Data Retention and PII Purging

Understand how VoteAlly protects voter privacy through automated data retention policies. Comply with GDPR and CCPA while preserving election integrity.

What is PII Purging?

PII (Personally Identifiable Information) purging is the permanent, irreversible removal of voter personal data from a completed voting session. VoteAlly performs this automatically to comply with data minimization requirements under GDPR (EU General Data Protection Regulation) and CCPA (California Consumer Privacy Act).

The core principle is simple: once a voting session is over and the results are final, there is no legitimate reason to retain voter names, emails, or phone numbers. Removing this data reduces the risk of a data breach exposing personal information while keeping the election results and audit trail fully intact.

Purging is idempotent. Running it multiple times on the same session has no additional effect. Once purged, the operation cannot be undone.

Retention Period

The default retention period is 90 days after a voting session ends. The clock starts from the endedAt timestamp, which is set when the session status changes to ENDED. This is more reliable than the scheduled end time, which can change.

Organizations can customize their retention period. Supported values are 30, 90, 180, or 365 days. Each organization's setting applies to all of its sessions.

Note: The retention clock runs even if a session has not been manually archived. As long as the session has ended, the countdown is active. This ensures compliance even if administrators forget to archive old sessions.

What Gets Purged vs. What Survives

The purge process targets three categories of data. Everything else remains intact for analytics and accountability.

Voter PII

Removed:
  • Email addresses
  • Names
  • Phone numbers
  • Member IDs
  • Access codes
  • Magic link tokens
  • Email delivery metadata

Preserved:
  • Voter ID (anonymized reference)
  • Vote weight
  • Invitation timestamp
  • Participation records (turnout data)

Audit Logs

Voter-related fields in audit log details (voter email, voter name, phone, member ID) are replaced with REDACTED. Admin actor fields (who performed the action, their email, and IP address) are preserved. The audit trail remains functional for accountability without exposing voter PII.

Candidate Photos

Candidate photos are deleted from cloud storage (R2) and their URLs are removed from the database. Candidate names are retained as public record, since they are essential for meaningful election results.

Ballots

Ballots are not modified during PII purging. They are already anonymous by design (no voter reference exists on the Ballot record). All receipt codes, encrypted vote choices, choice hashes, and vote weights remain intact as part of the permanent audit trail.
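The rules in this section, modelled in code as an added example (this is not VoteAlly's own implementation). The identifiers endedAt, piiPurgedAt, ENDED and REDACTED come from this page; every other field name, the audit-log detail keys and the sample records are assumptions chosen to illustrate which data is removed, which is redacted and which survives. The R2 object delete is stood in for by a callback so the example runs offline.

```typescript
// Added example, not VoteAlly's code: an in-memory model of the purge rules.
// endedAt, piiPurgedAt, ENDED and REDACTED are from the docs; all other names are assumed.

interface Voter {
  voterId: string;                    // anonymized reference: preserved
  voteWeight: number;                 // preserved
  invitedAt: string;                  // invitation timestamp: preserved
  participated: boolean;              // turnout record: preserved
  email: string | null;               // everything below is PII: removed
  name: string | null;
  phone: string | null;
  memberId: string | null;
  accessCode: string | null;
  magicLinkToken: string | null;
  emailDelivery: { provider: string; deliveredAt: string } | null;
}

interface AuditLog {
  actorEmail: string;                 // admin actor fields: preserved
  actorIp: string;
  action: string;
  details: Record<string, string>;    // voter-related keys inside are redacted
}

interface Candidate { name: string; photoUrl: string | null }

interface Ballot { receiptCode: string; encryptedChoice: string; choiceHash: string; voteWeight: number }

interface Session {
  id: string;
  status: "DRAFT" | "OPEN" | "ENDED";
  endedAt: string | null;
  piiPurgedAt: string | null;
  voters: Voter[];
  auditLogs: AuditLog[];
  candidates: Candidate[];
  ballots: Ballot[];
}

// Assumed names of the voter-related keys that may appear in audit log details.
const VOTER_DETAIL_KEYS = ["voterEmail", "voterName", "voterPhone", "memberId"];

function purgeSessionPii(
  session: Session,
  now: Date,
  deletePhoto: (url: string) => void,   // stand-in for the R2 object delete
): { purged: boolean; reason?: string } {
  if (session.status !== "ENDED") return { purged: false, reason: "session has not ended" };
  if (session.piiPurgedAt !== null) return { purged: false, reason: "already purged" }; // idempotent

  for (const v of session.voters) {
    v.email = null; v.name = null; v.phone = null; v.memberId = null;
    v.accessCode = null; v.magicLinkToken = null; v.emailDelivery = null;
  }
  for (const log of session.auditLogs) {
    for (const key of VOTER_DETAIL_KEYS) {
      if (key in log.details) log.details[key] = "REDACTED";   // actor fields are not touched
    }
  }
  for (const c of session.candidates) {
    if (c.photoUrl !== null) { deletePhoto(c.photoUrl); c.photoUrl = null; }   // name is kept
  }
  // Ballots carry no voter reference and are deliberately left untouched.
  session.piiPurgedAt = now.toISOString();
  return { purged: true };
}

// Constructed sample data (not real voters).
function sampleSession(): Session {
  return {
    id: "sess-1", status: "ENDED", endedAt: "2024-03-01T17:00:00Z", piiPurgedAt: null,
    voters: [{
      voterId: "v-1", voteWeight: 1, invitedAt: "2024-02-20T09:00:00Z", participated: true,
      email: "alice@example.org", name: "Alice Example", phone: "+15550100", memberId: "M-001",
      accessCode: "K7Q2-PL9X", magicLinkToken: "tok_sample",
      emailDelivery: { provider: "mail", deliveredAt: "2024-02-20T09:01:00Z" },
    }],
    auditLogs: [{
      actorEmail: "admin@example.org", actorIp: "203.0.113.10", action: "VOTER_INVITED",
      details: { voterEmail: "alice@example.org", voterName: "Alice Example", sessionTitle: "Board election" },
    }],
    candidates: [{ name: "Candidate One", photoUrl: "https://r2.example/photos/c1.jpg" }],
    ballots: [{ receiptCode: "RCPT-1", encryptedChoice: "ZW5jcnlwdGVk", choiceHash: "a1b2", voteWeight: 1 }],
  };
}

const demoSession = sampleSession();
const demoDeleted: string[] = [];
const demoFirst = purgeSessionPii(demoSession, new Date("2024-06-01T03:00:00Z"), (url) => { demoDeleted.push(url); });
const demoSecond = purgeSessionPii(demoSession, new Date(), () => {});   // no-op on the second run
console.log(demoFirst, demoSecond, demoDeleted, demoSession.voters[0], demoSession.auditLogs[0].details);
```

Two design points worth noting: the idempotency check reads piiPurgedAt before any mutation, so a retried job cannot redact twice or re-issue storage deletes, and the redaction keeps the audit entry's actor fields and any non-voter details so the trail still answers "who did what, when".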

Manual and Automated Purge Options

Manual Purge

You can purge PII at any time after a session has ended or been archived. This is useful when you need to comply with a data deletion request before the automated retention period expires.

1. Open the session Reports tab

   Navigate to the voting session in your admin dashboard and open the Reports tab.

2. Download any reports you need

   Export participation reports, ballot audit logs, and results before purging. These exports contain voter PII that will no longer be available after the purge.

3. Click the Purge button in the Danger Zone

   At the top of the Reports page, locate the Danger Zone section. Click the purge button to begin.

4. Type "PURGE" to confirm

   A confirmation modal will appear. You must type the word "PURGE" to proceed. This safeguard prevents accidental deletion.

Automated Purge

A scheduled job runs daily at 3:00 AM UTC and processes sessions that have exceeded their organization's retention period. It processes up to 10 sessions per organization per run to avoid overloading the database. Each organization's custom retention period is respected.

Once a session is purged (manually or automatically), VoteAlly records a piiPurgedAt timestamp on the session record to prevent duplicate processing.

Important: PII purging is irreversible. Once executed, there is no way to recover voter names, emails, or other personal data. Always export your reports before purging.
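The selection step of the daily job, as an added example (not VoteAlly's code): it applies the retention clock described under Retention Period, skips sessions that have not ended or already carry piiPurgedAt, and caps the batch at 10 sessions per organization per run. The retention values, the 90-day default, endedAt, ENDED and piiPurgedAt come from this page; the row and settings shapes, the oldest-first ordering and the sample rows are assumptions.

```typescript
// Added example, not VoteAlly's code: which sessions the daily job would pick up.
// Retention values, the 90-day default, endedAt, ENDED and piiPurgedAt are from the docs;
// the row shapes and oldest-first ordering are assumptions.

type RetentionDays = 30 | 90 | 180 | 365;
const DEFAULT_RETENTION_DAYS: RetentionDays = 90;
const MAX_SESSIONS_PER_ORG_PER_RUN = 10;
const DAY_MS = 24 * 60 * 60 * 1000;

interface OrgSettings { orgId: string; retentionDays: RetentionDays }

interface SessionRow {
  id: string;
  orgId: string;
  status: "DRAFT" | "OPEN" | "ENDED";
  endedAt: string | null;      // set when status becomes ENDED; starts the clock
  piiPurgedAt: string | null;  // set after a successful purge; blocks reprocessing
}

// The instant at which a session's PII becomes due for purging.
function purgeDueAt(endedAt: string, retentionDays: number): Date {
  return new Date(new Date(endedAt).getTime() + retentionDays * DAY_MS);
}

function selectSessionsToPurge(sessions: SessionRow[], orgs: OrgSettings[], now: Date): SessionRow[] {
  const retention = new Map<string, number>();
  for (const o of orgs) retention.set(o.orgId, o.retentionDays);

  // Group every due, unpurged session by organization.
  const dueByOrg = new Map<string, SessionRow[]>();
  for (const s of sessions) {
    if (s.status !== "ENDED" || s.endedAt === null) continue;          // clock has not started
    if (s.piiPurgedAt !== null) continue;                               // already processed
    const days = retention.get(s.orgId) ?? DEFAULT_RETENTION_DAYS;      // per-org setting
    if (purgeDueAt(s.endedAt, days).getTime() > now.getTime()) continue; // not yet due
    const list = dueByOrg.get(s.orgId) ?? [];
    list.push(s);
    dueByOrg.set(s.orgId, list);
  }

  // Per-org cap: oldest first so a backlog drains in order; the rest waits for the next run.
  const selected: SessionRow[] = [];
  dueByOrg.forEach((list) => {
    list.sort((a, b) => (a.endedAt as string).localeCompare(b.endedAt as string));
    selected.push(...list.slice(0, MAX_SESSIONS_PER_ORG_PER_RUN));
  });
  return selected;
}

// Constructed sample data.
function sampleRows(): { sessions: SessionRow[]; orgs: OrgSettings[] } {
  const orgs: OrgSettings[] = [{ orgId: "org-a", retentionDays: 30 }, { orgId: "org-b", retentionDays: 365 }];
  const sessions: SessionRow[] = [];
  // org-a: 12 sessions ended on consecutive days in January 2024, all past 30 days by 1 March.
  for (let i = 1; i <= 12; i++) {
    sessions.push({ id: `a-${i}`, orgId: "org-a", status: "ENDED",
      endedAt: `2024-01-${String(i).padStart(2, "0")}T12:00:00Z`, piiPurgedAt: null });
  }
  sessions.push({ id: "a-done", orgId: "org-a", status: "ENDED", endedAt: "2024-01-01T12:00:00Z", piiPurgedAt: "2024-02-01T03:00:00Z" });
  sessions.push({ id: "a-open", orgId: "org-a", status: "OPEN", endedAt: null, piiPurgedAt: null });
  sessions.push({ id: "a-recent", orgId: "org-a", status: "ENDED", endedAt: "2024-02-20T12:00:00Z", piiPurgedAt: null });
  // org-b keeps data 365 days, so its January session is not due.
  sessions.push({ id: "b-1", orgId: "org-b", status: "ENDED", endedAt: "2024-01-05T12:00:00Z", piiPurgedAt: null });
  // org-c has no custom setting and falls back to the 90-day default.
  sessions.push({ id: "c-1", orgId: "org-c", status: "ENDED", endedAt: "2023-11-01T12:00:00Z", piiPurgedAt: null });
  return { sessions, orgs };
}

const demoRows = sampleRows();
const demoPicked = selectSessionsToPurge(demoRows.sessions, demoRows.orgs, new Date("2024-03-01T03:00:00Z"));
console.log(demoPicked.map((s) => s.id));   // 10 org-a sessions plus c-1; a-11 and a-12 wait for the next run
```

Because the job is driven by endedAt rather than by archiving, an organization cannot keep PII past its retention period simply by never archiving; the only lever is the retention setting itself, which is what the FAQ below describes.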

Pre-Purge Warning Notifications

VoteAlly sends email notifications to the organization owner (or an admin, if no owner is available) before the automated purge runs. These warnings give you time to download reports containing voter PII before it is permanently removed.

  • First Notice: 60 days before purge
  • Second Notice: 30 days before purge
  • Final Notice: 14 days before purge

Each notification is sent at most once per session. They are not recurring reminders. Notifications are only sent during business hours (9 AM to 6 PM in the organization's timezone).

The Reports tab in the session dashboard also displays a retention countdown showing the number of days remaining until the automated purge. The countdown text turns red when 7 or fewer days remain.
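The notice schedule and the countdown, as an added example (not VoteAlly's code). The 60/30/14-day thresholds, the send-once rule, the 9 AM to 6 PM business-hours window in the organization's timezone, and the 7-day red countdown come from this page. Two things are assumptions: that a threshold crossed while the job was outside business hours is still sent at the next in-hours run, and that every crossed-and-unsent threshold is due (rather than only the most urgent one). Days are counted by rounding up the time remaining.

```typescript
// Added example, not VoteAlly's code: pre-purge notice scheduling and the countdown.
// Thresholds, send-once rule, business hours and the 7-day red marker are from the docs;
// treating every crossed-and-unsent threshold as due is an assumption.

type NoticeDays = 60 | 30 | 14;
const NOTICE_THRESHOLDS: NoticeDays[] = [60, 30, 14];
const RED_COUNTDOWN_DAYS = 7;
const BUSINESS_HOURS_START = 9;   // 9 AM, inclusive
const BUSINESS_HOURS_END = 18;    // 6 PM, exclusive
const DAY_MS = 24 * 60 * 60 * 1000;

// Whole days left until the purge instant (rounded up, never negative).
function daysUntilPurge(purgeAt: Date, now: Date): number {
  return Math.max(0, Math.ceil((purgeAt.getTime() - now.getTime()) / DAY_MS));
}

// The Reports tab countdown turns red at 7 or fewer days.
function countdownIsRed(purgeAt: Date, now: Date): boolean {
  return daysUntilPurge(purgeAt, now) <= RED_COUNTDOWN_DAYS;
}

// Notices whose threshold has been crossed and that this session has not received yet.
function noticesDue(purgeAt: Date, now: Date, alreadySent: Set<NoticeDays>): NoticeDays[] {
  const remaining = daysUntilPurge(purgeAt, now);
  return NOTICE_THRESHOLDS.filter((t) => remaining <= t && !alreadySent.has(t));
}

// Local hour (0-23) of `now` in the organization's IANA timezone.
function localHour(now: Date, timeZone: string): number {
  const text = new Intl.DateTimeFormat("en-US", { hour: "2-digit", hour12: false, timeZone }).format(now);
  return parseInt(text, 10) % 24;   // some ICU builds print midnight as "24"
}

function isBusinessHours(now: Date, timeZone: string): boolean {
  const h = localHour(now, timeZone);
  return h >= BUSINESS_HOURS_START && h < BUSINESS_HOURS_END;
}

// One scheduler tick for one session: what to send right now (empty outside business hours).
function noticesToSendNow(purgeAt: Date, now: Date, alreadySent: Set<NoticeDays>, timeZone: string): NoticeDays[] {
  if (!isBusinessHours(now, timeZone)) return [];
  return noticesDue(purgeAt, now, alreadySent);
}

// Constructed walk-through: a session whose purge is due 2024-06-01 03:00 UTC.
const demoPurgeAt = new Date("2024-06-01T03:00:00Z");
const demoSent = new Set<NoticeDays>();
for (const iso of ["2024-04-05T14:00:00Z", "2024-05-20T14:00:00Z", "2024-05-26T14:00:00Z"]) {
  const now = new Date(iso);
  const toSend = noticesToSendNow(demoPurgeAt, now, demoSent, "America/New_York");
  toSend.forEach((n) => demoSent.add(n));   // record each notice so it is never repeated
  console.log(iso, daysUntilPurge(demoPurgeAt, now), "days left; red:", countdownIsRed(demoPurgeAt, now), "sent:", toSend);
}
```

Note that the send-once state (demoSent above) belongs on the session record, not in memory: a job that restarts without it would re-send notices, and one that loses it could skip the final notice entirely.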

Frequently Asked Questions

Can I change my organization's retention period?

Yes. Organizations can set their retention period to 30, 90, 180, or 365 days. Contact your Super Admin or support to adjust this setting. The change applies to all sessions in the organization.

What happens if I do not archive a session?

The automated purge does not require manual archiving. The retention clock starts from the endedAt timestamp, which is set when the session status changes to ENDED. As long as the session has ended, the purge will run on schedule.

Can I stop an automated purge from running?

If you need to preserve voter PII beyond the retention period, increase your organization's retention period before the purge date. Once a purge has run, it cannot be reversed.

Are election results affected by PII purging?

No. Ballots, receipt codes, encrypted vote choices, candidate names, and all tally data remain fully intact. Only voter personal information and candidate photos are removed. You can still view and export election results after a purge.

Does purging affect admin audit logs?

Partially. Voter-related fields in audit log details (voter email, name, phone, member ID) are replaced with REDACTED. Admin actor information (who performed each action, their email, and IP address) is preserved. The audit trail remains functional for accountability.

Is PII purging compliant with GDPR and CCPA?

Yes. The purge process permanently and irreversibly removes all voter PII from the database. Anonymous ballot records are retained for accountability, which is consistent with data minimization requirements under both GDPR and CCPA.

What additional cleanup does the automated purge perform?

Beyond session-scoped PII, the automated job also clears expired authentication tokens (magic links, reset tokens, MFA codes) and removes unverified user accounts older than 30 days. This reduces the overall attack surface of the platform.
