Data Retention Policy
Effective Date: 08/12/2025 | Last Updated: 08/12/2025
1. Purpose
This Data Retention Policy outlines how VestID LLC ("we," "us," or "our") stores, retains, and deletes personal and non-personal data collected through our mobile application, website, and related services. The purpose of this policy is to ensure compliance with applicable data protection laws (GDPR, CCPA, LGPD, Mexican Data Protection Law), responsible management of personal information, and the minimization of storage of outdated, irrelevant, or unnecessary data.
2. Scope
This policy applies to all personal data collected from users, partners, and clients. It covers data stored in any form (electronic or paper) and handled by employees, contractors, and third-party service providers acting on our behalf.
3. Data Retention Principles
We follow these principles:
- Purpose Limitation: Data is only retained as long as necessary for the purposes for which it was collected.
- Data Minimization: We store the minimal amount of personal data required for business operations and legal obligations.
- Security: Retained data is protected by appropriate technical and organizational measures.
- Scheduled Deletion: Data that no longer serves a legitimate purpose is securely deleted or anonymized.
4. Retention Periods
User Account Data (name, email, profile information) is retained for the duration of the account and for an additional 12 months after a deletion request. This allows for legal compliance, fraud prevention, and potential dispute resolution.
Authentication Data (passwords, access tokens) is deleted immediately upon account closure to comply with security best practices.
NFC Tag & Product Authentication Records are kept for 5 years from the date of registration to maintain proof of authenticity and support anti-counterfeit purposes.
Analytics Data (Google Analytics, usage logs) is retained for 26 months for service improvement and statistical reporting.
Support Requests & Communications are stored for 24 months from the last contact to keep a customer service history and assist in dispute resolution.
Marketing Preferences & Consents are retained until the user withdraws consent, serving as legal proof of opt-in.
Backups are rotated every 90 days as part of disaster recovery and continuity processes.
5. Deletion & Anonymization
When a retention period expires, personal data is permanently deleted from our systems. If deletion is not technically possible, the data will be anonymized so that it cannot identify any individual. Backups are overwritten during the regular rotation schedule.
6. User Rights & Requests
Users can request access to their personal data, correction of inaccuracies, deletion of their personal data ("Right to be Forgotten"), or restriction/objection to processing.
Requests can be made through our Privacy Request Form (link in footer) or via email at privacy@vestid.co.
We will respond within the timelines required by law: one month for GDPR requests and 45 days for CCPA requests.
7. Legal & Compliance
Certain laws may require longer retention periods than those stated in this policy. In such cases, we will comply with the applicable legal requirements.
8. Review & Updates
This policy will be reviewed annually or whenever there is a change in applicable laws or our data processing practices.
VestID LLC
2140 S Dupont Hwy
Camden, DE 19934-1249
privacy@vestid.co