Data Deletion and Retention Policy
For Almal AI and the KI4ALMAL Accessible Autonomous AI Framework
Effective Date: 17 June 2026
Version: 1.0
Policy Owner: Almal AI Information Officer / Privacy Lead
Approved by: Elizabeth Kruger
Company: Almal AI
Framework: KI4ALMAL accessible autonomous AI framework
Website: https://almalai.com/
Privacy Contact Email: Devs@almalai.com
Business Address:
210 Armarand Ave, Pegasus Building 1,
Menlyn Maine Waterkloof Glen Ext 2,
Pretoria, 0181
South Africa
Review Cycle: At least annually, and sooner if law, technology, client commitments, or operating practices change
Document Overview
This Data Deletion and Retention Policy explains how Almal AI retains, reviews, deletes, destroys, de-identifies, restricts, archives, and evidences the handling of personal information and related operational records across Almal AI and the KI4ALMAL accessible autonomous AI framework.
It is designed to support POPIA, GDPR, responsible AI governance, accessibility, client accountability, auditability, and practical system operations without repeating the full Privacy Policy or Terms of Service.
Sections Covered
- Purpose and scope
- Legal and governance basis
- Roles: Almal AI, clients, users, operators, and processors
- Retention principles
- Data lifecycle for KI4ALMAL
- Retention schedule
- Deletion request handling
- Client-controlled data
- AI-specific records
- Backups, logs, indexes, and derived data
- Special personal information, children, and accessibility data
- Legal holds and disputes
- Third-party providers
- Internal controls and audit evidence
- Appendices and operational checklists
1. Purpose of this Policy
The purpose of this Policy is to define Almal AI’s rules and procedures for retaining and deleting personal information, client information, AI interaction records, system records, business records, and other data processed through Almal AI and the KI4ALMAL accessible autonomous AI framework.
This Policy ensures information is not kept longer than necessary and that deletion and retention comply with legal, operational, and AI governance requirements.
2. Scope
- All personal information, client data, AI records, logs, and integrations
- Almal AI staff, contractors, providers, and partners
- KI4ALMAL AI framework, WhatsApp journeys, workflows, dashboards
- Data from enquiries, sales, support, and operations
- Client-controlled and Almal AI-controlled data
- Production, testing, backups, and third-party systems
- Electronic and physical records
3. Relationship with Other Documents
- Privacy Policy
- Terms of Service
- Client agreements
- Security and governance policies
If conflicts arise, signed agreements apply, unless stricter legal obligations exist.
4. Legal and Governance Basis
- POPIA (South Africa)
- POPIA Regulations
- GDPR (where applicable)
- Contractual, tax, employment, and compliance laws
- Responsible AI governance principles
5. Definitions
- Almal AI: The company providing business, AI, technology, governance, consulting, implementation, and platform-related services.
- KI4ALMAL: Almal AI’s governed, accessible autonomous AI framework used for AI agents, workflows, WhatsApp journeys, dashboards, integrations, reporting, and human handover where relevant.
- Personal information / personal data: Information relating to an identified or identifiable person, and where POPIA applies, also information relating to an identifiable juristic person where relevant.
- Data subject: The person or entity to whom personal information relates.
- Responsible party / controller: The party that determines why and how personal information is processed.
- Operator / processor: A party that processes personal information on behalf of a responsible party or controller and according to lawful instructions.
- Client-controlled data: Personal information or business data processed by Almal AI on behalf of a client where the client determines the purpose and means of processing.
- Almal AI-controlled data: Information processed by Almal AI for its own business, legal, operational, security, compliance, sales, support, or administration purposes.
- Deletion: The removal of information from active systems so that it is no longer available for normal use.
- Destruction: The secure disposal of records in a way that prevents reconstruction in an intelligible form.
- De-identification: The removal or transformation of identifiers so that the information can no longer reasonably identify a data subject, subject to safeguards.
- Anonymisation: A stronger form of de-identification where re-identification is not reasonably possible.
- Restriction: The marking, blocking, isolation, or limitation of processing of personal information without deleting it, where the law or operational need requires temporary restriction.
- Retention period: The period for which a record may be kept before it must be reviewed, deleted, destroyed, de-identified, anonymised, archived, or lawfully retained.
- Legal hold: A temporary instruction to suspend deletion because records may be needed for legal, regulatory, audit, dispute, security, investigation, or compliance reasons.
- Backup: A copy of data retained for continuity, disaster recovery, and system restoration purposes.
- AI interaction record: A prompt, response, conversation transcript, intent classification, retrieval trace, workflow state, confidence indicator, safety flag, escalation record, or related AI processing record.
- Operational log: A technical event record used for security, monitoring, debugging, audit, system performance, or integration reliability.
6. Roles and Responsibilities
Almal AI as Responsible Party or Controller
Almal AI may act as the responsible party or controller when it decides the purpose and means of processing. This includes Almal AI’s own business administration, enquiries, marketing, demos, contracts, billing, supplier management, security, support, compliance, governance, and internal operations.
Almal AI as Operator or Processor
Almal AI may act as an operator or processor when it processes personal information on behalf of a client through KI4ALMAL or related services. In this role, Almal AI follows the client’s lawful written instructions unless the instruction is unlawful, unsafe, technically impossible, or inconsistent with an overriding legal obligation.
Clients
Clients are responsible for defining the purpose of their AI journeys, confirming lawful basis, approving data fields, providing required privacy notices, giving lawful instructions, setting client-specific retention periods, and responding to data subject requests where the client is the responsible party or controller.
Staff, Contractors, Implementation Partners and Service Providers
Must follow policy, maintain confidentiality, and report issues.
7. Core Retention Principles
- Purpose limitation
- Data minimisation
- Storage limitation
- Secure deletion
- Controlled de-identification
- Client instruction compliance
- Accessibility
- AI accountability
- Security and auditability
- Legal holds override deletion
8. Data Lifecycle
- Collection: Only necessary data collected
- Processing: Used for defined purposes
- Storage: Controlled and secured
- Review: Regular checks
- Deletion: Remove or de-identify
9. When Information May Be Retained
- Legal or contractual requirements
- Business necessity
- Security or audit needs
- Consent exists
- De-identified analytics
10. When Data Must Be Deleted
- Purpose fulfilled
- No legal basis remains
- Incorrect or unlawful data
- Consent withdrawn
- Client instruction
11. Retention Schedule
Default retention applies unless overridden by client agreements or law.
12. Deletion Request Handling
Request Channels
- Website
- Support channels
Required Information
- Identity details
- Relevant contact channel
- Data to be deleted
Outcome Options
- Delete
- De-identify
- Restrict
- Reject (lawful grounds)
13. Grounds for Limiting Deletion
- Legal requirements
- Audit, tax, or dispute
- Security or fraud prevention
14. Deletion Methods
- Database deletion
- File removal
- Backup expiration
- Secure destruction of paper
15. Client-Controlled Data
Clients define retention. Almal AI acts according to instruction and must not retain data beyond agreed terms unless legally required.
16. Almal AI-Controlled Data
Almal AI sets retention for its own business records.
17. AI-Specific Retention and Deletion for KI4ALMAL
KI4ALMAL is an accessible autonomous AI framework. Because AI interactions can create conversation records, workflow records, safety records, and system records, Almal AI applies careful retention and deletion controls to AI-related information.
AI-related records may be retained only where needed for the approved purpose, client service delivery, user support, safety, governance, auditability, security, dispute handling, or legal compliance.
Where possible, Almal AI aims to minimise identifiable information and use aggregated, de-identified, anonymised, masked, or limited technical records .
17.1 AI conversations and messages
Prompts, responses, WhatsApp messages, web messages, support messages, and conversation transcripts may contain personal information or client information. These records are retained only for the applicable purpose and period, and access is limited to authorised people or systems.
17.2Workflow, intent, confidence, and safety records
KI4ALMAL may create records such as intent classifications, workflow status, confidence indicators, escalation flags, safety flags, and audit events. These records help support responsible AI operations, troubleshooting, quality review, security, and client reporting. Where suitable, these records are stored in a limited or de-identified form.
17.3 Human handoff and support records
Where an AI journey is escalated to a human support process, the related notes and records are treated as support or client workflow records. These records are retained according to the relevant support, client, legal, or operational retention period.
17.4Knowledge bases, retrieval records, and vector data
KI4ALMAL may use approved knowledge bases, source documents, retrieval records, snippets, metadata, embeddings, or vector records to help the AI provide relevant responses.
Where a source document or approved knowledge record must be removed, Almal AI takes reasonable steps to remove or rebuild related retrieval records so that deleted content is not returned by the AI system.
17.5 AI service improvement
Almal AI does not use client-owned personal information to train public or general AI models unless this is expressly agreed in writing and lawful.
Service improvement should rely on de-identified, anonymised, aggregated, synthetic, or limited technical information wherever possible.
17.6 Autonomous workflow actions
Where KI4ALMAL triggers an approved workflow action, such as creating a lead, ticket, booking, CRM record, escalation, notification, or service request, that downstream record may have its own lawful retention purpose.
Deleting an AI conversation record does not automatically delete a separate business record where that record must be retained for a lawful, contractual, security, support, or audit purpose.
18. Backups, Archives, Logs, and Caches
Backups, archives, logs, and caches may contain personal information. They may not always allow immediate individual deletion without affecting system integrity, security, or business continuity
Almal AI manages these records through controlled access, limited use, retention periods, and expiry or deletion processes.
- Backups are used for business continuity, recovery, and security purposes.
- Backups are not used for active marketing, normal user access, or everyday reporting.
- Backup data normally expires through a defined rotation period, unless a legal, security, contractual, or operational reason requires longer retention.
- If deleted information is restored from backup, Almal AI will take reasonable steps to re-apply the deletion or restriction instruction where applicable.
- Logs are limited where possible and should not contain full message content unless needed for troubleshooting, audit, security, or legal reasons.
- Caches, search indexes, and retrieval indexes are cleared, expired, or rebuilt where reasonably required so deleted information is not easily retrievable.
- Archives are access-restricted and reviewed according to applicable retention rules.
19. Special Personal Information, Children’s Information, and Accessibility Data
Certain types of information require additional care.
This includes special personal information, children’s information, health information, disability or accessibility information, financial vulnerability information, legal matter information, and other sensitive information.
Almal AI aims to process this information only where necessary, lawful, and appropriate for the approved purpose.
- We collect only the information needed for the relevant service, support request, client workflow, or legal purpose.
- We apply stricter access controls where sensitive or high-risk information is involved.
- We prefer shorter retention periods unless a legal, contractual, client, support, or safety reason requires longer retention.
- We use de-identification, masking, aggregation, restriction, or deletion where appropriate.
- We do not use children’s information for unnecessary profiling, marketing, or unsupported automated decisions.
- Accessibility support information is kept only for as long as it is needed to provide support, improve access, or meet an approved lawful purpose.
20. Direct Marketing, Opt-Outs, and Suppression Records
Where a person opts out of marketing or objects to direct marketing, Almal AI will stop sending marketing through the relevant channel where required by law.
Almal AI may retain a minimal suppression record so that the person is not contacted again unlawfully. A suppression record may include limited information such as an email address, phone number, opt-out date, channel, and source. It should not include unnecessary conversation content, sensitive information, or marketing notes.
21. Legal Holds, Complaints, Disputes, and Investigations
Sometimes Almal AI may need to keep information for longer than the normal retention period. This may happen where records are needed for a complaint, dispute, suspected fraud, security incident, investigation, regulator matter, audit, legal claim, insurance matter, contractual issue, or legal obligation.
Where a lawful hold applies, deletion may be delayed or restricted until the reason for the hold no longer applies. Once the hold is lifted, the normal retention and deletion rules continue.
22. Third-Party Providers, Platforms, and Subprocessors
Almal AI may use third-party providers, platforms, and subprocessors to host, secure, monitor, integrate, process, or support Almal AI and KI4ALMAL services.
These providers may include hosting providers, messaging platforms, AI model providers, CRM systems, monitoring tools, support systems, email services, storage providers, and professional advisers.
Where third-party providers process personal information for Almal AI, Almal AI takes reasonable steps to ensure that appropriate confidentiality, security, retention, return, and deletion obligations are in place.
Some third-party platforms may also process information under their own terms, laws, retention rules, and privacy policies. Where a deletion request affects a third-party system controlled by Almal AI, Almal AI will take reasonable steps to action or instruct deletion where lawful and feasible. Client-owned third-party systems remain the responsibility of the relevant client unless otherwise agreed in writing.
23. End of Client Service and Offboarding
When a client relationship ends, Almal AI follows an orderly data exit and offboarding process. This may include export, transfer, deletion, de-identification, archiving, access removal, or retention of limited lawful records.
The exact offboarding process depends on the client agreement, lawful instructions, technical configuration, third-party systems, and applicable legal obligations.
Almal AI may retain limited records after offboarding where needed for invoices, contract proof, tax, security, audit, complaints, disputes, legal compliance, or other lawful business reasons.
24. Testing, Development, and Demonstrations
Almal AI aims to avoid using live personal information in testing, development, staging, demos, training, or sandbox environments unless it is necessary, approved, and protected. Where possible, Almal AI uses synthetic, dummy, masked, or de-identified information for testing and demonstrations.
Temporary test data should be deleted when it is no longer needed.
Personal information should not be included unnecessarily in screenshots, logs, presentations, demos, shared files, or issue reports.
25. Security Controls Supporting Retention and Deletion
Retention and deletion are supported by appropriate security controls.
Almal AI applies reasonable technical and organisational safeguards to reduce the risk of unauthorised access, unnecessary copying, uncontrolled retention, loss, or misuse of personal information.
These safeguards may include access control, authentication, role-based permissions, environment separation, encryption or equivalent protection where appropriate, secure file sharing, controlled exports, administrative logs, monitoring, incident response processes, and secure disposal of records or devices.
26. Retention Reviews
Almal AI periodically reviews retained information to identify records that should be deleted, destroyed, de-identified, restricted, or archived. Retention reviews may focus on older records, inactive accounts, old test data, exported files, shared folders, support records, AI interaction records, high-risk data, special personal information, children’s information, accessibility data, backups, logs, indexes, and client-specific records.
Where Almal AI identifies information that is no longer needed and no lawful reason for continued retention applies, Almal AI will take appropriate steps to delete, destroy, de-identify, restrict, or archive the information.
.27. People Who Handle Personal Information
People who work with Almal AI or support KI4ALMAL may only access personal information where they are authorised and have a legitimate need to do so. Almal AI expects its staff, contractors, implementation partners, and service providers to protect confidentiality, follow access controls, avoid unnecessary copying, use information only for approved purposes, and report security or privacy concerns promptly.
28. Complaints and Regulator Matters
A person who believes Almal AI has not handled deletion, restriction, correction, or retention properly may contact Almal AI using the contact details in this Policy.
Almal AI will review the request, identify the relevant records, determine whether Almal AI or a client is responsible for the request, and respond according to applicable law and client agreements.
Where a request relates to a client-controlled KI4ALMAL workflow, Almal AI may refer the request to the relevant client or work with that client to support an appropriate response.
A person may also contact the South African Information Regulator or another applicable supervisory authority where the law allows.
29. Limits and Lawful Exceptions
Deletion and retention requests are subject to applicable law. Almal AI may not be able to delete information immediately or completely where information must be kept for legal, contractual, security, tax, audit, complaint, dispute, investigation, client, platform, or technical reasons. Where Almal AI cannot fully delete information, it may restrict access, de-identify information, retain only limited evidence, or explain the lawful reason why retention is required, where appropriate.
30. Updates to this Policy
Almal AI may update this Data Deletion and Retention Policy from time to time to reflect changes in law, regulations, AI governance expectations, client commitments, technical architecture, subprocessors, security risks, or Almal AI’s operating model. The latest version will apply from the date it is published, unless otherwise stated.
31. Contact Details
Company: Almal AI
Privacy Lead: Elizabeth Kruger
Email: Devs@almalai.com
Phone: +27 606 919 802
Address:
210 Armarand Ave
Pegasus Building 1
Menlyn Maine Waterkloof Glen Ext 2
Pretoria, 0181
South Africa
Website: https://almalai.com/