Security & Trust

Data Privacy After Elections: How VoteAlly Handles Voter Information

Most voting platforms collect voter names, emails, and phone numbers to run an election. The question that matters is what happens to that data after the vote is over. VoteAlly automatically purges voter personal information while preserving the anonymous ballot record and audit trail.

Published: March 2026

VoteAlly's automated PII purge permanently removes voter Personally Identifiable Information (names, emails, phone numbers, member IDs) from completed voting sessions. By default, the purge runs 90 days after a session ends. The retention period is configurable per organization. Anonymous ballots, encrypted vote choices, receipt codes, and election results are preserved indefinitely. Administrators receive warning emails at 60, 30, and 14 days before the purge.

Why voter data retention matters

When a voting session ends, the organization no longer needs most of the personal information it collected. The vote has been counted. The results are final. But the voter data sits in the database: names, email addresses, phone numbers, member IDs, access codes.

This creates risk on both sides. For voters, their personal information is exposed to potential data breaches for as long as it is stored. For organizations, holding unnecessary personal data increases their liability under privacy regulations like the GDPR (General Data Protection Regulation) in Europe and the CCPA (California Consumer Privacy Act) in the United States.

The GDPR's "purpose limitation" principle states that personal data should only be kept for as long as it is needed for its original purpose. Once the election is over and the challenge period has passed, there is no legitimate reason to retain voter PII. The CCPA gives California residents the right to request deletion of their personal information, and organizations that hold data unnecessarily face compliance exposure.

Many voting platforms do not address this. They collect voter data, run the election, and leave the data sitting indefinitely. Some require manual deletion by the administrator. Others offer no deletion capability at all. VoteAlly takes a different approach: automated purging with configurable retention, warning notifications, and preservation of the anonymous audit trail.

How VoteAlly's automated PII purge works

The purge runs automatically with no action required from the administrator. Here is the lifecycle from session end to data removal:

1. Session ends and retention clock starts

When a voting session status changes to ENDED, the system records the exact timestamp. This is the definitive start of the retention countdown. It uses the actual end time, not the scheduled end time, to ensure accuracy even if a session runs long.

2. Warning notifications at 60, 30, and 14 days

VoteAlly sends automated email notifications to organization administrators at three milestones before the purge. The 14-day notice is marked as a final warning. These give administrators time to export participation reports, download voter lists, and save any records they need.

3. Reports page shows retention countdown

The session reports page displays the number of days remaining until the automated purge. The countdown changes color to red when 7 or fewer days remain. This is a visual reminder to download data before it is permanently removed.

4. Automated purge runs daily

A scheduled job runs daily at 3 AM UTC. It processes all sessions that have exceeded their organization's retention period (default: 90 days). Each organization's individual retention setting is respected. The job processes up to 10 sessions per organization per run.

5. PII is permanently removed

Voter emails are replaced with anonymized placeholders. Names, phone numbers, and email metadata are set to NULL. Member IDs and access codes are replaced with anonymized values. Candidate photos are deleted from cloud storage. Voter-related fields in audit logs are replaced with "REDACTED". The session is marked with a piiPurgedAt timestamp to prevent duplicate processing.

What gets purged vs. what survives

The purge is surgical. It removes everything that identifies a specific person while preserving everything needed to verify election results and maintain the audit trail.

Permanently removed

Email addresses: Replaced with anonymized placeholders (purged-{id}@deleted.local)
Names: Set to NULL
Phone numbers: Set to NULL
Member IDs: Replaced with anonymized values
Access codes: Replaced with anonymized values
Magic link tokens: Set to NULL
Email delivery metadata: Set to NULL
Candidate photos: Deleted from cloud storage
Voter fields in audit logs: Replaced with "REDACTED"

Preserved indefinitely

Anonymous ballots: Ballots never contain voter identity. They remain for audit and verification.
Encrypted vote choices: AES-256-GCM encrypted payload stays intact for potential audit recovery.
Receipt codes: Voters can still verify their ballot was counted, even after PII is gone.
Vote weights: Needed to validate that weighted tallies are correct.
Participation records: The record that a voter voted on a question (not how) is preserved for turnout analytics.
Candidate names: Considered public record and essential for meaningful election results.
Admin audit fields: Who performed admin actions (changedBy, actorEmail, IP) is preserved for accountability.
Election results: Tallies, pass/fail outcomes, and published results remain permanently.
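
The lifecycle steps and the removed/preserved lists above can be modelled as one retention job. The sketch below is an added example, not VoteAlly's code: the SQLite schema, every table and column name other than piiPurgedAt, the use of the voter row id in placeholders, and the sample rows are assumptions. It covers voter-row fields only (not audit logs or candidate photos).

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Hypothetical schema: every table and column name is an assumption except piiPurgedAt.
SCHEMA = """
CREATE TABLE orgs(id INTEGER PRIMARY KEY, retentionDays INTEGER DEFAULT 90);
CREATE TABLE sessions(id INTEGER PRIMARY KEY, orgId INT, status TEXT, endedAt TEXT, piiPurgedAt TEXT);
CREATE TABLE voters(id INTEGER PRIMARY KEY, sessionId INT, email TEXT, name TEXT, phone TEXT,
                    memberId TEXT, accessCode TEXT, magicLinkToken TEXT);
CREATE TABLE ballots(id INTEGER PRIMARY KEY, sessionId INT, receiptCode TEXT, encryptedChoice BLOB);
"""
NOW = datetime(2026, 3, 1, 3, 0, tzinfo=timezone.utc)  # constructed run time (3 AM UTC)
MAX_PER_ORG = 10  # sessions per organization per run, as described on the page

def demo_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO orgs(id) VALUES (1)")
    for sid, age in ((1, 91), (2, 10)):  # constructed: sessions ended 91 and 10 days before NOW
        db.execute("INSERT INTO sessions VALUES (?, 1, 'ENDED', ?, NULL)",
                   (sid, (NOW - timedelta(days=age)).isoformat()))
        db.execute("INSERT INTO voters VALUES (?, ?, 'ann@example.org', 'Ann', '555-0100',"
                   " 'M-7', 'AC-7', 'tok')", (sid, sid))
        db.execute("INSERT INTO ballots VALUES (?, ?, 'R-1', X'00')", (sid, sid))
    return db

def purge_session(db, sid, now):
    """Anonymize one session atomically; returns False if it was already purged."""
    with db:  # one transaction: commit on success, roll back on error
        claimed = db.execute("UPDATE sessions SET piiPurgedAt = ? WHERE id = ? AND piiPurgedAt IS NULL",
                             (now.isoformat(), sid)).rowcount
        if not claimed:
            return False  # idempotent: a repeat call changes nothing
        db.execute("UPDATE voters SET name = NULL, phone = NULL, magicLinkToken = NULL, "
                   "email = 'purged-' || id || '@deleted.local', memberId = 'purged-' || id, "
                   "accessCode = 'purged-' || id WHERE sessionId = ?", (sid,))
    return True

def run_daily_purge(db, now=NOW):
    """Purge ended sessions past their org's retention period, oldest first, capped per org."""
    rows = db.execute(
        "SELECT s.id, s.orgId, s.endedAt, o.retentionDays FROM sessions s JOIN orgs o ON o.id = s.orgId "
        "WHERE s.status = 'ENDED' AND s.piiPurgedAt IS NULL ORDER BY s.endedAt").fetchall()
    taken, purged = {}, []
    for sid, org, ended, days in rows:
        expired = datetime.fromisoformat(ended) + timedelta(days=days) <= now
        if expired and taken.get(org, 0) < MAX_PER_ORG and purge_session(db, sid, now):
            taken[org] = taken.get(org, 0) + 1
            purged.append(sid)
    return purged
```

Claiming the session with a conditional update on piiPurgedAt before touching voter rows is what makes a repeated scheduled run or a manual purge a no-op; the ballots table is never written.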

Immediate manual purge

Administrators do not have to wait for the automated schedule. Any session that has ended or been archived can be purged immediately from the session reports page.

  • Navigate to the session reports page and find the Danger Zone section
  • Click the purge button and type "PURGE" to confirm
  • The operation is irreversible and processes immediately
  • Running it twice has no additional effect (the operation is idempotent)
  • After purging, the page shows an "Already Purged" state with the purge timestamp

This is useful when a voter requests immediate data deletion (as is their right under GDPR Article 17, the "right to erasure") or when an organization's internal policy requires faster cleanup.

How this protects both the organization and the voter

For the organization

  • Reduced liability from holding unnecessary personal data
  • Automated compliance with GDPR and CCPA retention requirements
  • No manual cleanup process to forget or get wrong
  • Audit trail remains intact for governance accountability
  • Configurable retention to match regulatory requirements

For the voter

  • Personal information is not stored indefinitely
  • Email, name, and phone number are permanently removed
  • Receipt code still works for verification after purge
  • Ballot anonymity is preserved (it was never linked)
  • Data breach exposure window is limited to the retention period

Beyond session data: global housekeeping

The daily automated job does more than just session-scoped PII removal. It also performs global database housekeeping to reduce the overall data footprint:

  • Expired magic link tokens, reset tokens, email MFA codes, and invite tokens are aggressively nullified across all voter and user records
  • Unverified user accounts older than 30 days (or with expired invite tokens) are hard-deleted to remove abandoned registrations

This reduces the attack surface by ensuring that expired credentials and abandoned accounts do not persist in the database longer than necessary.

How this compares to typical voting platforms

Most voting platforms take one of two approaches to voter data after an election: they keep it indefinitely, or they leave deletion entirely to the administrator.

Typical approach

  • Voter data stored indefinitely after the election
  • Manual deletion required (often forgotten)
  • No automated retention policy
  • No pre-deletion warnings
  • Deletion often removes everything, including results

VoteAlly approach

  • Automated purge after configurable retention (default 90 days)
  • Three warning notifications before purge (60, 30, 14 days)
  • Surgical removal: PII gone, results and receipts preserved
  • Immediate manual purge available for any ended session
  • Per-organization retention settings

Frequently asked questions

When does VoteAlly automatically delete voter data?

By default, 90 days after a voting session ends. The retention period is configurable per organization. The countdown starts from the actual session end time, not a scheduled end time, to ensure accuracy.

What voter data is deleted during a PII purge?

Email addresses, names, phone numbers, member IDs, access codes, magic link tokens, email delivery metadata, and candidate photos. Voter-related fields in audit log entries are replaced with "REDACTED".

What data survives the purge?

Anonymous ballots (which never contain voter identity), encrypted vote choices, receipt codes, vote weights, participation records, candidate names, admin audit fields, and all election results.

Is VoteAlly GDPR and CCPA compliant?

VoteAlly supports GDPR and CCPA compliance through automated PII purging, configurable retention periods, structural ballot anonymity, and immediate manual purge capability for any ended or archived session.

Can I change the retention period?

Yes. Each organization has a configurable retention period that defaults to 90 days. This can be adjusted to meet your specific regulatory or policy requirements. The automated purge respects each organization's individual setting.

Does VoteAlly warn me before data is purged?

Yes. Automated email notifications are sent at 60 days, 30 days, and 14 days before a scheduled purge. These give administrators time to export reports and download any records they need.

Can I purge data immediately?

Yes. Any ended or archived session can be purged immediately from the reports page. The administrator must type "PURGE" to confirm. The operation is irreversible and idempotent.

Privacy by default, not by accident

VoteAlly is free for up to 50 voters. Automated PII purging, anonymous ballots, and encrypted vote storage are included on every plan. No credit card required.