Data Retention & Deletion Policy
Effective Date: 25 March 2026 | Last Updated: 25 March 2026
This Data Retention & Deletion Policy outlines how SecNinjaz retains and disposes of personal data and service data in compliance with Section 8(7) of the Digital Personal Data Protection Act, 2023 and Rule 5 of the DPDP Rules, 2025, which mandate erasure of personal data when the specified purpose is no longer being served or consent is withdrawn.
1. Guiding Principles
- Purpose Limitation — Data is retained only as long as it serves the specific purpose for which it was collected.
- Minimization — We collect the minimum data necessary and delete it at the earliest opportunity.
- Automation — Deletion is automated, not dependent on manual processes.
- Irreversibility — Deleted data cannot be recovered. There are no backups or archives of personal data after deletion.
- Transparency — Retention periods are clearly communicated and consistently enforced.
2. Retention Schedule
2.1 Vulnerability Assessment Tool Data
| Data Category | Examples | Retention Period | Deletion Method |
|---|---|---|---|
| Email Address | user@domain.com | 144 hours (6 days) from submission | Automated purge job; encrypted records deleted from PostgreSQL |
| IP Address | Client IP (encrypted) | 144 hours (6 days) from submission | Automated purge job; encrypted records deleted from PostgreSQL |
| User-Agent String | Browser identifier | 144 hours (6 days) from submission | Deleted with parent submission record |
| Domain / Target URL | https://example.com | 144 hours (6 days) from submission | Deleted with parent submission record |
| Domain Verification Tokens | securescan-verify-abc123 | 144 hours (6 days) from submission | Deleted with parent submission record |
| OTP (One-Time Password) | 8-character code (hashed) | 10 minutes | Auto-expired in Redis; hash deleted on verification |
| Email Verification Token | Session verification token | 30 minutes | Auto-expired in Redis |
| Session Token | UUID-based identifier | Until browser tab is closed + 72 hours server-side | Browser: cleared on tab close; Server: auto-expired |
| Scan Results & Findings | Vulnerability details, CVSS scores, CVEs | 144 hours (6 days) from scan completion | Cascade-deleted with parent submission |
| Generated Reports | Executive summaries, remediation steps | 144 hours (6 days) from generation | Cascade-deleted with parent submission |
| Scan Schedules | Recurring scan configurations | Until user cancels or 144 hours after last associated submission | Deleted with parent submission |
| Application Logs | PII-masked request logs | 30 days | Rotated and purged automatically |
2.2 Report Accessibility Timeline
Time 0 : Scan completes, report generated | | [Active Access Period - 72 hours] | Report accessible via session token | Report can be exported (JSON/Markdown/PDF) | Hour 72 : Report access expires (HTTP 410 Gone) | | [Grace/Cleanup Period - 72 hours] | Data awaiting automated deletion | No access possible | Hour 144 : ALL DATA PERMANENTLY DELETED | | [Nothing remains]
3. Automated Deletion Process
3.1 Background Cleanup Job
- A server-side background job runs every 6 hours.
- It identifies all submissions older than 144 hours.
- It performs cascade deletion: submission + all associated scans, findings, reports, and schedules.
- Encrypted PII fields (email, IP address) are deleted along with their encryption keys.
- Redis entries (OTPs, verification tokens, session data) auto-expire based on their configured TTL.
3.2 Deletion Verification
- Each cleanup run is logged in the application audit log (with PII-masked references).
- The cleanup job records the count of deleted submissions, scans, and reports.
- No personal data is retained in logs — all PII is masked before logging.
4. On-Demand Deletion (Data Erasure Requests)
In compliance with Section 12(2) of the DPDP Act, you may request immediate deletion of your personal data before the automated retention period expires.
How to request:
- Email dpo@secninjaz.com with the subject "Data Erasure Request."
- Provide the email address and/or domain associated with your submission for identification purposes.
- We will process your request within 72 hours.
- You will receive confirmation once deletion is complete.
What gets deleted:
- Your email address and all encrypted PII
- Domain and target URL records
- All scan results, findings, and reports
- All verification tokens and session data
- All associated log entries are purged or rendered non-identifiable
5. Data That Is NOT Retained
We explicitly do not maintain:
- Backups of personal data — There is no backup retention after the 144-hour lifecycle.
- Shadow copies or archives — No data is moved to cold storage or archives.
- Aggregated personal data — We do not create aggregate datasets from personal data.
- Third-party copies — We require our Data Processors to delete personal data in accordance with our retention schedule.
6. Exceptions to Retention Schedule
Data may be retained beyond the standard retention period only if:
- Legal obligation — Required by an order of the Data Protection Board of India, a court, or under applicable Indian law.
- Active legal proceeding — Data is relevant to an ongoing legal dispute or investigation.
- Active security incident — Data is needed for investigation of a confirmed security breach.
In such cases:
- Only the minimum necessary data is retained.
- Retention is limited to the duration required by the legal obligation.
- The Data Protection Officer oversees and documents the extended retention.
- The affected Data Principal is notified where legally permissible.
7. Third-Party Data Processor Retention
Our Data Processors are contractually required to:
- Process personal data only for the purposes specified by SecNinjaz.
- Delete or return personal data upon completion of the service or upon our instruction.
- Not retain copies of personal data beyond what is strictly necessary for service delivery.
- Comply with the same retention timelines outlined in this policy.
8. Contact
For questions about data retention or to request data deletion:
- Data Protection Officer: dpo@secninjaz.com
- Website: https://secninjaz.com
This Data Retention & Deletion Policy was last reviewed and published on 25 March 2026.