An official registry of THRY ARCHIVE LLC

Document Retention Policy

Effective Date: June 1, 2026 | Version 1.0 | Document ID: DRP-RLR-2026-001


1. Purpose and Scope

1.1 Purpose

This Document Retention Policy ("Policy") establishes the requirements and procedures governing the retention, storage, preservation, and disposal of all records and documents created, received, or maintained in connection with the Record Label Registry ("the Service"), operated by THRY ARCHIVE LLC ("THRY ARCHIVE," "we," "us," or "our") at recordlabelregistry.com.

The purpose of this Policy is to ensure that THRY ARCHIVE LLC maintains records in compliance with applicable federal, state, and international laws and regulations; preserves records necessary to protect the legal and business interests of the organization and its users; ensures the systematic and timely disposal of records that are no longer required for business, legal, or regulatory purposes; and provides a consistent, transparent framework for the management of organizational data throughout its lifecycle.

1.2 Scope

This Policy applies to all records and documents generated, received, maintained, or otherwise held by THRY ARCHIVE LLC in connection with the operation of the Record Label Registry. This includes, without limitation:

  • Electronic records: database entries, application logs, email communications, digital files, API transaction records, and all data stored within cloud infrastructure.
  • Physical records: printed correspondence, signed agreements, and any tangible documents related to the Service.
  • Structured data: records stored in relational databases, spreadsheets, and other organized data systems.
  • Unstructured data: email messages, support correspondence, free-text notes, uploaded documents, and similar materials not stored in a fixed schema.

This Policy applies to all personnel, including employees, contractors, agents, and third-party service providers who create, receive, or maintain records on behalf of THRY ARCHIVE LLC.

2. Definitions

For the purposes of this Policy, the following terms shall have the meanings set forth below:

2.1 Record

Any information, regardless of format or medium, that is created, received, or maintained by THRY ARCHIVE LLC in the transaction of business or the conduct of affairs relating to the Record Label Registry. Records include, but are not limited to, database entries, files, logs, reports, and communications.

2.2 Document

A subset of records that is fixed in a tangible or electronic medium and serves as evidence of a transaction, decision, or communication. Documents include contracts, policies, correspondence, invoices, and similar materials.

2.3 Retention Period

The minimum duration for which a record or document must be preserved before it becomes eligible for disposal. Retention periods are determined by applicable law, regulatory requirements, contractual obligations, and legitimate business needs.

2.4 Disposal

The act of permanently destroying or deleting a record in accordance with authorized procedures, such that the record cannot be reconstructed, retrieved, or accessed. Disposal methods include secure electronic deletion, cryptographic erasure, and physical destruction.

2.5 Legal Hold

A directive issued to preserve all records and documents that may be relevant to pending or reasonably anticipated litigation, investigation, audit, or regulatory proceeding. A legal hold supersedes all applicable retention schedules and disposal procedures.

2.6 Custodian

Any individual or role within THRY ARCHIVE LLC who is responsible for the creation, maintenance, storage, or disposal of records. Custodians include system administrators, department heads, and any personnel designated as responsible for specific categories of records.

2.7 Personal Data

Any information that relates to an identified or identifiable natural person, as defined under applicable privacy laws including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Personal data includes names, email addresses, IP addresses, account credentials, and other information that can be used to directly or indirectly identify an individual.

2.8 Business Record

A record created or maintained in the ordinary course of business operations, including internal communications, operational reports, financial documents, and administrative records necessary for the management and operation of the Service.

2.9 Transactional Record

A record that documents a specific transaction between THRY ARCHIVE LLC and a user or third party. Transactional records include payment records, invoices, verification applications, registration submissions, and service agreements.

3. Retention Schedule

3.1 General Provisions

The following retention schedule establishes the minimum retention periods for each category of data maintained by the Record Label Registry. Records may be retained beyond the stated retention period where required by law, legal hold, ongoing contractual obligation, or legitimate business need. No record shall be disposed of prior to the expiration of its applicable retention period unless authorized in writing by the Data Protection Lead or Chief Executive Officer.

3.2 Schedule of Retention Periods

| Data Category | Description | Retention Period | Legal Basis | Disposal Method |
|---|---|---|---|---|
| Account Registration Data | User account information including name, email address, hashed credentials, and account preferences | Duration of account + 3 years after closure | Contract performance | Secure electronic deletion |
| Label Profile Data | Label name, Registry ID, year founded, country of operation, genre(s), description, website, social media links, and associated metadata | Duration of registration + 5 years | Regulatory compliance | Secure electronic deletion with anonymization |
| Verification Records | Verification applications, supporting evidence, review decisions, verification scores, and status history | 7 years from verification date | Regulatory; evidentiary | Secure electronic deletion with audit trail |
| Financial/Billing Records | Payment transaction records, Stripe transaction identifiers, invoices, refund records, and billing correspondence | 7 years per IRS requirements | Tax/financial regulation (26 U.S.C. Section 6501) | Secure electronic deletion |
| Corporate Entity Filings | Business entity verification documents, corporate formation records, and related compliance filings | 7 years from last verification | Corporate compliance | Secure electronic deletion |
| Audit Logs | System audit trails, administrative action logs, data modification records, and access control events | 3 years | Security and compliance | Automated purge with verification |
| API Usage Logs | API request/response logs, rate limiting records, endpoint usage metrics, and API key activity | 12 months | Operational monitoring | Automated purge |
| Email Communications | Transactional emails, system notifications, verification correspondence, and administrative communications sent via Resend | 3 years | Business records | Secure electronic deletion |
| Support Correspondence | User support tickets, inquiry records, complaint documentation, and resolution notes | 2 years from resolution | Service improvement | Secure electronic deletion |
| Marketing Consent Records | Records of consent to marketing communications, opt-in/opt-out timestamps, and consent withdrawal documentation | Duration of consent + 2 years | GDPR/CAN-SPAM compliance | Secure electronic deletion |
| Login and Security Logs | Authentication events, failed login attempts, session records, IP addresses, and security incident logs | 12 months | Security monitoring | Automated purge |
| Data Export Requests | Records of data portability requests, data subject access requests (DSARs), and fulfillment documentation | 12 months | Compliance documentation | Secure electronic deletion |
| Compliance Check Records | Auto-verification results, compliance scoring data, flagged review records, and regulatory check documentation | 5 years | Regulatory compliance | Secure electronic deletion with audit trail |
| Streaming Analytics Data | Aggregated streaming platform metrics, DSP performance data, and analytics reports associated with registered labels | 24 months | Service delivery | Automated purge with anonymization |

3.3 Commencement of Retention Periods

Unless otherwise specified, retention periods commence on the date of creation of the record or, for records associated with a specific event (such as account closure, verification completion, or dispute resolution), on the date of the triggering event. Where a record falls within multiple categories, the longest applicable retention period shall govern.

3.4 Aggregated and Anonymized Data

Data that has been irreversibly aggregated or anonymized such that it can no longer be associated with any identified or identifiable individual is not subject to the retention periods set forth in this Policy. Such data may be retained indefinitely for analytical, statistical, or research purposes.

4. Storage and Security

4.1 Infrastructure

All electronic records maintained by the Record Label Registry are stored within secure cloud infrastructure. The primary data store is a PostgreSQL database hosted by Neon, with the application layer hosted on Vercel. Physical security for all infrastructure is managed by the underlying cloud providers (AWS for Neon database services; Vercel infrastructure for application hosting).

4.2 Encryption

All data is encrypted at rest using AES-256 encryption and in transit using TLS 1.2 or higher. Database connections require SSL/TLS encryption. Sensitive credentials, API keys, and authentication tokens are stored using environment-level encryption and are never committed to source control.

4.3 Access Controls

Access to records is restricted by role-based permissions enforced at both the application level and the infrastructure level. Only authorized personnel with a legitimate business need may access records containing personal data or sensitive business information. Administrative access is logged and subject to periodic review.

4.4 Backups

Regular automated backups are performed in accordance with the backup schedule established by the infrastructure provider. Backup integrity is verified through periodic restoration testing. Backup retention follows a 30-day rolling cycle, after which backup media are securely overwritten.

4.5 Incident Response

In the event of a security incident affecting records subject to this Policy, THRY ARCHIVE LLC will follow its incident response procedures, including containment, investigation, notification to affected parties where required by law, and remediation. Security incidents are documented and retained in accordance with the audit log retention period specified in Section 3.2.

5. Legal Holds

5.1 Issuance

When litigation, government investigation, regulatory inquiry, or audit is pending or reasonably anticipated, a legal hold shall be issued to preserve all records that may be relevant to the matter. A legal hold supersedes all retention schedules and disposal procedures set forth in this Policy. Only authorized personnel, specifically the Chief Executive Officer or designated legal counsel, may issue a legal hold.

5.2 Notification

Upon issuance of a legal hold, all affected custodians shall be notified in writing. The notification shall identify the scope of the hold, the categories of records subject to preservation, and the anticipated duration. Custodians must acknowledge receipt of the legal hold notice and confirm their understanding of their preservation obligations.

5.3 Duration

A legal hold remains in effect until formally released in writing by the individual or office that issued the hold. Upon release, records that have exceeded their applicable retention periods may be disposed of in accordance with the procedures described in Section 6.

5.4 Non-Compliance

Failure to comply with a legal hold is a serious violation of this Policy and may result in disciplinary action, up to and including termination of employment or contract. Non-compliance may also expose THRY ARCHIVE LLC to adverse legal consequences, including sanctions, adverse inference instructions, or monetary penalties.

6. Disposal Procedures

6.1 Authorization

Records shall only be disposed of after the expiration of the applicable retention period and with appropriate authorization. No records subject to a legal hold, pending investigation, or active dispute shall be disposed of regardless of the expiration of the retention period.

6.2 Electronic Records

Electronic records shall be disposed of through secure deletion methods that render the data unrecoverable. This includes cryptographic erasure for encrypted data stores and verified deletion for database records. All electronic disposals shall be logged in the audit system with a record of the data category, disposal date, method of disposal, and the identity of the authorizing individual.

6.3 Database Records

Database records shall be permanently removed through hard deletion operations. Where partial retention is required (for example, where certain fields must be retained for legal compliance while others are eligible for disposal), anonymization shall be applied to the disposable fields. All database deletions shall be accompanied by an audit trail entry documenting the operation.

6.4 Backup Media

Backup media containing records eligible for disposal shall be cycled out in accordance with the backup retention schedule (30-day rolling cycle). Records stored in backups that have exceeded their retention period will be disposed of as the backup media rotates through its scheduled lifecycle. Emergency disposal of specific records from backup media is available where legally required.

6.5 File Storage

Files stored in cloud storage or local file systems shall be disposed of through secure wipe procedures that comply with NIST SP 800-88 Guidelines for Media Sanitization, where applicable. Secure wipe operations shall be verified and documented.

6.6 Certificates of Destruction

Certificates of destruction are available upon request for any disposal operation. Certificates document the category of records destroyed, the date of destruction, the method of destruction, and the responsible party. Requests for certificates of destruction should be directed to privacy@recordlabelregistry.com.

6.7 Disposal Logging

All disposal actions are recorded in the system audit log. Disposal log entries include the data category, volume of records disposed, date and time of disposal, method of disposal, identity of the authorizing party, and confirmation of successful completion. Disposal logs are retained for the duration specified for audit logs in Section 3.2.

7. Data Subject Requests

7.1 Right to Erasure

Data subjects may request the erasure of their personal data pursuant to Article 17 of the General Data Protection Regulation (GDPR) or applicable provisions of the California Consumer Privacy Act (CCPA). Erasure requests shall be processed within 30 days of receipt of a verified request, in accordance with the procedures described in our Privacy Policy.

7.2 Exemptions from Erasure

Certain categories of data are exempt from erasure requests where retention is required for compliance with legal obligations or the exercise or defense of legal claims. Exempt categories include:

  • Records required to be retained under applicable tax, financial, or corporate laws for the duration of the applicable statutory retention period.
  • Records necessary for the establishment, exercise, or defense of legal claims.
  • Records required for fraud prevention and detection purposes.
  • Financial and billing records within the applicable tax retention period (7 years per IRS requirements).
  • Records subject to an active legal hold.

7.3 Partial Erasure and Anonymization

Where full deletion of a record conflicts with a legal retention obligation, partial erasure shall be applied. Partial erasure involves the anonymization or pseudonymization of personal data fields while retaining the non-personal components of the record necessary for legal compliance. Anonymization shall be performed in a manner that renders re-identification of the data subject impossible using reasonably available means.

7.4 Documentation of Erasure Requests

All erasure requests and their outcomes are documented and retained for 12 months in accordance with the data export requests retention period specified in Section 3.2. Documentation includes the date of the request, the identity of the requestor (where verified), the categories of data affected, and the action taken (full erasure, partial erasure, or denial with stated reason).

8. Exceptions and Extensions

8.1 Grounds for Extension

Records may be retained beyond their scheduled retention period under the following circumstances:

  • The records are the subject of, or relevant to, an active legal dispute, claim, or proceeding.
  • The records are subject to a regulatory investigation, audit, or inquiry by a governmental authority.
  • The records are required to fulfill an ongoing contractual obligation that extends beyond the standard retention period.
  • A legal hold has been issued that encompasses the records in question.

8.2 Documentation and Review

All retention extensions must be documented in writing, specifying the reason for the extension, the categories of records affected, and the expected duration of the extension. Extensions are reviewed quarterly by the Data Protection Lead to determine whether the conditions necessitating the extension remain in effect.

8.3 Duration of Extensions

Temporary extensions are limited to the duration of the triggering event plus 90 calendar days. At the conclusion of the triggering event (such as resolution of a dispute or completion of an investigation), the 90-day grace period allows for orderly review and disposal of the affected records. Permanent exceptions require written approval from the Chief Executive Officer and must be reviewed annually.

9. Roles and Responsibilities

9.1 Data Protection Officer / Privacy Lead

The Data Protection Officer or designated Privacy Lead is responsible for overseeing compliance with this Policy, coordinating responses to data subject requests, managing legal holds, conducting periodic audits of retention practices, and serving as the primary point of contact for all data protection inquiries. The Privacy Lead reports to the Chief Executive Officer on matters of retention compliance and data protection.

9.2 System Administrators

System Administrators are responsible for implementing and maintaining technical retention controls within the application and database infrastructure. This includes configuring automated purge schedules, managing backup retention cycles, ensuring the integrity of disposal operations, and maintaining audit logs of all retention-related system activities.

9.3 Department Heads

Department Heads are responsible for ensuring that all personnel within their functional area understand and comply with this Policy. Department Heads shall ensure that records created or maintained within their area of responsibility are managed in accordance with the applicable retention schedules and that disposal procedures are followed.

9.4 All Employees and Contractors

All employees, contractors, and agents of THRY ARCHIVE LLC are required to comply with this Policy. Compliance obligations include adhering to the retention schedules applicable to records within their custody or control, cooperating with legal hold directives, reporting potential violations to the Data Protection Lead, and completing any required training on records management and data protection.

10. Policy Review and Updates

10.1 Review Schedule

This Policy shall be reviewed at least annually, or more frequently upon the occurrence of a significant regulatory change, material change to business operations, security incident, or organizational restructuring that affects data retention practices.

10.2 Version History

A complete version history of this Policy is maintained, documenting each revision, the date of the revision, a summary of changes made, and the identity of the approving authority. Prior versions of this Policy are retained and are available upon request by contacting privacy@recordlabelregistry.com.

10.3 Notification of Changes

Users of the Record Label Registry will be notified of material changes to this Policy at least 30 days in advance of the effective date of the change. Notification will be provided through the Service and, where appropriate, by email to registered account holders. Continued use of the Service following the effective date of a material change constitutes acceptance of the updated Policy.

Version History

| Version | Date | Description | Approved By |
|---|---|---|---|
| 1.0 | June 1, 2026 | Initial publication | THRY ARCHIVE LLC |

11. Compliance and Enforcement

11.1 Monitoring and Auditing

THRY ARCHIVE LLC conducts regular audits of retention compliance to ensure that records are being retained and disposed of in accordance with this Policy. Audits may include review of automated retention controls, sampling of records across data categories, verification of disposal logs, and assessment of legal hold compliance.

11.2 Non-Compliance

Non-compliance with this Policy may result in disciplinary action, up to and including termination of employment or contract. The severity of disciplinary action shall be proportionate to the nature and extent of the violation, considering factors such as whether the non-compliance was intentional, the volume of records affected, and any resulting harm to the organization or data subjects.

11.3 Reporting Violations

Any individual who becomes aware of a potential violation of this Policy is required to report the violation promptly to the Data Protection Lead at privacy@recordlabelregistry.com. Reports may be made anonymously. Retaliation against individuals who report violations in good faith is prohibited.

11.4 Regulatory Penalties

Failure to comply with applicable data retention laws and regulations may expose THRY ARCHIVE LLC to regulatory penalties, fines, and legal liability. Applicable regulations include, but are not limited to, the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), Internal Revenue Code Section 6501, and other federal and state record-keeping requirements. THRY ARCHIVE LLC is committed to maintaining full compliance with all applicable data retention obligations.

12. Contact Information

For questions, concerns, or requests related to this Document Retention Policy, including requests for certificates of destruction, prior policy versions, or data subject rights inquiries, please contact:

THRY ARCHIVE LLC

Data Protection Inquiries: privacy@recordlabelregistry.com

General Inquiries: contact@thryarchive.com

Website: thryarchive.com

We will acknowledge receipt of all inquiries within five (5) business days and provide a substantive response within thirty (30) calendar days.

This Document Retention Policy is published by THRY ARCHIVE LLC for the Record Label Registry at recordlabelregistry.com. This Policy does not create any contractual rights or obligations beyond those established by applicable law and the Terms of Service. This Policy is subject to change in accordance with Section 10. Document ID: DRP-RLR-2026-001.