Data Retention & Deletion Policy

VeetFlow Technology

Last Updated: January 15, 2025

Effective Date: January 15, 2025

---

1. Introduction

This Data Retention and Deletion Policy explains how long VeetFlow Technology ("VeetFlow," "we," "us," or "our") retains your personal data and how we securely delete it when it is no longer needed. This policy applies to all users of our Services, including customers, end-users, website visitors, and waitlist subscribers.

This policy complies with applicable data protection laws, including:

• EU General Data Protection Regulation (GDPR)
• Malaysia Personal Data Protection Act 2010 (PDPA)
• California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)

---

2. Why We Retain Data

We retain personal data only for as long as necessary to:

• Provide Services: Operate our platform and deliver the services you've subscribed to
• Fulfill Contractual Obligations: Complete transactions and maintain customer relationships
• Comply with Legal Requirements: Meet tax, accounting, regulatory, and legal obligations
• Prevent Fraud and Abuse: Detect and prevent fraudulent activity and security threats
• Resolve Disputes: Handle disputes, claims, or litigation
• Improve Services: Analyze usage patterns to improve our products (using anonymized data)

We do not retain personal data longer than necessary for these purposes.

---

3. Data Retention Periods

3.1 Active Customer Accounts

Retention Period: For the duration of your active subscription or account

Data Included:

• Account information (name, email, company name)
• Subscription and billing information
• User preferences and settings
• Chatbot configurations and customizations
• Usage analytics and service logs

Why: To provide continuous service and support

---

3.2 Conversation Logs and End-User Data

Retention Period:

• Default: 12 months from the date of conversation
• Customer-Configurable: Customers can set shorter retention periods (minimum 30 days) or longer periods (up to 7 years for compliance purposes) based on their business needs

Data Included:

• Chatbot conversation transcripts
• End-user messages and interactions
• Timestamps and metadata

Why:

• To provide conversation history and analytics to customers
• To support customer service and quality improvement
• To comply with customer contractual requirements

Customer Control:

• Customers can delete conversation logs at any time through their dashboard
• Customers can configure auto-deletion policies
• End-users can request deletion through the customer (the data controller)

---

3.3 Deleted Accounts

Retention Period: 90 days after account deletion

Process:

1. Day 0 (Account Deletion Requested):

   • Account marked as "deleted" and login access disabled immediately
   • Services stop immediately
   • Data queued for deletion

2. Days 1-30 (Grace Period):

   • Data retained in case of accidental deletion or reactivation request
   • User can request account reactivation by contacting support
   • No billing during this period

3. Days 31-90 (Soft Deletion):

   • Data moved to secure, isolated storage
   • Data encrypted and access strictly limited
   • Cannot be reactivated without full data restoration process

4. Day 90+ (Permanent Deletion):

   • All personal data permanently deleted using secure deletion methods
   • Backups containing deleted data are purged on regular backup rotation cycle (within 90 days)
   • Anonymized analytics data may be retained (no personal identifiers)

Exceptions:

• Financial records retained for 7 years for tax and accounting purposes (name, transaction amount, date)
• Data required for ongoing legal proceedings or disputes retained until resolved
• Security incident logs retained for 7 years (without personal conversation content)

Deletion Confirmation: Upon request, we will provide written confirmation of data deletion

---

3.4 Waitlist Subscribers

Retention Period: 2 years from the date of sign-up, or until you convert to a paying customer

Data Included:

• Name
• Email address
• Company/business information (if provided)
• Sign-up date and source

Why: To notify you when our service becomes available and invite you to join

Deletion Options:

• Unsubscribe link in all waitlist emails (immediate removal)
• Email privacy@veetflow.com to request deletion
• Automatic deletion after 2 years if you don't convert to a customer

---

3.5 Marketing and Communication Data

Retention Period: Until you withdraw consent or unsubscribe

Data Included:

• Email addresses subscribed to marketing communications
• Communication preferences
• Email engagement data (opens, clicks)

Deletion:

• Immediate removal upon unsubscribe (via unsubscribe link or email request)
• Suppression list maintained for 90 days after unsubscribe to prevent re-subscription errors
• Then permanently deleted

---

3.6 Website Visitors and Analytics

Retention Period:

• Anonymous Analytics: 26 months (Google Analytics default)
• Session Cookies: Deleted when you close your browser
• Functional Cookies: Up to 12 months

Data Included:

• IP addresses (anonymized after 24 hours)
• Browser and device information
• Pages visited and interaction data

Why: To understand website usage and improve user experience

Your Control: You can opt out of analytics tracking via browser settings or our cookie consent banner

---

3.7 Support and Customer Service Data

Retention Period: 3 years from the last interaction

Data Included:

• Support tickets and correspondence
• Chat transcripts with support team
• Feedback and survey responses

Why: To provide consistent support and track issue resolution

Deletion: Deleted after 3 years unless ongoing support case or dispute

---

3.8 Financial and Transaction Records

Retention Period: 7 years from the date of transaction

Data Included:

• Invoice and payment records
• Billing information
• Transaction history
• Tax-related information

Why: Legal requirement for tax, accounting, and financial auditing purposes

Cannot Be Deleted Earlier: These records must be retained for 7 years to comply with tax laws and regulations in Malaysia and other jurisdictions

---

3.9 Security and Audit Logs

Retention Period:

• Access Logs: 2 years
• Security Incident Logs: 7 years

Data Included:

• Login attempts and access records
• Security events and anomalies
• System audit trails

Why: To detect security threats, investigate incidents, and comply with security regulations

Privacy Protection: Logs are reviewed and personal data minimized after incidents are resolved

---

3.10 Legal Holds and Litigation

Retention Period: Until legal matter is resolved and appeals period has expired

Data Included: Any data relevant to ongoing or anticipated legal proceedings

Why: Legal obligation to preserve evidence

Process: Legal team will notify relevant departments of litigation hold; data will be isolated and preserved

---

4. How We Delete Data

4.1 Secure Deletion Methods

We use industry-standard secure deletion methods to ensure data cannot be recovered:

Electronic Data:

• Database Records: Securely deleted using database-specific deletion commands, then overwritten
• File Systems: Multi-pass overwrite using NIST 800-88 compliant methods
• Encrypted Data: Cryptographic erasure (destroying encryption keys makes data unrecoverable)
• Cloud Storage: Secure deletion via cloud provider APIs with verification

Physical Media:

• Hard Drives: Physical destruction (shredding, degaussing) for decommissioned drives
• Paper Records: Cross-cut shredding to <4mm pieces

Backups:

• Automated Deletion: Backup retention policies automatically expire and overwrite old backups
• Encrypted Backups: Key destruction for data that must be deleted from encrypted backups

4.2 Deletion Verification

After deletion:

• Verification scans to ensure data is fully removed
• Deletion logs maintained for audit purposes (logs do not contain personal data, only confirmation of deletion)
• Certificate of destruction for physical media from certified vendors

4.3 Third-Party Processors

We ensure that third-party processors (cloud providers, sub-processors) also delete data:

• Contractual obligation to delete data upon our instruction
• Verification of deletion from third-party systems
• Data Processing Agreements include deletion requirements

---

5. Your Right to Deletion ("Right to be Forgotten")

5.1 How to Request Deletion

You have the right to request deletion of your personal data at any time. To request deletion:

Email: privacy@veetflow.com
Subject Line: "Data Deletion Request"
Include:

• Your name
• Email address associated with your account
• Account or customer ID (if known)
• Specific data you want deleted (or "all personal data")

Response Time: We will respond to your request within 30 days

5.2 What Happens After You Request Deletion

1. Verification: We verify your identity to prevent unauthorized deletion requests
2. Assessment: We review your request and determine if any exceptions apply (see below)
3. Deletion: If approved, we delete your data within 14 days of verification
4. Confirmation: We send you written confirmation of deletion
5. Third Parties: We notify any third parties who received your data to delete it as well (where applicable)

5.3 Exceptions to Deletion

We may retain data if required by law or for legitimate reasons:

We Cannot Delete Data If:

• Legal Obligation: Required to retain for tax, accounting, or regulatory compliance (e.g., financial records for 7 years)
• Ongoing Contract: Necessary to fulfill a contract or transaction with you (deleted after completion)
• Legal Claim: Needed to establish, exercise, or defend legal claims (deleted after resolution)
• Public Interest: Required for public health, scientific research, or archiving purposes (rare, and data is anonymized where possible)
• Fraud Prevention: Necessary to detect and prevent fraud (limited data retained, such as email hash to prevent re-registration with fraudulent intent)

We Will Inform You:

• If we cannot delete all your data, we will explain which data we must retain and why
• We will delete the data as soon as the legal requirement no longer applies

---

6. Automated Deletion

We implement automated processes to delete data when retention periods expire:

• Daily Jobs: Automated scripts run daily to identify and delete expired data
• Backup Rotation: Automated backup expiration and overwrite on a 90-day rolling cycle
• Monitoring: Regular audits to ensure automated deletion is functioning correctly

---

7. Data Anonymization

When possible, instead of deleting data, we may anonymize it:

Anonymization Means:

• Removing all personally identifiable information (names, emails, IDs)
• Aggregating data so individuals cannot be re-identified
• Irreversible process (cannot be reversed to identify you)

Why Anonymize:

• Allows us to retain valuable insights for product improvement
• Complies with data protection laws (anonymized data is not personal data)
• Reduces storage and privacy risks

Examples:

• Aggregate usage statistics (e.g., "1,000 users visited the pricing page") without individual identifiers
• Chatbot performance metrics without conversation content or user names

---

8. Data Portability (Before Deletion)

Before requesting deletion, you have the right to export your data:

How to Export:

• Log in to your VeetFlow dashboard
• Go to "Account Settings" > "Export Data"
• Select data categories to export (conversations, account info, usage data)
• Download in JSON or CSV format

Email Request: If you cannot access your account, email privacy@veetflow.com to request a data export

Timeframe: Data export provided within 30 days of request

---

9. Children's Data

VeetFlow's services are not directed at children under 16. We do not knowingly collect or retain personal data from children.

If We Discover Child Data:

• We will delete it immediately upon discovery
• We will notify the account holder (if different from the child)

Parent/Guardian Rights: If you believe we have collected data from a child, contact privacy@veetflow.com immediately, and we will delete it within 48 hours.

---

10. Changes to This Policy

We may update this Data Retention and Deletion Policy from time to time to reflect:

• Changes in data protection laws or regulations
• Changes in our business practices or services
• Improvements in data security and deletion technology

Notification:

• We will notify you of material changes via email at least 30 days before the changes take effect
• Updated policy will be posted at https://veetflow.com/data-retention-policy
• "Last Updated" date at the top of this policy will be revised

Your Rights After Changes:

• If you do not agree with the updated policy, you may delete your account before the changes take effect

---

11. Contact Us

If you have questions about our data retention and deletion practices, or wish to exercise your rights:

Data Protection Officer
VeetFlow Technology
Email: privacy@veetflow.com
Website: https://veetflow.com

For Deletion Requests: privacy@veetflow.com
For General Privacy Questions: privacy@veetflow.com
For Account Support: support@veetflow.com

---

12. Summary Table: Data Retention Periods

Data Type	Retention Period	Deletion Method	Your Control
Active Account Data	Duration of account	Secure deletion	Delete account anytime
Conversation Logs	12 months (default) or customer-configured	Secure deletion	Customer can delete anytime
Deleted Account Data	90 days after deletion request	Secure deletion + backup purge	Request reactivation within 30 days
Waitlist Data	2 years or until conversion	Secure deletion	Unsubscribe anytime
Marketing Communications	Until unsubscribe	Immediate removal	Unsubscribe link in emails
Analytics (Anonymous)	26 months	Automatic expiration	Opt out via browser/cookies
Support Tickets	3 years from last interaction	Secure deletion	Request deletion anytime
Financial Records	7 years (legal requirement)	Secure deletion after 7 years	Cannot be deleted earlier
Security Logs	2-7 years	Secure deletion	Cannot be deleted (security)
Legal Hold Data	Until legal matter resolved	Secure deletion after resolution	Cannot be deleted during litigation

---

End of Data Retention & Deletion Policy