Purpose and Scope
This policy outlines SBL Express’s data retention practices to ensure data minimization and compliance with data privacy standards. It applies to all API consumers and users of SBL Express.
Summary
Our data retention policy aims to promote data minimization and privacy compliance. All completed data flows are retained for no more than 30 days post-completion. By minimizing data storage, we help ensure that only relevant and necessary data is retained in the system.
While SBL Express maintains this strict retention schedule, you are responsible for keeping your own audit trails in accordance with your organization's policies and compliance needs. This policy helps us keep our service efficient and focused on protecting user data.
Data types and retention periods
| Data Type | Description | Retention Period |
|---|---|---|
| Consent Requests | Consent requests, including rejections | 30 days post-rejection or timeout |
| Tax Data | Personal tax data (as per Skatteetaten docs) | At most 30 days post-completion |
| Income Data | Personal income data (as per Skatteetaten docs) | At most 30 days post-completion |
| National ID | Used to create the consent request | 30 days post-rejection or timeout |
| Last name | Used to create the consent request | 30 days post-rejection or timeout |
Automatic deletion of flows
Data flows—defined as any process initiated by an API consumer—are temporarily stored in our database as they progress. During the flow's lifecycle, data is collected and retained until it is delivered to the consumer via webhooks.
Once a flow has reached completion (either through successful data transmission or due to a timeout of 10 days from the Consent Request initiation date), it will be marked as complete. Consent Requests that have been explicitly rejected are also classified as completed.
Each night at midnight, our batch processing job automatically deletes all completed flows and associated data. This includes:
- Flows marked as complete after successful data transmission
- Flows that have timed out
- Consent Requests that have been rejected (these are marked as completed and are therefore covered by the first criterion)
Security of data in transit and storage
To protect data during its brief retention period, all data is encrypted in transit and securely stored until flow completion. Our practices comply with industry standards for data security.
Manual deletion of flows
If a specific flow needs to be deleted before the next scheduled deletion, you can initiate a manual deletion by calling the Delete Flow endpoint. When a flow is marked for deletion, it will be purged during the next midnight batch job.
User responsibility for data backup and audit trails
SBL Express deletes all data upon completion of each flow as outlined above. Consumers are responsible for any necessary data backups or audit trails in accordance with their compliance needs and organizational policies.