Data Retention Policy
This policy defines how long Seedicon India Private Limited retains personal data and other data collected through the Platform, and the procedures for secure deletion. This policy applies to all data categories processed by the Platform and complies with GDPR, DPDP Act 2023, and applicable Indian laws.
1. Principles
- Data is retained only for as long as necessary to fulfil the purpose for which it was collected
- Retention periods balance operational, contractual, legal, and regulatory requirements
- Data is securely deleted or anonymised at the end of the retention period
- Users may request earlier deletion subject to legal obligations
2. Retention Schedule
Account and Profile Data
Retained for the duration of the active account plus 90 days after account deletion request, to enable account recovery. If the account is not recovered within 90 days, all personal profile data is permanently deleted.
Event Data (Organiser-created Events)
Event listings, descriptions, and configurations: retained for 3 years after the event date to support dispute resolution, payout audits, and legal claims. After 3 years, event content is deleted; anonymised aggregate statistics may be retained indefinitely.
Transaction and Payment Records
Ticket purchase records, payment references, refund records, and payout records: retained for 7 years from the transaction date, as required by Indian financial and tax regulations (Income Tax Act, GST law). Raw payment card data is never stored; only tokenised references held by Razorpay.
Attendee Registration Records
Names, email addresses, ticket types, and check-in records: retained for 2 years from the event date. After 2 years, records are anonymised and the personal identifiers are deleted.
Contact and CRM Data (Business Card Scans and Imports)
Contact records, including scanned data, voice note transcriptions, notes, and tags: retained for the duration of the organiser's active account plus 90 days post-deletion. Users can delete individual contacts at any time.
Business Card Images
Original business card images used for OCR: deleted within 24 hours of successful extraction. Extracted text data is retained per the Contact and CRM Data schedule above.
Voice Note Audio Files
Raw audio recordings: deleted within 72 hours of successful transcription. Transcription text is retained per the Contact and CRM Data schedule.
Email Marketing Data
Campaign content, recipient lists, and delivery logs: retained for 2 years from the campaign send date. Unsubscribe records are retained indefinitely to honour opt-out requests.
WhatsApp Marketing Data
Broadcast records and delivery/read receipts: retained for 1 year from the send date. Opt-out records are retained indefinitely.
System and Security Logs
Access logs, authentication events, and security audit logs: retained for 12 months. Anomaly detection logs may be retained for 24 months.
Analytics and Usage Data
Pseudonymised usage analytics: retained for 3 years. Fully anonymised aggregate analytics may be retained indefinitely.
Support and Communication Records
Customer support tickets, emails, and chat logs: retained for 3 years from last contact, then permanently deleted.
3. Deletion Procedures
At the end of a retention period:
- Structured database records are permanently deleted using secure deletion commands
- Files stored in cloud object storage (e.g., S3) are deleted using provider-certified deletion APIs
- Backup copies containing expired data are purged during the next backup rotation cycle (maximum 30 days after scheduled deletion)
- Deletion is logged in the audit trail
4. User-Requested Deletion
Users may request deletion of their account and personal data at any time via Settings or by emailing privacy@seedicon.com. Upon verified request, we will delete personal data within 30 days, except where retention is required by law (e.g., 7-year financial records). We will notify you of any data we are legally required to retain.
5. Legal Hold
If data is subject to a legal hold (e.g., litigation, regulatory investigation), normal retention schedules are suspended for the affected data until the hold is lifted, at which point standard deletion procedures resume.
6. Third-Party Sub-processor Retention
We ensure sub-processors apply comparable retention standards through contractual obligations. Specifically: OCR providers delete processed images immediately after extraction; voice transcription providers do not retain audio or transcripts beyond processing; payment processors retain transaction data per their own regulatory obligations.
7. Review
This policy is reviewed annually or upon significant changes to applicable law or business operations. Contact legal@seedicon.com with questions.