Data Retention & Deletion Policy
Aureon Financial LLC
(Applies to Aureon Financial LLC and any affiliates and related entities processing borrower, client, partner, and employee data.)
1. Purpose
- • Defining data classification standards
- • Establishing retention schedules
- • Implementing secure deletion procedures
- • Ensuring regulatory compliance
- • Reducing legal, financial, and cybersecurity risk
This policy establishes a structured framework for:
- • GLBA (Gramm-Leach-Bliley Act)
- • FTC Safeguards Rule
- • U.S. federal and state consumer lending laws
- • Applicable Mexican and Latin American data protection regulations (where ACP operates)
- • Contractual obligations with lenders, servicers, and bureaus
This policy operationalizes retention and deletion controls aligned with:
2. Scope
This policy applies to:
- • All Aureon systems (cloud-hosted, SaaS, local endpoints)
- • Loan origination systems
- • CRM and marketing platforms
- • Accounting and servicing records
- • Email and communications
- • Physical documents
- • Backup archives
- • Third-party vendors processing Aureon data
3. Data Classification Framework
| Classification | Description | Examples | Protection Level |
|---|---|---|---|
| Restricted | Highly sensitive personal/financial data | SSN, DOB, bank data, credit reports, loan agreements | Maximum encryption & strict retention |
| Confidential | Business-sensitive information | Contracts, underwriting notes, partner agreements | Encrypted & access-controlled |
| Internal | Non-public operational data | Internal emails, SOPs | Access-controlled |
| Public | Public-facing information | Marketing materials | No retention limits |
4. Retention Schedule
| Record Type | Retention Period | Rationale |
|---|---|---|
| Funded loan agreements | 7 years after loan payoff | Statute of limitations + regulatory audit |
| Loan applications (approved) | 7 years after funding | Compliance and dispute defense |
| Loan applications (denied/withdrawn) | 25 months minimum | ECOA/Reg B compliance |
| Credit bureau reports | 2 years max | Risk minimization |
| Underwriting files | 7 years | Regulatory defense |
| Data Type | Retention Period |
|---|---|
| Marketing leads (no application) | 24 months from last activity |
| Loyalty program member records | Duration of membership + 5 years |
| Email marketing lists | Until opt-out or 24 months inactivity |
| Record Type | Retention Period |
|---|---|
| Tax records | 7 years |
| Accounting records | 7 years |
| Shareholder agreements | Permanent |
| Board minutes | Permanent |
| Compliance policies | Superseded version + 5 years |
| Record Type | Retention Period |
|---|---|
| Personnel files | 7 years after termination |
| Payroll records | 7 years |
| Background checks | 5 years |
| Access logs | 2 years |
| Record Type | Retention |
|---|---|
| System access logs | 24 months |
| Security event logs | 24 months |
| Incident reports | 7 years |
| Backup archives | Rolling 90 days (unless under legal hold) |
5. Legal Holds
When litigation, audit, investigation, or regulatory inquiry is anticipated or active:
- • Automatic deletion is suspended
- • Relevant custodians are notified
- • Backup deletion is paused for relevant systems
- • Documentation of hold scope is maintained
Only General Counsel or Executive Management may lift a legal hold.
6. Secure Deletion Standards
6.1 Digital Records
- • Cryptographic erasure (for encrypted systems)
- • NIST SP 800-88 compliant overwriting
- • Secure wipe protocols for SSD/HDD disposal
- • Vendor-certified destruction certificates
Aureon shall use:
Deletion must render data irrecoverable.
6.2 Cloud & SaaS Platforms
- • Contractually commit to secure deletion
- • Provide deletion confirmation upon request
- • Maintain documented destruction procedures
- • Purge from backups within defined retention cycles
Vendors must:
Vendor compliance must be reviewed annually.
6.3 Physical Records
- • Cross-cut shredding (minimum P-4 standard)
- • Locked destruction bins
- • Certified document destruction vendors
- • Destruction log maintained
7. Data Subject Rights (Where Applicable)
For jurisdictions recognizing data rights:
- • Access to stored personal data
- • Correction of inaccurate data
- • Deletion (subject to legal retention requirements)
- • Restriction of processing
Individuals may request:
If deletion conflicts with regulatory retention requirements, Aureon will:
- • Restrict processing
- • Retain only required minimum data
- • Document the legal basis for retention
8. Backup & Archive Management
- • Encrypted backups maintained separately from production
- • Retention aligned with primary system schedule
- • Backup purging automated
- • Quarterly review of backup integrity
- • No indefinite backup retention permitted
9. Roles & Responsibilities
| Role | Responsibility |
|---|---|
| Executive Management | Policy approval |
| Compliance Officer | Oversight & enforcement |
| IT Security Lead | Technical deletion implementation |
| Operations | Ensure CRM/Lending compliance |
| Third-Party Vendors | Contractual compliance |
10. Monitoring & Audit
- • Annual retention audit
- • Quarterly deletion verification sampling
- • Vendor compliance review
- • Access log review
- • Incident documentation
Any deviation must be remediated within 30 days.
11. Policy Violations
Improper retention or unauthorized deletion may result in:
- • Internal disciplinary action
- • Vendor termination
- • Regulatory reporting obligations
12. Review Cycle
This policy shall be reviewed annually or upon:
- • Regulatory change
- • New product launch
- • New jurisdiction expansion
- • Major technology change
Executive Summary for Board-Level Use
This policy ensures Aureon:
- • Minimizes liability exposure
- • Reduces cyber risk surface area
- • Maintains regulatory defensibility
- • Controls data sprawl
- • Aligns with U.S. and cross-border financial compliance standards
Getting your conditional pre-approval takes as little as 60 seconds right on your device. We include a link to get your credit score in real time which does not impact your credit score at all to check. You will have two options; borrow on a personal loan or borrow through your corporation. Once you have your credit score and have confirmed your income you will receive an instant notification whether you have been pre-approved or not. Once you have been pre-approved we will contact you within 2 business days and walk you through the rest of our trusted 3 Step Funding process to ensure success.
Our process is simple and our terms are clear. Our financing fee is included in your sales contract, clearly defined and included in your funded amount. In the rare case that you are not funded, you pay zero fees of any kind. Plus our terms are as good as, or better than you would get at your bank with an average APR of 9% depending primarily on your credit score.
Getting you the funding you need for the lifestyle you deserve is what we do best. But we don’t just do our best, we do what is required to get you your funding to ensure you are happy. Even in the rare cases that we cannot get you funded right away, we offer additional services, at no cost, to help you get the funding you need at a later date. We are here to help you every step of the way.