HOSTELELLA Legal documentation

Retention Policy

Version 1.5 Effective 27 June 2026

This policy summarizes HOSTELELLA's retention criteria. Periods may be extended where there is a legal obligation, blocking due to a claim, security investigation, audit, fraud prevention or a valid Customer instruction.

Retention matrix

CategoryIndicative periodReason
Account, profile and business membershipWhile the account is active and up to 90 days after deactivation, unless legal blocking applies.Service provision, security and support.
Documents, operational records, expenses, sales and business dataWhile the Customer maintains the service or until requested deletion/export. After deactivation, reasonable deletion within 30-90 days if no legal obligation applies.Service provision and Customer instructions.
Team, shifts, clock-ins/attendance and planning dataWhile the Customer maintains the service; operational shift data is typically of limited usefulness over time. After deactivation, reasonable deletion within 30-90 days unless legal obligation or Customer instruction.Work organization at the Customer's request (Controller); the Customer decides retention within the platform.
Absences / time off (incl. sick leave that may reveal health)While necessary for planning and per the Customer's instructions; reasonable deletion once no longer necessary or after deactivation, unless the Customer has a legal obligation.Shift planning; the Customer determines the basis and period under labor and social-security law.
Labor rules / collective agreement configured by the businessWhile the business maintains the service; versions are kept for traceability of the applied configuration.Service configuration and consistency of the shift validator.
AI usage records (requests, events and results of shift generation/extraction)Normally 12-24 months for traceability, quality and security, unless an incident or a longer legal period applies; minimized and, where possible, pseudonymized.Traceability, debugging, quality and security of AI features.
HOSTELELLA's own tax, accounting or billing dataUp to 6 years or the applicable legal period.Commercial, tax and accounting obligations.
Consents, accepted terms and legal auditDuring the contractual relationship and up to 5 years afterwards or the period needed to defend claims. After account deletion, only minimal, blocked evidence will be kept where necessary.Contractual proof, compliance and legal defense.
Security, access and technical activity logsNormally 12-24 months, unless incident, fraud or legal obligation.Security, abuse prevention and incident investigation.
Support, transactional emails and incidentsUp to 3 years from closure, unless claim or higher obligation.Support, quality, continuity and defense of claims.
Rights requests and account deletionUp to 5 years from request closure, including normalized email, user identifier, status, timestamps and minimal processing events where necessary.Proof of compliance and defense against claims.
BackupsUsual technical cycle of up to 90 days, unless legal backups or incidents.Continuity, error recovery and security.
Anonymized or aggregated dataNo fixed period as long as it does not allow identifying a person.Statistics, service improvement and internal analysis.

Deletion and blocking

When the applicable period ends, HOSTELELLA will delete, anonymize or block data as appropriate. Blocking limits processing to legal obligations, security, audit or defense of claims.

In account deletion processes, HOSTELELLA will delete operational account data and may keep, in a blocked state, minimal records of consent, accepted terms, deletion request, fraud/abuse, security and compliance where there is a legal basis or prevailing legitimate interest to demonstrate compliance or defend claims.

Data processed as a processor

When HOSTELELLA acts as a processor (including team, shift and absence data), the Customer decides the retention periods for its data within the platform. HOSTELELLA will apply reasonable deletion or export instructions, except for a legal or legitimate technical obligation. The Customer is responsible for complying with the labor and social-security retention periods applicable to it.