AIMS Innovations Data Retention Policy

Effective Date: January 1, 2025
Last Updated: January 1, 2025

1. Purpose

The purpose of this Data Retention Policy is to ensure that AIMS Innovations manages and retains data in compliance with applicable laws, regulations, and ethical standards, including those related to Protected Health Information (PHI), research data, and other sensitive information. This policy outlines the retention, deletion, and secure handling of data hosted on our platform.

2. Scope

This policy applies to all data collected, processed, or stored by AIMS Innovations, including but not limited to:
  • Protected Health Information (PHI)
  • Research data
  • User-generated content
  • Operational data related to platform usage
  • Communications and metadata
It is applicable to employees, contractors, researchers, and any third parties who use or access our platform.

3. Regulatory Compliance

AIMS Innovations is committed to complying with all applicable data retention requirements, including but not limited to:

Health Insurance Portability and Accountability Act (HIPAA):

For data that includes Protected Health Information (PHI), AIMS Innovations ensures compliance with HIPAA by:
  • Encrypting all PHI both in transit and at rest to protect against unauthorized access.
  • Restricting access to PHI to authorized personnel based on a legitimate need-to-know basis.
  • Retaining PHI for a minimum of six (6) years from the date of creation or last use, or longer if required by applicable state laws or contractual obligations.
  • Implementing secure processes for the disposal of PHI, including data overwriting and physical destruction of media when no longer needed.
  • Conducting regular risk assessments to identify and mitigate potential threats to PHI security.

General Data Protection Regulation (GDPR):

For users and data originating from the EU, AIMS Innovations ensures compliance with GDPR standards by:
  • Implementing processes to support the “right to be forgotten” and data portability requests.
  • Ensuring data minimization, meaning only data necessary for specific purposes is collected and retained.
  • Conducting Data Protection Impact Assessments (DPIAs) to evaluate risks associated with data processing.
  • Retaining personal data only for as long as necessary and securely deleting it upon the completion of the specified purpose or upon user request, unless otherwise legally required.
  • Providing transparency to users about data collection and processing practices through clear privacy policies.

ISO 27001 Compliance:

AIMS Innovations adheres to the ISO 27001 standard for Information Security Management Systems (ISMS) by:
  • Conducting comprehensive risk assessments to identify and address security risks associated with data retention.
  • Documenting policies and procedures for the secure handling, retention, and deletion of data.
  • Implementing robust controls for the encryption, storage, and transfer of sensitive information.
  • Performing regular internal and external audits to verify compliance with ISO 27001 standards.

Institutional Review Board (IRB) Requirements:

For research data governed by Institutional Review Boards (IRBs), AIMS Innovations complies with the following:
  • Retaining research-related data for a minimum of three (3) years after the completion of the study or as required by the IRB.
  • Providing tools to support researchers in meeting IRB-mandated compliance requirements, including secure storage and audit trails.
  • Ensuring secure access and data handling for research teams to maintain confidentiality and integrity.
  • Collaborating with institutions and researchers to address additional data retention or compliance requirements specific to their studies.

Other Applicable Laws and Standards:

  • State Laws and Regulations: Where applicable, state-specific data retention laws for health-related data and research records are observed.
  • Sponsor or Institutional Policies: Retention requirements set by research sponsors, funding agencies, or institutions will be adhered to.

4. Data Categories and Retention Periods

The following retention periods apply by data type:
  • Protected Health Information (PHI): Minimum of six (6) years from the date of creation or last use, or as required by HIPAA or applicable state laws.
  • Research Data: Minimum of three (3) years post-study completion or as required by the IRB or funding agency.
  • User Account Information: Retained for the duration of the account’s active status and deleted within 30 days of account closure, except where retention is legally required.
  • Operational and Metadata: Retained for up to one (1) year for auditing and analytics purposes, unless anonymized.
  • Communications: Retained for two (2) years or as required for compliance purposes.

5. PHI and Sensitive Data

  • Encryption and Security: All PHI and sensitive data are encrypted both in transit and at rest to ensure compliance with HIPAA and other applicable laws.
  • Access Control: Access to PHI is restricted to authorized users with a legitimate need-to-know basis.
  • Retention Period: PHI is retained for the minimum period required by law or contract, after which it is securely deleted unless otherwise required by an active IRB or legal mandate.
  • For more details, see our Comprehensive Security Protocol Policy here.

6. Data Deletion and Disposal

  • User-Initiated Deletion: Users may request data deletion at any time. However, certain data may be retained to meet legal or regulatory obligations (e.g., IRB, GDPR, or HIPAA requirements).
  • Automated Deletion: Upon account closure, our system will:
  1. Prompt the user to download any necessary data.
  2. Permanently delete all associated data within 30 days unless retention is required.
  • Secure Disposal: Data that has exceeded its retention period will be securely deleted using industry-standard methods, including data overwriting and physical destruction of hardware where applicable.

7. Retention Beyond Standard Periods

While AIMS Innovations strives to adhere to specified retention periods, certain circumstances may require data to be retained beyond these periods, including but not limited to:
  • Legal Holds: If data is subject to ongoing litigation, government investigations, or legal proceedings, it will be retained until the resolution of these matters, regardless of standard retention periods.
  • Contractual Obligations: Data may be retained to fulfill obligations specified in agreements with research sponsors, funding agencies, or institutional partners.
  • Regulatory Requirements: In cases where specific regulatory bodies or standards mandate extended retention periods, data will be preserved accordingly.
  • Ethical Considerations: Research-related data may be retained beyond standard periods to ensure the integrity of scientific findings, enable reproducibility, or address unforeseen ethical concerns.
  • User-Specific Requests: In certain cases, users or researchers may request extended data retention for ongoing studies or compliance with institutional policies.
  • Operational Necessities: Data required for audits, compliance checks, or other operational purposes may be retained temporarily beyond standard periods until those needs are met.
Any retention beyond standard periods will be conducted in strict compliance with applicable laws, contractual terms, and institutional policies, with appropriate safeguards in place to protect the data. For more details, see our Comprehensive Security Protocol Policy here.

8. User Responsibilities

  • Users are responsible for downloading and securely storing their data before account closure.
  • Users must comply with all applicable laws, regulations, and agreements related to the data they upload or process on the platform.
  • Users are encouraged to regularly review their stored data to ensure it remains relevant and complies with retention requirements.
  • Users should immediately report any suspected data breaches or unauthorized access to AIMS Innovations for prompt investigation and action.

9. Platform Responsibilities

  • AIMS Innovations will provide tools to facilitate secure data management, including export and deletion options.
  • The platform will notify users of data retention periods and provide warnings before automated data deletion.
  • AIMS Innovations will ensure compliance with data retention policies by:
    • Conducting regular training for employees and contractors on data handling and security best practices.
    • Maintaining an up-to-date and detailed record of all data retention and deletion activities.
    • Implementing automated mechanisms to securely delete data upon reaching the end of its retention period unless otherwise specified by law or contractual obligations.
    • Managing data transfers to third parties by ensuring third-party processors comply with AIMS Innovations’ data security standards and retention policies.
  • The platform will provide a clear and accessible mechanism for users to request support regarding data management issues or policy clarifications.

10. Audits and Monitoring

AIMS Innovations will conduct regular audits to:
  • Ensure compliance with this Data Retention Policy and applicable laws, including HIPAA, GDPR, and ISO 27001.
  • Identify and address potential risks related to data retention, deletion, and security.
  • Verify the secure disposal of data that has reached the end of its retention period through documented methods such as data overwriting, degaussing, or physical destruction.
  • Evaluate and refine data handling practices to align with evolving regulatory standards and technological advancements.
  • Conduct periodic internal and external audits, including third-party assessments, to maintain certification for ISO 27001 and compliance with GDPR and HIPAA.
  • Provide detailed audit logs and records for user review upon request, where permitted by law.
Audits will be documented, and any findings will be addressed promptly through corrective action plans to mitigate risks and ensure adherence to this policy.

11. Policy Updates

This policy will be reviewed and updated:
  • Annually: To ensure alignment with changes in laws, regulations, and best practices.
  • As Needed: In response to updates in technology, new compliance requirements, or changes in business operations.
  • Transparency: Users will be notified of significant updates via email or platform announcements, with a summary of key changes provided.
  • Feedback: AIMS Innovations encourages feedback from users and stakeholders to improve the policy and its implementation. Feedback can be sent to our compliance team at compliance@aimsinnovations.com.
Policy updates will be archived for transparency and made available upon request for compliance verification. AIMS Innovations will maintain a detailed record of all historical versions of this policy for accountability and auditing purposes.

12. Contact Information

For questions or concerns regarding this Data Retention Policy, please contact us at:

AIMS Innovations Compliance Team
Email: compliance@aimsinnovations.com
Phone: 917-352-3779
Address: 16192 Coastal Hwy, Lewes, DE 19958