Data Retention Policy
Redhorse Technologies Private Limited
Version 1.0 • Effective March 15, 2025
Introduction
This Data Retention Policy defines how Redhorse Technologies Private Limited ("Redhorse") retains, stores, and securely disposes of data in accordance with business requirements, contractual obligations, and applicable legal and regulatory expectations.
This policy supports our commitment to data protection, security, and privacy, and complements our Information Security Policy and Privacy Policy. We believe in retaining data only for as long as necessary and ensuring its secure disposal when no longer needed.
Scope
This policy applies to all personnel associated with Redhorse Technologies Private Limited, including employees, founders, contractors, and temporary staff. It governs all customer data, employee and contractor information, and business records processed or stored by Redhorse across all systems, applications, databases, logs, and backups, whether managed directly or through approved third-party service providers.
Data Classification
Data retained by Redhorse is classified into the following categories to ensure appropriate handling and retention practices:
Customer Data encompasses all information provided by customers or generated through their use of Redhorse services, including account information, application bundles, configuration data, and usage analytics.
Operational Data includes system logs, audit trails, security logs, and monitoring data generated by our infrastructure and applications in the course of normal operations.
Employee and Contractor Data consists of human resources information, onboarding documentation, and records related to personnel engaged by Redhorse.
Business Records comprise contracts, invoices, financial records, and internal documentation necessary for business operations and compliance.
Retention requirements vary based on data classification, sensitivity level, and legitimate business need.
Retention Principles
Redhorse adheres to the following core retention principles to ensure responsible data management:
Data is retained only for as long as necessary to fulfill legitimate business, contractual, or legal purposes. We do not retain data beyond its useful life without clear justification.
Retention periods are defined based on data type, sensitivity, and operational requirements. These periods are reviewed periodically and adjusted as business needs evolve.
Data that is no longer required is securely deleted or anonymized using industry-standard methods to prevent unauthorized recovery.
Access to retained data is restricted based on the principle of least privilege, ensuring only authorized personnel can access sensitive information.
Retention Periods
Unless otherwise required by law, regulation, or contract, Redhorse follows the retention guidelines outlined below.
Customer Data
Customer data is retained for the duration of the active customer relationship. Upon contract termination or account closure, customer data is deleted or anonymized within 30 to 90 days, unless longer retention is required to satisfy legal obligations, resolve disputes, or complete billing processes.
Customers may request earlier deletion subject to applicable legal and contractual constraints.
Operational Logs
Security logs, access logs, and operational monitoring data are retained for 30 to 180 days depending on system requirements and the nature of the data. These logs support troubleshooting, security monitoring, incident investigation, and compliance verification.
Logs containing sensitive information are subject to access controls and are purged automatically upon reaching their retention limit.
Backups
Encrypted backups of critical systems and data are retained for 30 to 90 days. Backup retention follows automated rotation schedules, with older backups securely deleted as new backups are created. All backup data is encrypted at rest using cloud-provider encryption mechanisms.
Employee and Contractor Data
Personnel data is retained for the duration of the employment or engagement relationship and for a reasonable period thereafter to meet legal, tax, audit, or compliance obligations. Specific retention periods comply with applicable labor and tax regulations.
Business Records
Contracts, financial records, invoices, and related business documentation are retained in accordance with applicable legal and regulatory requirements, which may extend beyond the active business relationship.
Secure Deletion and Disposal
When data reaches the end of its retention period, Redhorse ensures secure disposal through industry-standard practices. Data is deleted using cloud-provider-approved deletion mechanisms that prevent unauthorized recovery. Backups are automatically rotated and securely overwritten according to defined schedules.
For any physical storage media requiring disposal, secure destruction practices are followed to ensure complete and irreversible data removal.
Customer Data Deletion Requests
Upon contract termination or receipt of a valid customer deletion request, Redhorse initiates the data deletion process. Customer data is deleted or anonymized within the defined retention window, typically 30 to 90 days.
Deletion requests are subject to any legal, regulatory, or contractual hold requirements that may necessitate extended retention. Customers may request written confirmation of deletion where applicable and permitted by law.
Legal and Regulatory Holds
If Redhorse becomes subject to legal, regulatory, or contractual obligations requiring extended data retention, such as litigation holds, regulatory investigations, or audit requirements, relevant data will be preserved until the obligation is fully satisfied.
During hold periods, access to preserved data remains strictly controlled and monitored, and normal deletion schedules are suspended for affected data only.
Third-Party Service Providers
Redhorse partners with reputable third-party service providers for cloud infrastructure, backup services, and operational tooling. Data retention and deletion processes rely on provider-supported mechanisms that meet our security and compliance requirements.
All third-party providers are evaluated for their security practices, data handling capabilities, and compliance certifications before engagement.
Payment processing is handled exclusively by PCI DSS-compliant providers, including Razorpay, PayPal, and Paddle. Redhorse does not store, process, or transmit payment card data directly.
Policy Review and Updates
This Data Retention Policy is reviewed at least annually or upon significant changes to business operations, systems, organizational structure, or regulatory requirements. Updates are approved by management and communicated to all relevant personnel.
Related Policies
- Information Security Policy
- Privacy Policy
- Service Level Agreement
- Business Continuity Plan
- Risk Management Policy
Contact Us
If you have questions about this Data Retention Policy or wish to submit a data deletion request, please contact us.