HARD CALL LLC DATA RETENTION AND DELETION POLICY

1. INTRODUCTION

1.1 This Data Retention and Deletion Policy ("Policy") describes how HARD CALL LLC, organized and operating from the Commonwealth of Massachusetts ("Hard Call," "we," "us," or "our"), retains, archives, de-identifies, and deletes information, including Personal Data and message content, in connection with our communication-processing platform, websites, applications, and related services (collectively, the "Services").

1.2 This Policy is designed to withstand scrutiny from regulators, courts, privacy and security professionals, and external counsel, and is intended to align with Applicable Law, including but not limited to the General Data Protection Regulation ("GDPR"), UK GDPR, the California Consumer Privacy Act as amended by the CPRA ("CCPA/CPRA"), state data breach notification laws, the Children’s Online Privacy Protection Act ("COPPA"), the Electronic Communications Privacy Act ("ECPA"), the Computer Fraud and Abuse Act ("CFAA"), the EU Digital Services Act ("DSA"), Section 230 of the Communications Decency Act, FOSTA-SESTA, and Section 5 of the FTC Act, among others.

1.3 This Policy operates in conjunction with, and is incorporated by reference into, the Hard Call LLC Terms of Service ("Terms") and Privacy Policy. In case of conflict regarding retention or deletion, this Policy will control to the extent it provides more specific or stringent requirements, unless Applicable Law dictates otherwise.

1.4 By using the Services or providing Personal Data to Hard Call, you acknowledge that your information will be retained and deleted as described in this Policy, subject to your rights under Applicable Law and any more protective commitments made in the Privacy Policy or Terms.

2. DEFINITIONS

2.1 "Applicable Law" means all applicable federal, state, local, and international laws, regulations, and rules governing privacy, data protection, electronic communications, platform liability, and records management, including without limitation GDPR, UK GDPR, CCPA/CPRA, COPPA, DSA, ECPA, CFAA, PCI DSS requirements, state data breach notification laws, and Section 5 of the FTC Act.

2.2 "Personal Data" means any information relating to an identified or identifiable natural person, as defined under GDPR, UK GDPR, CCPA/CPRA, and other Applicable Laws.

2.3 "Sensitive Personal Data" means special categories of Personal Data or sensitive personal information as defined by Applicable Law, including but not limited to data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, data concerning a natural person’s sex life or sexual orientation, or precise geolocation data, where such categories are defined in the relevant jurisdiction.

2.4 "User" or "you" means any individual or entity that accesses or uses the Services, including Clients, Recipients, Editors, and website visitors.

2.5 "Client" means the individual or entity that initiates a communication or message for review, refinement, and optional delivery through the Services.

2.6 "Recipient" means the individual or entity identified by the Client as the intended recipient of a message that may be sent via the Services.

2.7 "User Content" means any content, data, text, communications, messages, information, or materials submitted, transmitted, uploaded, or otherwise made available through the Services by a User, including the substance of messages, replies, context descriptions, and attachments.

2.8 "Retention" means the storage of data in active or archived form for a defined period consistent with this Policy and Applicable Law.

2.9 "Deletion" means rendering data permanently unreadable and irretrievable in production systems, such as through secure erasure, cryptographic destruction of keys, or equivalent technical means, subject to technical and legal limitations.

2.10 "De-identification" or "Anonymization" means processing data such that it can no longer reasonably be used to identify an individual, taking into account all means reasonably likely to be used, as understood under GDPR Recital 26 and analogous guidance.

2.11 "Legal Hold" means an internal preservation order requiring the retention of data beyond standard retention periods because the data may be relevant to existing or reasonably anticipated litigation, regulatory investigations, law enforcement requests, or other legal obligations.

3. SCOPE AND RELATIONSHIP TO OTHER DOCUMENTS

3.1 This Policy applies to all data, including Personal Data and User Content, that Hard Call processes through the Services, as well as supporting systems such as logs, backups, analytics, and customer support tools, to the extent such systems are under Hard Call’s control.

3.2 Where Hard Call acts as an independent Controller, this Policy defines how Hard Call determines and implements retention and deletion periods. Where Hard Call acts as a Processor on behalf of a business customer under a data processing agreement, Hard Call will follow the retention and deletion instructions set forth in that agreement, to the extent permitted by Applicable Law, in addition to the general principles of this Policy.

3.3 This Policy complements the Privacy Policy and Terms, which provide additional information about categories of data collected, purposes of use, and your rights. Nothing in this Policy is intended to diminish rights granted to Users under the Privacy Policy or Applicable Law.

3.4 Retention and deletion practices described in this Policy are also designed to support Hard Call’s obligations under the DSA, CCPA/CPRA, and similar frameworks to maintain appropriate records of enforcement actions, notices, and safety interventions.

4. GOVERNING PRINCIPLES AND LEGAL FRAMEWORK

4.1 Hard Call adopts a data minimization and storage limitation approach consistent with GDPR Article 5, CCPA/CPRA requirements, and other Applicable Laws. Personal Data shall be: (a) adequate, relevant, and limited to what is necessary; and (b) kept in identifiable form no longer than necessary for the purposes for which it is processed, unless a longer retention period is required or permitted by law.

4.2 Retention periods are set by reference to: (a) the nature and sensitivity of the data; (b) legal and regulatory requirements; (c) operational needs, including safety, abuse prevention, and quality assurance; (d) contractual commitments; and (e) applicable limitation periods for legal claims.

4.3 Hard Call’s retention practices are designed to support compliance with Section 230 of the Communications Decency Act, FOSTA-SESTA, DSA, and other platform-liability frameworks by preserving sufficient records to document moderation and safety actions, while not retaining unnecessary identifying information longer than needed.

4.4 Hard Call will document its key retention schedules and periodically review them to ensure ongoing compliance with Applicable Law, evolving regulatory expectations, industry standards (including PCI DSS where relevant), and Hard Call’s risk-based safety model.

5. CATEGORIES OF DATA AND RETENTION SCHEDULES (HIGH-LEVEL)

5.1 Hard Call categorizes data for retention purposes as follows: (a) Account and Identity Data; (b) Message and Communication Data; (c) Safety, Moderation, and Enforcement Records; (d) Technical Logs and Telemetry Data; (e) Payment and Billing Data; (f) Support and Correspondence Data; and (g) Aggregated or De-identified Data.

5.2 Specific retention periods are expressed in ranges to allow operational flexibility, typically not exceeding: (a) Account and Identity Data: for the life of the account plus a period of up to seven (7) years after closure, subject to legal holds and limitation periods; (b) Message and Communication Data: for periods generally not exceeding five (5) years from the date of the last interaction, subject to safety, abuse, and legal requirements; (c) Safety and Enforcement Records: for periods generally not exceeding seven (7) years from the date of the record; (d) Technical Logs: for periods generally not exceeding two (2) years, except security-critical logs which may be retained up to five (5) years; and (e) Payment and Billing Data: for periods generally not exceeding seven (7) years to meet tax and accounting obligations.

5.3 Where shorter retention periods are feasible without undermining safety, legal, or operational needs, Hard Call will favor shorter retention. Where longer retention is necessary due to legal obligations, investigations, or legal holds, retention may be extended as described in Section 12.

5.4 Detailed internal retention schedules and matrices may provide more granular retention timelines for specific systems and data types. These internal documents are maintained as part of Hard Call’s records management program and are available to regulators or auditors under appropriate confidentiality protections.

6. GENERAL RETENTION RULES AND ACCOUNT LIFECYCLE

6.1 Active Accounts. For active User accounts, Hard Call retains Personal Data as long as reasonably necessary to provide and secure the Services, fulfill contractual obligations under the Terms, and meet ongoing legal and safety requirements.

6.2 Dormant Accounts. If an account has been inactive for a prolonged period (for example, two (2) years of no login or usage), Hard Call may classify the account as dormant and may: (a) notify the User, where feasible, prior to account closure; and (b) delete or anonymize associated Personal Data in accordance with this Policy, subject to legal holds and statutory obligations.

6.3 Account Closure at User Request. When a User requests account closure, Hard Call will: (a) deactivate the account; (b) delete or anonymize Personal Data that is no longer necessary, as described in this Policy; and (c) retain limited data where required for legal, tax, safety, or enforcement purposes, consistent with Sections 10 and 12.

6.4 System Backups. Data may continue to exist for a limited time in system backups after deletion from active systems. Backups are subject to scheduled rotation and overwriting cycles, and Hard Call will not restore deleted personal data from backups except where required for security, disaster recovery, legal, or regulatory purposes.

7. MESSAGE, COMMUNICATION, AND MODERATION DATA

7.1 Core Message Content. Hard Call retains message and reply content (including contextual descriptions) for periods necessary to: (a) operate the Services; (b) allow Clients and Recipients to view the history of a specific communication cycle; (c) enable Editors to maintain context across up to five (5) messages or other defined workflows; and (d) support safety review, audits, and quality assurance. These periods generally do not exceed five (5) years from the last relevant interaction, absent legal holds or ongoing investigations.

7.2 Safety and Escalation Records. For content associated with safety escalations, Red Flag processes, or potential violations of FOSTA-SESTA, DSA, or other laws, Hard Call may retain relevant records, including message content and system annotations, for longer periods (for example, up to seven (7) years or longer where legally required) to cooperate with law enforcement, demonstrate compliance, and manage risk.

7.3 De-identified Training and Quality Data. Hard Call may retain de-identified or anonymized versions of message content and metadata for use in quality assurance, training of Editors, and improvement of Hard Call Automation. Such data is retained as long as the de-identified dataset remains useful and reasonably robust safeguards prevent re-identification, consistent with GDPR, CCPA/CPRA, and FTC guidance on de-identification.

7.4 User-Initiated Deletion of Message Threads. Where Applicable Law grants Users the right to request deletion or erasure of certain message content, Hard Call will, subject to legal and safety exceptions, delete or anonymize the identified content from active systems and, where feasible, from archives, while retaining limited records necessary to demonstrate that the request was fulfilled and to maintain safety and enforcement history.

8. TECHNICAL LOGS, TELEMETRY, AND SECURITY DATA

8.1 Usage Logs. Server and application logs (including IP addresses, timestamps, and endpoint usage) are generally retained for up to two (2) years to support security investigations, service reliability, capacity planning, and abuse detection, unless a longer retention is necessary for an ongoing investigation or legal hold.

8.2 Security and Fraud Data. Security-related logs, access records, and fraud detection signals may be retained for longer periods (for example, up to five (5) years) to investigate, mitigate, and document security incidents, consistent with ECPA, CFAA, and applicable cybersecurity guidance.

8.3 Analytics Data. Aggregated or pseudonymous analytics data, including cookie-based usage information, may be retained for periods determined by Hard Call’s analytics configuration, typically not exceeding five (5) years where identifiers remain linkable to individuals and longer where data has been effectively anonymized.

8.4 System Configuration and Audit Trails. Configuration records, change logs, and audit trails used to demonstrate compliance with PCI DSS, data protection laws, and internal security controls may be retained for periods up to seven (7) years or as otherwise required by relevant standards and regulators.

9. PAYMENT, BILLING, AND PCI DSS DATA

9.1 Payment Card Data. Hard Call LLC endeavors to avoid storing full payment card numbers or sensitive authentication data and instead relies on PCI DSS-compliant payment processors. To the extent Hard Call temporarily handles card data (for example, in tokenization workflows), such data is processed only as necessary and is not retained longer than needed to complete the transaction and meet PCI DSS obligations.

9.2 Billing and Transaction Records. Non-sensitive billing information, transaction IDs, invoices, and related records are retained for periods generally not exceeding seven (7) years from the transaction date to comply with tax, accounting, and anti-fraud obligations.

9.3 Chargeback and Dispute Records. Records related to payment disputes, chargebacks, or investigations may be retained for the duration of the dispute and for a subsequent period (for example, up to seven (7) years) sufficient to comply with card network rules, financial regulations, and legal requirements.

10. DATA RELATING TO CHILDREN AND MINORS

10.1 The Services are intended for Users aged 18 and older. Hard Call LLC does not knowingly permit the targeting of messages to individuals known or reasonably believed to be under 18, nor does it intentionally solicit Personal Data from children under 13 in violation of COPPA.

10.2 If Hard Call LLC becomes aware that Personal Data relating to a child under 13 has been collected in a manner inconsistent with COPPA, or that minors under 18 have been targeted in violation of our Terms, Hard Call will take reasonable steps to delete such data from active systems without undue delay, subject to retention required for legal or safety investigations.

10.3 Records demonstrating the detection and remediation of such improper use may be retained as part of safety and compliance documentation, consistent with Section 7 and Applicable Law.

11. HARD CALL AUTOMATION, MODEL, AND TRAINING DATA

11.1 Hard Call LLC Automation may generate internal metadata, risk scores, tags, or other derived data to support Editors and safety workflows. Such derived data is retained as long as necessary to fulfill its operational purpose, typically aligned with the retention of the underlying records to which it relates.

11.2 Where Hard Call LLC uses de-identified or anonymized data sets to improve automated systems, those data sets may be retained as long as reasonably necessary to achieve their purpose, provided that Hard Call maintains appropriate safeguards to prevent re-identification and periodically reviews the robustness of those safeguards in line with GDPR, CCPA/CPRA, and FTC guidance.

11.3 If any automated processing is subject to additional obligations under GDPR, UK GDPR, or similar laws (including rights related to automated decision-making and profiling), Hard Call LLC will ensure that retention of associated records is sufficient to allow Users to exercise their rights and for Hard Call to demonstrate compliance.

12. LEGAL HOLDS, LITIGATION, AND REGULATORY RETENTION

12.1 Notwithstanding standard retention periods, Hard Call LLC will implement Legal Holds when it knows or reasonably anticipates that certain data may be relevant to litigation, government or regulatory investigations, law enforcement inquiries, or other legal proceedings.

12.2 Data subject to a Legal Hold shall not be deleted, even if the standard retention period has expired, until the Legal Hold is formally released by Hard Call’s legal function. Legal Holds are implemented in a targeted and proportionate manner, consistent with data minimization principles.

12.3 Hard Call LLC will maintain documentation of Legal Holds, including their scope, duration, and release, and will ensure that personnel and service providers with access to affected data are notified of and comply with applicable preservation instructions.

12.4 Legal Holds may require retention of data relevant to claims under FOSTA-SESTA, Section 230, DSA, data protection laws, or other frameworks, and are a critical component of Hard Call’s ability to defend itself and demonstrate regulatory compliance.

13. USER DELETION REQUESTS AND ERASURE RIGHTS

13.1 Where Applicable Law provides Users with the right to request deletion or erasure of Personal Data (for example, GDPR Article 17 or CCPA/CPRA deletion rights), Hard Call LLC will honor such requests subject to the exceptions and limitations described in this Policy, the Privacy Policy, and Applicable Law.

13.2 Upon receiving a verified deletion request, Hard Call LLC will: (a) delete or anonymize the Personal Data from active systems to the extent required; and (b) inform service providers or Processors to which the data was disclosed, where feasible and required by law, so that they may also delete the data, subject to their own legal obligations.

13.3 Hard Call LLC may decline, delay, or limit deletion requests where retention is necessary to: (a) comply with legal obligations; (b) complete transactions or provide services reasonably expected by the User; (c) detect, prevent, or investigate security incidents or illegal activity; (d) protect free expression or the rights of others; (e) preserve evidence for legal claims; or (f) comply with Legal Holds, as permitted by GDPR, CCPA/CPRA, and other Applicable Laws.

13.4 When Hard Call LLC relies on an exception to deny or limit a deletion request, Hard Call will document the basis for the decision and, where required by law, explain the core reasons to the requesting User, subject to legal privilege and confidentiality constraints.

14. METHODS OF DELETION, ANONYMIZATION, AND AGGREGATION

14.1 Hard Call LLC employs a combination of logical and technical deletion methods, including overwriting identifiers, revoking access, and removing data from active indexes and storage systems, to ensure that Personal Data is no longer reasonably accessible or usable in the ordinary course of business.

14.2 Where data cannot be immediately removed from all backups or archived media, Hard Call LLC will: (a) ensure that such media are subject to strict access controls; and (b) allow the data to age out and be overwritten according to scheduled backup rotation, except where earlier destruction is required by law or feasible without undermining record integrity.

14.3 When anonymizing or aggregating data, Hard Call LLC will apply techniques that are reasonably designed to prevent re-identification, taking into account current industry standards, regulatory guidance, and the likelihood of attempts at re-identification. Hard Call LLC will periodically review anonymization practices to maintain compliance with GDPR, CCPA/CPRA, and FTC guidance.

14.4 Where de-identified data is maintained, Hard Call LLC will not re-identify such data except as permitted by Applicable Law and internal policies (for example, to validate anonymization methods or respond to security incidents), and will not attempt to re-identify de-identified data if doing so would violate CCPA/CPRA or other data protection laws.

15. CROSS-BORDER TRANSFERS AND RETENTION IMPLICATIONS

15.1 Because Hard Call LLC operates primarily from the United States, Personal Data may be stored on servers located in the U.S. and potentially other jurisdictions. Retention periods described in this Policy apply regardless of where the data is stored, subject to local law requirements.

15.2 Where GDPR, UK GDPR, or similar laws apply to cross-border transfers, Hard Call LLC will implement appropriate safeguards, such as standard contractual clauses and supplementary measures, and will ensure that retention and deletion practices in receiving jurisdictions are consistent with the commitments outlined in this Policy.

15.3 Users in the EU, EEA, UK, and other jurisdictions with special retention rules may have additional rights or expectations regarding retention and deletion, which Hard Call will address as part of its data protection compliance program.

16. SECURITY, ACCESS CONTROL, AND RECORDS OF RETENTION

16.1 Hard Call’s security controls, including access management, encryption, and logging, are designed to support and enforce retention and deletion requirements by limiting who can access data, how long it is accessible, and under what conditions it may be restored from backup.

16.2 Access to data scheduled for deletion is restricted to personnel with a legitimate need and is removed when the data is deleted or anonymized. Hard Call LLC uses role-based access control and periodic access review processes to ensure compliance with this Policy.

16.3 Hard Call LLC maintains records of retention and deletion events where appropriate, including logs of bulk deletion operations, to demonstrate compliance with this Policy and Applicable Law to auditors and regulators.

16.4 Security incident and data breach response procedures under state data breach laws, GDPR, and other frameworks are described in the Privacy Policy and related incident response documentation. Retention of breach-related records is aligned with Sections 8 and 12 of this Policy.

17. ROLES, RESPONSIBILITIES, AND TRAINING

17.1 Hard Call’s leadership is responsible for approving and periodically reviewing this Policy and any material updates, in consultation with legal, security, and privacy functions.

17.2 Designated data protection, security, and compliance personnel are responsible for maintaining detailed retention schedules, implementing technical controls, and monitoring adherence to this Policy across systems and business processes.

17.3 Editors and operational staff receive training on this Policy, including how long they may access message histories, how to handle deletion requests, and how to apply Legal Holds when instructed by authorized personnel.

17.4 Service providers that process data on Hard Call’s behalf are contractually required to assist Hard Call in meeting retention and deletion obligations, including the timely deletion or return of data upon termination of services, subject to their own legal obligations.

18. ENFORCEMENT, AUDITS, AND NON-COMPLIANCE

18.1 Hard Call LLC will periodically review and audit its retention and deletion practices to assess compliance with this Policy, data protection laws, PCI DSS where applicable, and internal security standards. Audits may be carried out by internal teams or independent third parties under appropriate confidentiality obligations.

18.2 Non-compliance with this Policy by Hard Call LLC personnel may result in disciplinary action, up to and including termination of employment or engagement, consistent with applicable law and contractual arrangements.

18.3 Where non-compliance with this Policy by a service provider is identified, Hard Call LLC will take appropriate remedial steps, which may include contractual enforcement, additional oversight, suspension of data transfers, or termination of the relationship.

18.4 To the fullest extent permitted by law, Hard Call’s liability for retention and deletion issues is governed by the limitation of liability and indemnification provisions of the Terms, which are incorporated by reference into this Policy.

19. GOVERNING LAW, DISPUTE RESOLUTION, AND SURVIVAL

19.1 This Policy is governed by the same governing law as the Terms, typically the laws of the Commonwealth of Massachusetts and the United States, without regard to conflict of law rules, except where non-waivable local law requires otherwise.

19.2 Any disputes arising out of or relating to this Policy shall be resolved in accordance with the dispute resolution, arbitration, and class action waiver provisions set forth in the Terms, to the fullest extent permitted by law.

19.3 Provisions of this Policy that by their nature should survive termination of the Services or closure of an account, including those relating to Legal Holds, liability limitations, and evidentiary records, shall survive for as long as necessary to fulfill their purpose and comply with Applicable Law.

20. CHANGES TO THIS DATA RETENTION AND DELETION POLICY

20.1 Hard Call LLC may update this Policy from time to time to reflect changes in legal requirements, regulatory interpretations, industry standards, or our Services and infrastructure. Material changes will be communicated in accordance with the notification methods described in the Privacy Policy and Terms, such as by updating the "Last Updated" date, posting a notice in the Services, or sending email notifications.

20.2 Unless otherwise stated, updates to this Policy become effective when posted. Continued use of the Services after the effective date of an updated Policy constitutes acknowledgment of the changes, to the extent permitted by Applicable Law. If you do not agree with the updated Policy, you shall stop using the Services and may exercise your rights under Applicable Law.

20.3 Where GDPR, CCPA/CPRA, DSA, or other frameworks require specific disclosures or rights in connection with changes to retention practices, Hard Call will implement those requirements, including honoring any additional rights to object, opt out, or seek deletion.

21. CONTACT INFORMATION

21.1 If you have questions about this Policy, our retention and deletion practices, or your rights under Applicable Law, you may contact us at: HARD CALL LLC, TWO LOWELL AVENUE, WINCHESTER, MA 01890, Attn: Data Protection, and info@hardcall.com.

21.2 If GDPR or UK GDPR applies, you may also have the right to lodge a complaint with your local supervisory authority or the authority where you work or reside. Information on EU supervisory authorities is available from the European Data Protection Board, and information on the UK Information Commissioner’s Office is available on its official website.

21.3 Hard Call LLC will review and respond to inquiries and rights requests related to this Policy in good faith and in accordance with Applicable Law.