with legal counsel as needed.