Please review the following company's internal CCPA/GDPR retention stipulations:

Per the company's User Privacy Policy, paragraph 3, located at https://www.miltonscraftbakers.com/userprivacy: 

How we store your personal information.

When you provide us with your name and contact information, they are automatically recorded in a Windows server operating environment via an SQL database using an Always Encrypted Database Engine that is owned and managed by Milton's. On rare occasion, user contact information may be stored via an offline datastore (i.e., paper) and within a locked facility and only accessible by Milton’s staff. Every 90 calendar days, this offline datastore is evaluated and all records no longer in active use are shredded via an in-house cross-cut DIN Level 3-4 or better shredder. Technical infrastructure security is managed, updated, and maintained via a third-party IT Support and Cybersecurity NIST compliant firm located in San Diego, CA.

Per the company's User Privacy Policy, paragraph 20, located at https://www.miltonscraftbakers.com/userprivacy:

Subprocessors

Under GDPR guidelines, a subprocessor is any business, contractor, or organization that may have access to or processes user data on behalf of Milton’s. Milton’s requires its subprocessors to satisfy equivalent obligations as those required of Milton’s under applicable data protection laws and regulations, including but not limited to the following requirements:

• Process personal data in accordance with data controller’s documented instructions
• Implement and maintain appropriate technical and organizational measures and to protect against unauthorized access and anticipated threats or hazards to personal data.
• Promptly notify Milton’s about any actual or potential security breach affecting personal data processed on behalf of Milton’s
• Cooperate with Milton’s in responding to requests from data controllers, data subjects or data protection authorities, as applicable