Data Retention Policy

Draft applications

180 days of inactivity; hard-deleted at 365 days

Drafts that receive no updates for 180 days are flagged as inactive. If still inactive at day 365, the draft record (including any partial document uploads) is permanently deleted to prevent accumulation of stale personal information.

Submitted applications — under review

Until a decision is issued

Retained in full during active review. Verification communications with references, banks, sureties, insurers, and regulators are logged in the audit trail.

Rejected applicants

3 years from the date of rejection

After 3 years, the application record, document uploads, and encrypted identifiers are deleted. Associated audit-log entries describing the rejection decision are retained under the audit-log rule below.

Withdrawn applications

3 years from the date of withdrawal

Same treatment as rejected applicants.

Approved subcontractors — active relationship

For the life of the business relationship

Application data, supporting documents, tier assignments, score history, and associated audit events are retained for as long as the subcontractor has an active pre-qualification or outstanding contract obligations to KenHome, its owners, or its project stakeholders.

Approved subcontractors — post-relationship

7 years after the end of the relationship

After the subcontractor’s pre-qualification is not renewed and no active projects remain, records are retained for an additional 7 years to satisfy statutes of limitation applicable to construction (typically 4–10 years depending on jurisdiction), audit obligations to ISDs and federal agencies, and insurance/bonding claims windows.

Expired pre-qualifications (no renewal)

3 years after expiration

If the subcontractor had no awarded projects and does not renew, the profile is retained for 3 years to support renewal at a later date, after which it is deleted. Profiles with any awarded work follow the 7-year post-relationship rule above.

Superseded uploaded documents

3 years from the date the document was replaced

When a subcontractor uploads a renewed COI, license, EMR, OSHA 300A, bonding letter, or financial statement, the prior version is retained for 3 years to support historical review, then deleted.

Bid invitations and responses

7 years from the bid due date

Retention of bid-invitation records, response status, and award decisions is aligned with construction statute-of-limitation windows and may be extended if litigation is reasonably anticipated.

Audit log

7 years from the event date

Every administrative action — status change, tier assignment, score calculation, score override, note, bid invitation, login and logout — is retained for 7 years for compliance, accountability, and statutory purposes.

Password reset tokens

Token: 60 minutes after creation; record: 90 days

A password reset token is usable for 60 minutes after it is issued and is invalidated on use. The record of the reset request (excluding the token value) is retained for 90 days for security monitoring.

Session tokens (cookies)

Rolling 30 days from last activity

Applicant and admin sessions are signed JWTs stored only in HTTP-only cookies; they are not persisted server-side. Sessions auto-expire after 30 days of inactivity.

Encrypted identifiers (EIN, SSN last-4, parent EIN)

Tied to the parent record’s retention

Encrypted at rest with AES-256-GCM. When the parent record is deleted, the ciphertext and any associated key references are removed. Keys are rotated periodically; rotation does not make historical ciphertext unreadable while retention remains in effect.

Transactional email archives

12 months (with our email provider)

Delivery receipts, bounce and complaint events, and message bodies are retained with our email provider (Resend) for up to 12 months for deliverability troubleshooting, then deleted on their side. KenHome does not maintain a separate long-term archive of outbound emails.

Server and security logs

90 days

Infrastructure logs (HTTP access, error traces) are retained for 90 days by the hosting provider for debugging and abuse monitoring. Sensitive query data is not logged.