Data Retention Policy
This Data Retention Policy describes how long BigBeeSec, a unit of Geethanjali Technologies, keeps personal data, and when we delete or anonymise it. It supports the Privacy Policy and the DPDP Act, 2023 principle of storage limitation: we keep personal data only as long as necessary for the purpose for which it was collected, or as required by law.
1. Retention principles
- We retain personal data for the periods below unless a longer period is required by law, by a legitimate dispute, or by an ongoing investigation.
- When a retention period ends, we delete the data or irreversibly anonymise it so it can no longer identify you.
- Backups containing personal data are retained on a rolling basis and are overwritten or deleted in the ordinary backup cycle.
2. Retention schedule
| Data category | Retention period | Trigger |
|---|---|---|
| Active account and profile data | For the life of the account | Until account deletion or institution offboarding |
| Verification documents (identity proof) | For the verification period plus 12 months, unless your institution requires otherwise | Encrypted at rest, deleted after the period |
| Consent records (terms, privacy, NDA acceptance) | Duration of the account plus 8 years | Legal evidence of consent |
| Support tickets and contact messages | 24 months after resolution | Service quality and dispute handling |
| Testimonials and blog comments | Until withdrawn or removed, or account deletion | Public content |
| Resume content | For the life of the account, or until the student deletes it | Student-controlled |
| Activity and security logs | 12 to 24 months | Security, audit, abuse prevention |
| Rate-limit and OTP records | Short-lived, typically minutes to 30 days | Security |
| Email delivery metadata | 12 months | Deliverability and abuse handling |
| Financial and tax records (if paid plans apply) | As required by Indian tax law, commonly 8 years | Statutory obligation |
| Backups | Rolling 30 to 90 day cycle | Disaster recovery |
Bracketed periods are placeholders to be confirmed with counsel and aligned to statutory requirements.
3. Deletion on request
You may request deletion of personal data that is no longer necessary, as described in the Privacy Policy. We will honour valid requests subject to legal retention obligations and legitimate interests such as fraud prevention and dispute resolution. Where we must retain some data, we will tell you which and why.
4. Offboarding
When a user is offboarded, soft deactivation marks the account inactive and revokes sessions. Hard deletion, available only to authorised administrators, first exports the user's data to a portable file, then deletes records in the correct order and logs the action.
5. Contact
Retention questions: privacy@bigbeesec.com. Grievances: see the Grievance Officer Notice.