Data Retention Policy | EnrollSmartNow

This Data Retention Policy explains how long EnrollSmartNow, LLC retains different categories of data we collect, why we retain it, and how it is eventually deleted or archived.

Retention Schedule

Data Category	Retention Period	Reason
TCPA Consent Records Jornaya LeadiD, TrustedForm cert, consent text/HTML snapshot, IP, timestamp, user agent, page URL	Minimum 5 years	Legal requirement — TCPA statute of limitations is 4 years; best practice is 5 years to account for discovery delays. Required by TCPA litigation defense standards.
Lead Data Name, email, phone, ZIP, DOB, gender, vertical-specific fields	3 years after submission	Business operations, dispute resolution, buyer contract compliance.
Access Logs / Rate Limit Records	48 hours	Rate limiting and fraud prevention only. No longer needed after this period.
Audit Logs	3 years	Security auditing, compliance verification, dispute resolution.
B2B Partner Records	5 years after contract end	Contract dispute resolution, legal compliance.
Lead Distribution Logs	5 years	TCPA downstream liability documentation — must be able to demonstrate which buyer received which lead and when.
Privacy Request Records Do Not Sell requests, deletion requests	3 years	CCPA compliance verification.
Error Logs	90 days	System debugging and security monitoring.

Why We Keep Consent Records for 5 Years

The TCPA has a 4-year statute of limitations for private actions (28 U.S.C. § 1658). This means a consumer can bring a TCPA lawsuit up to 4 years after the alleged violation. We retain consent records for 5 years to ensure we can defend any such claim throughout the full limitations period, including time for discovery after a claim is filed.

Our consent records include the Jornaya LeadiD token, TrustedForm certificate URL, the exact HTML of the consent section as displayed, the verbatim consent text, IP address, timestamp, user agent, and consumer action log. These records constitute our primary legal defense that any contact with a consumer was done with proper TCPA consent.

Deletion and Archival Process

Upon expiration of the applicable retention period:

Standard lead data is permanently deleted from our active database.
TCPA consent records are archived to a secure, access-restricted storage system before deletion from the active database.
Archived records are encrypted and access is logged.
Archived records are permanently deleted at the end of the 5-year retention period.

Note: Deletion requests from consumers (CCPA/CPRA or otherwise) cannot result in deletion of TCPA consent records we are legally required to retain. We will inform you if this applies to your request.

Security of Retained Data

All retained data is protected by: encryption at rest (AES-256), encryption in transit (TLS 1.2+), access controls (role-based, least privilege), activity logging, and regular security reviews.

Contact

Questions about our data retention practices: privacy@enrollsmartnow.com