Data Deletion and Retention Policy

For Almal AI and the KI4ALMAL Accessible Autonomous AI Framework

Effective Date: 17 June 2026

Version: 1.0

Policy Owner: Almal AI Information Officer / Privacy Lead

Approved by: Elizabeth Kruger

Company: Almal AI

Framework: KI4ALMAL accessible autonomous AI framework

Website: https://almalai.com/

Privacy Contact Email: Devs@almalai.com

Business Address:
210 Armarand Ave, Pegasus Building 1,
Menlyn Maine Waterkloof Glen Ext 2,
Pretoria, 0181
South Africa

Review Cycle: At least annually, and sooner if law, technology, client commitments, or operating practices change

Document Overview

This Data Deletion and Retention Policy explains how Almal AI retains, reviews, deletes, destroys, de-identifies, restricts, archives, and evidences the handling of personal information and related operational records across Almal AI and the KI4ALMAL accessible autonomous AI framework.

It is designed to support POPIA, GDPR, responsible AI governance, accessibility, client accountability, auditability, and practical system operations without repeating the full Privacy Policy or Terms of Service.

Sections Covered

1. Purpose of this Policy

The purpose of this Policy is to define Almal AI’s rules and procedures for retaining and deleting personal information, client information, AI interaction records, system records, business records, and other data processed through Almal AI and the KI4ALMAL accessible autonomous AI framework.

This Policy ensures information is not kept longer than necessary and that deletion and retention comply with legal, operational, and AI governance requirements.

2. Scope

3. Relationship with Other Documents

If conflicts arise, signed agreements apply, unless stricter legal obligations exist.

4. Legal and Governance Basis

5. Definitions

6. Roles and Responsibilities

Almal AI as Responsible Party or Controller

Almal AI may act as the responsible party or controller when it decides the purpose and means of processing. This includes Almal AI’s own business administration, enquiries, marketing, demos, contracts, billing, supplier management, security, support, compliance, governance, and internal operations.

Almal AI as Operator or Processor

Almal AI may act as an operator or processor when it processes personal information on behalf of a client through KI4ALMAL or related services. In this role, Almal AI follows the client’s lawful written instructions unless the instruction is unlawful, unsafe, technically impossible, or inconsistent with an overriding legal obligation.

Clients

Clients are responsible for defining the purpose of their AI journeys, confirming lawful basis, approving data fields, providing required privacy notices, giving lawful instructions, setting client-specific retention periods, and responding to data subject requests where the client is the responsible party or controller.

Staff, Contractors, Implementation Partners and Service Providers

Must follow policy, maintain confidentiality, and report issues.

7. Core Retention Principles

8. Data Lifecycle

  1. Collection: Only necessary data collected
  2. Processing: Used for defined purposes
  3. Storage: Controlled and secured
  4. Review: Regular checks
  5. Deletion: Remove or de-identify

9. When Information May Be Retained

10. When Data Must Be Deleted

11. Retention Schedule

Default retention applies unless overridden by client agreements or law.

12. Deletion Request Handling

Request Channels

Required Information

Outcome Options

13. Grounds for Limiting Deletion

14. Deletion Methods

15. Client-Controlled Data

Clients define retention. Almal AI acts according to instruction and must not retain data beyond agreed terms unless legally required.

16. Almal AI-Controlled Data

Almal AI sets retention for its own business records.

17. AI-Specific Retention and Deletion for KI4ALMAL

KI4ALMAL is an accessible autonomous AI framework. Because AI interactions can create conversation records, workflow records, safety records, and system records, Almal AI applies careful retention and deletion controls to AI-related information.

AI-related records may be retained only where needed for the approved purpose, client service delivery, user support, safety, governance, auditability, security, dispute handling, or legal compliance.

Where possible, Almal AI aims to minimise identifiable information and use aggregated, de-identified, anonymised, masked, or limited technical records .

17.1 AI conversations and messages

Prompts, responses, WhatsApp messages, web messages, support messages, and conversation transcripts may contain personal information or client information. These records are retained only for the applicable purpose and period, and access is limited to authorised people or systems.

17.2Workflow, intent, confidence, and safety records

KI4ALMAL may create records such as intent classifications, workflow status, confidence indicators, escalation flags, safety flags, and audit events. These records help support responsible AI operations, troubleshooting, quality review, security, and client reporting. Where suitable, these records are stored in a limited or de-identified form.

17.3 Human handoff and support records

Where an AI journey is escalated to a human support process, the related notes and records are treated as support or client workflow records. These records are retained according to the relevant support, client, legal, or operational retention period.

17.4Knowledge bases, retrieval records, and vector data

KI4ALMAL may use approved knowledge bases, source documents, retrieval records, snippets, metadata, embeddings, or vector records to help the AI provide relevant responses.

Where a source document or approved knowledge record must be removed, Almal AI takes reasonable steps to remove or rebuild related retrieval records so that deleted content is not returned by the AI system.

17.5 AI service improvement

Almal AI does not use client-owned personal information to train public or general AI models unless this is expressly agreed in writing and lawful.

Service improvement should rely on de-identified, anonymised, aggregated, synthetic, or limited technical information wherever possible.

17.6 Autonomous workflow actions

Where KI4ALMAL triggers an approved workflow action, such as creating a lead, ticket, booking, CRM record, escalation, notification, or service request, that downstream record may have its own lawful retention purpose.

Deleting an AI conversation record does not automatically delete a separate business record where that record must be retained for a lawful, contractual, security, support, or audit purpose.

18. Backups, Archives, Logs, and Caches

Backups, archives, logs, and caches may contain personal information. They may not always allow immediate individual deletion without affecting system integrity, security, or business continuity

Almal AI manages these records through controlled access, limited use, retention periods, and expiry or deletion processes.

19. Special Personal Information, Children’s Information, and Accessibility Data

Certain types of information require additional care.

This includes special personal information, children’s information, health information, disability or accessibility information, financial vulnerability information, legal matter information, and other sensitive information.

Almal AI aims to process this information only where necessary, lawful, and appropriate for the approved purpose.

20. Direct Marketing, Opt-Outs, and Suppression Records

Where a person opts out of marketing or objects to direct marketing, Almal AI will stop sending marketing through the relevant channel where required by law.

Almal AI may retain a minimal suppression record so that the person is not contacted again unlawfully. A suppression record may include limited information such as an email address, phone number, opt-out date, channel, and source. It should not include unnecessary conversation content, sensitive information, or marketing notes.

21. Legal Holds, Complaints, Disputes, and Investigations

Sometimes Almal AI may need to keep information for longer than the normal retention period. This may happen where records are needed for a complaint, dispute, suspected fraud, security incident, investigation, regulator matter, audit, legal claim, insurance matter, contractual issue, or legal obligation.

Where a lawful hold applies, deletion may be delayed or restricted until the reason for the hold no longer applies. Once the hold is lifted, the normal retention and deletion rules continue.

22. Third-Party Providers, Platforms, and Subprocessors

Almal AI may use third-party providers, platforms, and subprocessors to host, secure, monitor, integrate, process, or support Almal AI and KI4ALMAL services.

These providers may include hosting providers, messaging platforms, AI model providers, CRM systems, monitoring tools, support systems, email services, storage providers, and professional advisers.

Where third-party providers process personal information for Almal AI, Almal AI takes reasonable steps to ensure that appropriate confidentiality, security, retention, return, and deletion obligations are in place.

Some third-party platforms may also process information under their own terms, laws, retention rules, and privacy policies. Where a deletion request affects a third-party system controlled by Almal AI, Almal AI will take reasonable steps to action or instruct deletion where lawful and feasible. Client-owned third-party systems remain the responsibility of the relevant client unless otherwise agreed in writing.

23. End of Client Service and Offboarding

When a client relationship ends, Almal AI follows an orderly data exit and offboarding process. This may include export, transfer, deletion, de-identification, archiving, access removal, or retention of limited lawful records.

The exact offboarding process depends on the client agreement, lawful instructions, technical configuration, third-party systems, and applicable legal obligations.

Almal AI may retain limited records after offboarding where needed for invoices, contract proof, tax, security, audit, complaints, disputes, legal compliance, or other lawful business reasons.

24. Testing, Development, and Demonstrations

Almal AI aims to avoid using live personal information in testing, development, staging, demos, training, or sandbox environments unless it is necessary, approved, and protected. Where possible, Almal AI uses synthetic, dummy, masked, or de-identified information for testing and demonstrations.

Temporary test data should be deleted when it is no longer needed.

Personal information should not be included unnecessarily in screenshots, logs, presentations, demos, shared files, or issue reports.

25. Security Controls Supporting Retention and Deletion

Retention and deletion are supported by appropriate security controls.

Almal AI applies reasonable technical and organisational safeguards to reduce the risk of unauthorised access, unnecessary copying, uncontrolled retention, loss, or misuse of personal information.

These safeguards may include access control, authentication, role-based permissions, environment separation, encryption or equivalent protection where appropriate, secure file sharing, controlled exports, administrative logs, monitoring, incident response processes, and secure disposal of records or devices.

26. Retention Reviews

Almal AI periodically reviews retained information to identify records that should be deleted, destroyed, de-identified, restricted, or archived. Retention reviews may focus on older records, inactive accounts, old test data, exported files, shared folders, support records, AI interaction records, high-risk data, special personal information, children’s information, accessibility data, backups, logs, indexes, and client-specific records.

Where Almal AI identifies information that is no longer needed and no lawful reason for continued retention applies, Almal AI will take appropriate steps to delete, destroy, de-identify, restrict, or archive the information.

.

27. People Who Handle Personal Information

People who work with Almal AI or support KI4ALMAL may only access personal information where they are authorised and have a legitimate need to do so. Almal AI expects its staff, contractors, implementation partners, and service providers to protect confidentiality, follow access controls, avoid unnecessary copying, use information only for approved purposes, and report security or privacy concerns promptly.

28. Complaints and Regulator Matters

A person who believes Almal AI has not handled deletion, restriction, correction, or retention properly may contact Almal AI using the contact details in this Policy.

Almal AI will review the request, identify the relevant records, determine whether Almal AI or a client is responsible for the request, and respond according to applicable law and client agreements.

Where a request relates to a client-controlled KI4ALMAL workflow, Almal AI may refer the request to the relevant client or work with that client to support an appropriate response.

A person may also contact the South African Information Regulator or another applicable supervisory authority where the law allows.

29. Limits and Lawful Exceptions

Deletion and retention requests are subject to applicable law. Almal AI may not be able to delete information immediately or completely where information must be kept for legal, contractual, security, tax, audit, complaint, dispute, investigation, client, platform, or technical reasons. Where Almal AI cannot fully delete information, it may restrict access, de-identify information, retain only limited evidence, or explain the lawful reason why retention is required, where appropriate.

30. Updates to this Policy

Almal AI may update this Data Deletion and Retention Policy from time to time to reflect changes in law, regulations, AI governance expectations, client commitments, technical architecture, subprocessors, security risks, or Almal AI’s operating model. The latest version will apply from the date it is published, unless otherwise stated.

31. Contact Details

Company: Almal AI

Privacy Lead: Elizabeth Kruger

Email: Devs@almalai.com

Phone: +27 606 919 802

Address:
210 Armarand Ave
Pegasus Building 1
Menlyn Maine Waterkloof Glen Ext 2
Pretoria, 0181
South Africa

Website: https://almalai.com/