Simple answer: **you can keep the student’s own essay and SHEP’s feedback for as long as your Terms/Privacy Policy disclose and as long as you have a legitimate product reason.** For this product, I would use a conservative default: **Keep the student’s own essay and feedback until 30 days after the relevant bar exam, unless the student deletes it earlier or affirmatively saves/exports it.** For July 2026, that means a default expiration around **August 31, 2026**. For February 2027, around **March 31, 2027**. The thing I would **not** keep by default is the uploaded question/prompt or the generated prompt-specific packet. Your current spec already draws that line: store limited feedback, but delete the uploaded prompt and prompt-derived packet or keep them locally only. ## Clean retention rule Use this: | Item | Keep? | Recommended retention | | --------------------------------------------- | ------------: | ----------------------------------------------------------------- | | Student’s written answer | Yes | Until 30 days after exam date | | SHEP feedback on that answer | Yes | Until 30 days after exam date | | Score band / issue tags / performance metrics | Yes | Until 30 days after exam date, or longer if anonymized/aggregated | | Uploaded question/prompt | No by default | Runtime only; max 24 hours if needed for recovery | | Generated prompt-specific packet/rubric | No by default | Runtime only; max 24 hours | | Local browser saved packet | Optional | User-controlled | | Backend saved prompt/packet | Avoid for MVP | Only if user affirmatively saves; expire by default | ## How retries should work There are two different retry models. ### Better model: retry from saved session shell For a user-uploaded prompt, store only a “session shell”: ```json { "essay_session_id": "sess_123", "user_id": "user_456", "source_mode": "user_uploaded_prompt", "subject": "Contracts", "issue_tags": ["formation", "consideration", "breach"], "student_answers": ["attempt_1", "attempt_2"], "feedback_ids": ["fb_1", "fb_2"], "stored_prompt": false, "stored_prompt_packet": false, "expires_at": "2026-08-31T23:59:59-04:00" } ``` If the student wants to retry, they can reopen the session page and either: 1. paste/upload the prompt again; or 2. use a local-browser saved prompt/packet if they chose to save locally. That is legally cleaner because SHEP does not need to keep the uploaded question. ### More convenient model: user-private saved prompt If you want the student to click “Retry this essay” without reuploading anything, then you need to save enough of the prompt or prompt-packet to recreate the exercise. That is more convenient, but higher risk. I would only allow it as an explicit user choice: “Save this prompt privately so I can retry later.” Then apply: ```text Private to user only Not searchable by other users Not reused by SHEP Not used for training/evals Deletable anytime Expires by default 30 days after the exam Subject to takedown policy ``` If you store user-uploaded materials, you should treat it like user-directed storage and have DMCA mechanics in place. Section 512 has a safe-harbor framework for material stored “at the direction of a user,” but it depends on conditions like notice-and-takedown and repeat-infringer policies. ([Davis Wright Tremaine][1]) ## The best UX compromise Use this product flow: After grading, show: **Save for retry?** Options: 1. **Do not save prompt** “We’ll keep your answer and feedback, but you’ll need to paste the prompt again to retry.” 2. **Save locally in this browser** “The prompt/packet is saved on this device only.” 3. **Save privately to my account until exam day + 30 days** “This lets you retry later from any device. SHEP will not reuse it, train on it, or add it to any shared question bank.” Default should be **Option 1** or **Option 2**, not backend prompt storage. ## Why this line matters The student’s own answer is their own content. Your feedback is SHEP-generated feedback about their performance. Those are much safer to keep than the uploaded question or a generated answer packet. The uploaded prompt may contain NCBE, California, commercial course, professor, or tutor content. NCBE’s terms specifically identify examinations, study aids, sample questions, model analyses, and point sheets as protected content and restrict copying, modification, distribution, and derivative works. ([NCBE][2]) So the conservative architecture is: keep the learning record, not the source prompt or answer key. Also, do not forget provider retention. If an LLM provider or tracing tool stores the prompt, your product promise must account for that. OpenAI’s data controls say Responses API application state has 30-day retention by default and background mode stores response data for roughly 10 minutes to enable polling; Anthropic describes Zero Data Retention as not storing customer data at rest after the API response, subject to exceptions. ([OpenAI Developers][3]) ## My recommendation For MVP, implement this: ```text Student answer: keep until exam + 30 days. SHEP feedback: keep until exam + 30 days. Prompt text: do not keep by default. Prompt packet: do not keep by default. Retry: require reupload, or allow local browser save. Backend retry save: optional, explicit, private, deletable, expires exam + 30 days. ``` So the simple rule is: **Keep the student’s essay and your feedback for the bar-prep season. Do not keep the uploaded question unless the student expressly asks you to save it for retry, and even then expire it by default.** [1]: https://www.dwt.com/insights/2017/04/ninth-circuit-holds-website-can-lose-dmca-safe-har?utm_source=chatgpt.com "Ninth Circuit Holds Website Can Lose DMCA Safe Harbor ..." [2]: https://www.ncbex.org/website-terms-use?utm_source=chatgpt.com "Website Terms of Use" [3]: https://developers.openai.com/api/docs/guides/your-data?utm_source=chatgpt.com "Data controls in the OpenAI platform"