Question 79
Where is extracted personal data stored, and for how long?
This depends entirely on the specific deployment model and configuration a business chooses, since these details vary by vendor and by how a given business has configured their integration, rather than being fixed universally across the industry.
For on-device processing, extracted data can, depending on configuration, remain solely on the user's device and never be transmitted to any external server at all, with the business only receiving whatever final structured result it chooses to request, if any. This is the most privacy-preserving configuration available, since the sensitive document image and detailed extraction results never leave the device unless explicitly transmitted.
For cloud-based or hybrid processing, extracted data (and often the underlying document image, at least temporarily) is transmitted to and processed on the vendor's servers, or sometimes on infrastructure specifically dedicated to a business customer, depending on the vendor's architecture and any custom hosting arrangements. In these cases, data retention periods should be clearly defined and configurable, ideally aligning with the minimum period genuinely necessary for the business's specific use case.
A compliance check might need to retain records for a regulatory-mandated period, while a simple check-in flow might need no retention at all beyond the immediate transaction.
Responsible vendors generally publish clear data retention and storage policies, specify the geographic location(s) where data is processed and stored (relevant for regulations like GDPR that impose restrictions on cross-border data transfers), and offer configurable retention settings so a business can align the vendor's defaults with their own specific legal and compliance requirements rather than being locked into a one-size-fits-all retention period.
Given how sensitive this data category is, it's reasonable and appropriate for any business evaluating a document scanning vendor to ask directly about storage location, retention periods, and deletion practices, and to confirm these align with the business's own regulatory obligations before committing to an integration.
ScanDoc offers configurable data retention and processing options, including on-device processing that minimizes data leaving the user's own device, and can provide specific details on storage location and retention periods for businesses evaluating compliance with their particular regulatory requirements.
Talk to a document scanning specialist
Have a specific integration question, or want to see how this fits your onboarding flow? The ScanDoc team is happy to help.