PII classification and offboarding auto-purge

Every employee record is flagged `data_classification=pii`. On HRIS offboard, the record enters a 90-day grace window, then auto-purges, leaving only anonymized aggregate stats.

Why PII classification

Employee data, name, work email, manager, department, is more sensitive than influencer profile data because the employer-employee relationship carries legal weight (employment law, GDPR Article 88 specifics, etc.). Flagging records as PII triggers stricter retention + purge rules automatically.

The retention timeline

Active → Offboard (HRIS sync flips status)
            ↓
        90-day grace (rehires preserved)
            ↓
        Auto-purge (irreversible)
            ↓
        Anonymized aggregate retained for reporting

What’s purged

Name, work email, manager, department
Personal social handles (LinkedIn, X tokens revoked, handle removed)
Direct contact info

What’s retained (anonymized)

Total post shares (as an integer)
Total reach delivered (anonymized)
Tenure-band (e.g. “1-3 years”), without dates

This lets long-term reporting continue (“employees have generated 1.2M impressions in 2026”) without identifying anyone.

Manual early purge

If an employee requests immediate erasure (GDPR Article 17 right to be forgotten), HR Manager triggers manual purge from the employee record. Bypasses the 90-day grace.