Data Retention Policy

Redhorse Technologies Private Limited

Version 1.1 • Effective March 11, 2026

Introduction

This Data Retention Policy defines how Redhorse Technologies Private Limited retains, stores, and securely disposes of data in accordance with business requirements, contractual obligations, and applicable legal and regulatory expectations.

This policy supports our commitment to data protection, security, and privacy. We believe in retaining data only for as long as necessary and ensuring its secure disposal when no longer needed.

Scope

This policy applies to production system data, application logs, security and infrastructure logs, analytics and telemetry data, incident records, backup data, and internal business records related to Stallion operations. End-user device data is outside the scope of this policy.

Data Classification and Retention Periods

We retain data according to defined minimum retention periods based on data type and business requirements.

Security and infrastructure logs, access logs, audit logs, and infrastructure logs maintained within centralized logging and monitoring systems are retained for a minimum of 30 days and a maximum of 90 days. These logs support security monitoring, operational troubleshooting, and incident investigation.

Application-level logs used for debugging, reliability monitoring, and service analysis are retained for a minimum of 30 days.

Analytics and SDK telemetry data stored within Company-managed analytics environments are retained for a minimum of 12 months, unless operational or contractual requirements justify longer retention.

Incident reports and related investigation documentation are retained for a minimum of 3 years from the date of closure.

Backup retention periods are defined in the Data Backup Policy and currently include hourly backups retained for 7 days, daily backups retained for 7 days, and weekly backups retained for 4 weeks. Backup retention settings are configured at the infrastructure level.

Customer-related configuration and operational data is retained for the duration of the active service relationship. Upon termination of service, customer data is deleted or rendered inaccessible within a reasonable operational timeframe, unless retention is required for legal or contractual purposes.

Data Disposal

Where retention periods expire and data is no longer required, we ensure secure disposal using industry-standard methods.

Electronic data is disposed of using logical deletion through system-level deletion controls, permanent deletion using platform-supported data purge mechanisms, secure overwrite mechanisms where supported, and cryptographic erasure by deletion of encryption keys where applicable. Access to expired data is revoked prior to or at the time of deletion.

Where automated lifecycle management capabilities are available, they are configured to enforce defined retention periods and trigger deletion automatically. Data disposal actions that materially impact production systems are logged or otherwise auditable where supported by the platform.

Although we operate as a remote-first, cloud-native organization, if physical records or storage media containing Company or customer data are created, they must be securely disposed of using cross-cut shredding of paper records, secure destruction of storage media, or permanent sanitization of reusable media prior to reuse. Physical records containing confidential information must not be disposed of in regular waste.

Legal and Contractual Requirements

If legal, regulatory, or contractual obligations require extended retention, such requirements take precedence over the standard retention periods defined in this policy. During hold periods, access to preserved data remains strictly controlled and monitored, and normal deletion schedules are suspended for affected data only.

Responsibilities

The Information Security Officer is responsible for overseeing adherence to defined retention periods, reviewing retention settings periodically, and updating retention requirements upon operational or regulatory change. Authorized Personnel must handle data in accordance with this policy.

Policy Review and Updates

This policy is reviewed periodically and updated when necessary to reflect changes in our systems, data practices, or regulatory obligations. Reviews are conducted at least annually or upon significant operational, technical, or regulatory change.

Related Documents

• Information Security Policy
• Privacy Policy
• Information Security Policy (includes backup policies)
• Business Continuity Plan
• Risk Management Policy

Contact Us

If you have questions regarding this policy or wish to submit a data deletion request, please contact us at:

support@stalliontech.io