Last Updated: April 2026
This Data Retention Policy explains how long we keep your personal data and why. We retain data only for as long as necessary to fulfill the purposes outlined in our Privacy Policy, comply with legal obligations, and protect our legitimate interests.
This policy complies with GDPR Article 5(1)(e) (storage limitation principle) and Luxembourg data protection law.
Members can leave Rocklab through two independent paths, both accessible from Settings → Data & Account. Deactivate My Account starts a 6-month grace period during which the account can be reactivated by logging back in; after 6 months, an automated job permanently anonymises the account. Delete My Account anonymises personal data immediately with no grace period. Financial and ticketing records retained under legal obligation are not affected by either path.
| Data Category | Retention Period | Legal Basis / Justification |
|---|---|---|
| Active Member Accounts | Duration of membership | Contract performance (GDPR Art. 6(1)(b)) |
| Deactivated Accounts | 6 months after deactivation | Legitimate interests - grace period for reactivation, then permanently anonymized |
| Deleted Account Data | Anonymized immediately; metadata: 3 years | Legal obligation, legitimate interests (dispute resolution) |
| Profile & EPK Content | Duration of membership + 3 years | Contract performance, legitimate interests |
| Authentication Sessions | 7 days (standard); 28 days (remember me) | Security, legitimate interests |
| Refresh Tokens | Until logout or 28 days | Security, user convenience |
| Room Bookings | 10 years | Luxembourg legal obligation (Art. 16 Commercial Code — financial records) |
| Subscription Records | 10 years | Luxembourg legal obligation (Art. 16 Commercial Code — financial records) |
| Financial Transactions | 10 years | Luxembourg legal obligation (Art. 16 Commercial Code — tax, accounting) |
| Posts & Comments | Until deleted by the member or until account anonymisation (whichever comes first). Author attribution is anonymised on account deletion; post content is retained for community integrity unless the member explicitly deletes the post. | Contract performance, community integrity (legitimate interest) |
| System Logs | 90 days (general); 1 year (security logs) | Security, troubleshooting, legitimate interests |
| Security Incident Records | 3 years | Legal obligation (breach notification), legitimate interests |
| Notifications | 90 days or until dismissed | Legitimate interests (user communication) |
| Cookie Consent Records | 1 year or until updated | Legal obligation (consent management) |
| Marketing Consent | Until withdrawal or 3 years inactivity | Consent management, legitimate interests |
| Rejected Room Subscription Applications | 6 months after rejection | Legitimate interests - personal data anonymized, application record retained |
| Event Attendance Logs | Duration of membership | Legitimate interests - engagement tracking, members can delete via settings |
| QR Code Access Data | Deleted after each session | Security - access logs retained for 90 days |
| Admin Private Notes | 2 years, reviewed quarterly | Legitimate interests - member support continuity |
| Expert Tags | Duration of membership or until removed | Legitimate interests - members notified and can request removal |
| International Expert Profiles | Until consent withdrawn or profile deleted | Consent (GDPR Art. 6(1)(a)) - experts can request deletion at any time |
| Audit Logs | 2 years | Security, compliance monitoring |
| Support/Contact Inquiries | 3 years after resolution | Legitimate interests (customer service, dispute resolution) |
If data is subject to a legal hold (e.g., pending litigation, regulatory investigation), we will retain the data beyond the standard retention period until the hold is lifted. You will be notified if your data is subject to a legal hold.
In certain cases, you may request extended retention of your data (e.g., for archival purposes). Such requests will be evaluated on a case-by-case basis.
We may retain anonymized or aggregated data indefinitely for statistical analysis, research, and service improvement. Anonymized data cannot be linked back to you and is not subject to GDPR data subject rights.
Our systems automatically delete or anonymize data when retention periods expire:
You can request immediate deletion of your account at any time:
What gets deleted:
What is retained (anonymized or pseudonymized):
This Data Retention Policy is reviewed annually to ensure:
Last review: April 2026 | Next review: April 2027
If you have questions about our data retention practices or want to request deletion of your data, contact us:
Data Protection Contact: mydata@rockhal.lu
Phone: (+352) 24 555-611
Address: 5, Avenue du Rock 'n' Roll, L-4361 Esch/Alzette, Luxembourg