Data Retention Policy

1. Purpose

Cobalt retains customer data only as needed to deliver our services. Specifically, we store data pulled from electronic health records (EHRs) in order to make it accessible through our API. We do not use customer data for any secondary purposes such as analytics, product training, or machine learning.

2. Scope

This policy applies to all customer data processed or stored by Cobalt, including Protected Health Information (PHI), Personally Identifiable Information (PII), and other healthcare-related data accessed on behalf of our customers.

3. Retention Principles

• Cobalt retains customer data for as long as necessary to provide the contracted service.
• Data is retained to ensure operational continuity, historical access, and support for use cases like reporting, billing, and workflow automation.
• Customers may configure what data is pulled or synced, and how long it remains accessible.
• Cobalt does not retain more data than required to support active product features.

4. Deletion & Requests

• Customers may request deletion of any stored data at any time by contacting us at bryan@usecobalt.com.
• Upon termination of a customer relationship, Cobalt will delete all retained customer data within 30 days unless otherwise required by law or contract.
• Partial or field-level deletions are supported on request.

5. Legal & Compliance Exceptions

Cobalt may retain limited data beyond the active service period where required to comply with legal, audit, or regulatory obligations, or to investigate abuse, fraud, or security issues. These cases are narrowly scoped and logged.

6. Policy Review

This policy is reviewed periodically and updated as needed to reflect evolving best practices and regulatory guidance.