You must not keep personal information obtained from your content moderation activities for longer than you need it. There are no set time limits in data protection law because it depends on your situation and your purposes for processing the information. You must not hold personal information indefinitely, ‘just in case’ it might be useful in the future.
If you are using a third party, you should be clear in your contractual agreement about what personal information they retain and for how long. Third-party providers must be limited in the information they retain to what is necessary. This will vary depending on the service they provide. For example, a third-party moderation service that provides an AI-based classification tool may not need to retain information for longer than it takes to analyse the content. However, a third-party provider that is managing user appeals may need to keep information for longer to allow them to deliver their service.
You should review your retention periods regularly, and erase or anonymise personal information when you no longer need it.
You may also have to follow other laws that set out how long you need to keep certain information for.