Data Retention and Deletion Policy

1. Purpose and Scope

This policy governs the retention, archival, and deletion of consumer data processed by Artomai Inc., operating as WorkSimpli ("WorkSimpli," "we," "us," "our"). It applies to all personal information and business records collected from or on behalf of WorkSimpli customers, their employees, vendors, and clients.

Two regulatory frameworks shape this policy, and they can conflict:

PIPEDA (Personal Information Protection and Electronic Documents Act) requires that personal information not be retained longer than necessary for the purpose for which it was collected. Individuals have the right to request deletion of their personal information.

Income Tax Act §230 requires employers and businesses to retain payroll records, tax filings, and books of account for a minimum of six years following the end of the relevant tax year.

Where a user requests deletion of data that is subject to a CRA retention obligation, the statutory requirement prevails. The user will be notified of the specific legal basis for continued retention and the date on which the hold expires.

2. Definitions

"Regulatory data" means records that WorkSimpli is required by federal or provincial statute to retain, including payroll records, tax slips (T4, T4A), journal entries, general ledger transactions, and supporting documentation required by CRA for audit purposes.

"Non-regulatory PII" means personal information collected for operational purposes that is not subject to a statutory retention requirement, such as custom fields, personal notes, and user preferences.

"Active data" means data associated with a current, paid WorkSimpli subscription that the customer can access and modify through the application.

"Archived data" means data that has passed its active-use period but remains subject to a regulatory retention obligation. Archived data is held in encrypted cold storage, is not accessible through the application, and is retained only for the duration required by law.

"Hard delete" means the permanent and irrecoverable removal of data from all production systems, backups, and archives.

"Soft delete" means data that has been flagged as deleted and removed from application visibility but remains in the database until the applicable retention period expires, at which point it is hard deleted.

3. Retention Schedule

The table below sets out the retention period, legal basis, and deletion method for each category of data processed by WorkSimpli.

4. Deletion Procedures

4.1 Automated Retention Enforcement

WorkSimpli operates a scheduled retention process that evaluates each data category against its prescribed retention period and performs the applicable action (archive or delete). Routine retention enforcement does not require manual intervention.

4.2 Subscription Cancellation Flow

When a customer cancels their subscription, data proceeds through the following stages:

Cancellation confirmed. Data remains fully accessible until the end of the current billing period.

Billing period ends. A 7-day read-only grace period begins. The account owner is notified by email.

Grace period expires. The account is suspended. Data is retained but is no longer accessible through the application.

60 days post-suspension. Non-regulatory data is scheduled for hard deletion. The account owner receives a 14-day advance warning by email.

Regulatory data. Payroll records, GL transactions, and tax records are transferred to encrypted cold archive for the remainder of the applicable retention period as set out in Section 3.

4.3 Category-Specific Procedures

Payroll records and tax slips. Archived to encrypted cold storage after 6 years. A final review is conducted before hard deletion to confirm that no outstanding CRA audit or reassessment applies.

Journal entries and GL transactions. Soft-deleted in the production database after 6 years, then transferred to encrypted archive. Hard deleted once the review confirms no regulatory hold is in effect.

Bank transaction data. Hard deleted after the current fiscal year plus one additional year. Plaid access tokens are deleted immediately upon disconnection of the bank link.

Employee PII. Non-tax fields (phone number, personal email, emergency contact) are anonymized once the retention period expires. Fields required for tax record integrity (name, SIN, address at time of employment) remain in encrypted archive for the full 6-year period.

Social Insurance Numbers. Encrypted at rest using AES-256 for the duration of the retention period. Hard deleted (not anonymized) after 6 years from the end of the relevant tax year.

Account and billing data. Hard deleted 60 days after subscription cancellation. No archive copy is maintained.

Non-regulatory PII. Hard deleted 60 days after subscription cancellation or upon receipt of a user deletion request, whichever is earlier.

5. Consumer Deletion Requests

WorkSimpli processes deletion requests in accordance with PIPEDA Principle 4.3.8 (right of access) and Principle 4.5 (limiting use, disclosure, and retention).

5.1 How to Request Deletion

Deletion requests may be submitted through the account settings page within WorkSimpli or by email to privacy@artomai.com.

5.2 Processing Timeline

Requests are acknowledged within 5 business days and completed within 30 calendar days of receipt.

5.3 Regulatory Hold Disclosure

Where a deletion request covers data that is subject to a regulatory retention obligation, WorkSimpli will:

(a) identify the specific data categories that cannot yet be deleted;

(b) disclose the legal basis for continued retention (ITA §230, CRA employer record-keeping);

(c) provide the expected date on which the regulatory hold expires and deletion will occur; and

(d) delete all non-regulated data within the 30-day processing window.

5.4 Identity Verification

WorkSimpli verifies the identity of the requester before processing any deletion request. For in-app requests, verification is performed through the authenticated session. For requests submitted by email, verification is performed through email confirmation and identity validation.

6. Regulatory Holds

6.1 CRA 6-Year Requirement

The Income Tax Act §230(1) requires every person carrying on a business in Canada to keep records and books of account for six years from the end of the last taxation year to which they relate. For employers, this obligation extends to payroll records, T4 and T4A information returns, and supporting documentation.

This statutory obligation overrides any deletion request or PIPEDA-based right to erasure for the affected data categories. WorkSimpli will not delete payroll records, tax slip data, journal entries, or general ledger transactions before the 6-year retention period has elapsed, whether or not the customer has cancelled their subscription or submitted a deletion request.

6.2 CRA Audit or Reassessment

If WorkSimpli receives notice of a CRA audit, reassessment, or investigation affecting specific customer data, the retention period for that data is extended until the matter is fully resolved. The affected customer will be notified of the hold unless notification is prohibited by law.

6.3 Legal Proceedings

Where WorkSimpli becomes aware of actual or reasonably anticipated legal proceedings involving customer data, a litigation hold will be placed on the relevant records. The hold supersedes the standard retention schedule and remains in effect until the matter concludes and legal counsel authorizes its release.

7. Data Security During Retention

All data subject to this policy, whether active, archived, or pending deletion, is protected by the following controls:

(a) encryption at rest (AES-256) for all database storage and backups;

(b) encryption in transit (TLS 1.2 or higher) for all connections;

(c) row-level security enforcing company-scoped data isolation; and

(d) access logging for all queries against archived data.

Archived data in cold storage is encrypted using a key that is separate from the production encryption key. Access to archived data requires a documented and audited retrieval process.

8. Review Cadence

This policy is reviewed (a) annually, on or before the anniversary of the effective date; (b) upon any amendment to CRA record-keeping requirements, PIPEDA guidance, or provincial privacy legislation affecting our obligations; and (c) upon any material change to WorkSimpli's data processing activities, including the introduction of new data categories, third-party integrations, or jurisdictional expansion.

The current version of this policy is available at /data-policy.

9. Contact