TAG Vault

Data Retention & Deletion Policy

Effective 2026-04-25 · Version 1.0 · Operator: TAG Projects (operated by VTAG Software Private Limited)

This Policy explains, by category, how long TAG Vault keeps each type of data, why we keep it, and what happens when the retention period ends. It complements our Privacy Policy (which states the headline values) and our Data Processing Addendum (which governs deletion of business-customer data on contract termination).

1. About this Policy

This Data Retention & Deletion Policy (“Policy”) explains how long TAG Vault retains personal data and document data, the lawful basis for each retention period under the Digital Personal Data Protection Act, 2023 (“DPDP Act”) and related Indian law, and how data is disposed of at end of retention.

The Policy gives operational effect to:

  • §8(7) DPDP Act — the duty to erase personal data once the purpose is served or consent is withdrawn, except where retention is required for compliance with law
  • §8(10) DPDP Act — the duty to erase personal data after a prescribed period of non-engagement
  • §7(c) read with the proviso to §8(7) of the DPDP Act — the master citation for legal-obligation retention of sealed PDFs and audit logs
  • Rule 13 of the Digital Personal Data Protection Rules, 2025 (notified 13 November 2025) — response timelines for Data Principal rights

Scope. This Policy applies to all personal data processed by TAG Vault as a Data Fiduciary, and to all document content stored on the platform. It applies regardless of whether you have a free or paid account, and regardless of whether your account is open or closed.

Effective date: 2026-04-25. Version: 1.0.


2. Our retention principles

Five principles govern every retention decision on TAG Vault.

  1. Necessity. We retain data only for as long as it is needed for the documented purpose, or as required by Indian law. We do not keep data “just in case”.
  2. Specificity. Every category in this Policy has a defined retention period stated in days, months, or years. We do not use vague phrases such as “as long as necessary”.
  3. Tamper-evidence priority. Sealed legal records (your signed PDFs and certificates of completion) are retained immutably for ten years from the date of sealing, irrespective of whether your account is later closed. This rests on §7(c) and §8(7) proviso DPDP Act read with Limitation Act, 1963 ceilings, and is implemented through AWS S3 Object Lock COMPLIANCE retention.
  4. User self-service. Account-level data is user-deletable, subject to the legal-retention exceptions described in section 9 of this Policy.
  5. Cryptographic erasure on schedule. When a retention period ends, we destroy data irreversibly. In a cloud environment, this is achieved by deleting the row, expiring the S3 object, and where applicable destroying the KMS data-encryption key so any backup ciphertext is rendered unreadable.

3. Retention schedule

The following table is the authoritative retention schedule for TAG Vault. The headline values stated in our Privacy Policy summarise this table; in case of any apparent inconsistency, this table prevails.

| Data category | Retention | Lawful basis | Disposal mechanism |
|---|---|---|---|
| Sealed PDFs (signed envelopes) + certificate-of-completion | 10 years from sealing | §7(c) + §8(7) proviso DPDP Act (legal-obligation retention); Limitation Act 1963 Articles 54/55/64/65/113 (3y to 12y windows for property-related disputes) | S3 Object Lock COMPLIANCE auto-expiry → permanent S3 delete |
| Audit log (signing-ceremony events, state changes) | 7 years from event | §7(c) + §7(h) DPDP Act; Companies Act 2013 §128; Income-Tax Act §44AA / Rule 6F | Manual review at 7y; cryptographic erasure of qualifying entries |
| Account profile (post-account-closure) | 90 days from closure | §6 DPDP Act (consent expired); §8(7) erasure obligation | Cryptographic erasure |
| Authentication credentials (post-account-closure) | 30 days from closure | §7(h) DPDP Act safety + fraud detection | Cryptographic erasure |
| Notification logs (email/WhatsApp delivery) | 13 months from event | §7(h) DPDP Act; TRAI TCCCPR 2018 logging requirements | Cryptographic erasure |
| Security event logs (failed logins, IP anomalies) | 12 months from event | §7(h) + §8(5) DPDP Act (reasonable-security obligation) | Cryptographic erasure |
| Refresh-token sessions | 90 days post-expiry | §7(h) DPDP Act safety | Cron-based erasure (session.cleanup) |
| Magic links (signing tokens) | 90 days post-consume / invalidate / expire | §7(h) DPDP Act safety | Cron-based erasure (magic-link.cleanup) |
| Pending uploads (not registered to envelope) | 24 hours | §6 DPDP Act (consent uncompleted) | S3 lifecycle (auto-expire) |
| Inflight uploads (envelopes still open) | Until terminal status; then 30 days | §6 DPDP Act + service performance | doc.archive cron after 30d terminal |
| Daily pg_dump backups (MVP only — Phase 2b moves to RDS automated snapshots) | 30d Standard → 11mo Glacier Deep Archive → expire (12 months total) | §7(h) DPDP Act + recovery + RPO commitment | S3 lifecycle on tag-vault-db-backups |
| Grievance tickets | 5 years from ticket closure | §13 DPDP Act + business records | Cryptographic erasure |
| Billing & invoices (when paid plans launch) | 8 years from invoice | Income-Tax Act §44AA | Cryptographic erasure |
| Cookies (tag_vault_refresh) | 30 days TTL | §7(a) DPDP Act | Browser-side TTL expiry; server-side rotation on each use |

4. Why ten years for sealed PDFs

The ten-year retention on sealed PDFs is the longest period in this Policy and deserves a plain-English explanation.

A real-estate document signed on TAG Vault may give rise to a legal claim long after it is signed. The Limitation Act, 1963 sets the outer windows within which such claims can be brought:

  • Article 54 — three years for specific performance of a contract, from the date fixed for performance
  • Article 55 — three years for compensation for breach of contract, from when the contract is broken
  • Article 64 — twelve years for possession of immovable property based on prior possession, from the date of dispossession
  • Article 65 — twelve years for possession of immovable property based on title, from when the defendant’s possession becomes adverse
  • Article 113 — three years residuary, from when the right to sue accrues; in cases involving fraud or mistake, time runs from discovery (§17 Limitation Act)

A ten-year retention covers the ordinary universe of contract and possession disputes with a margin for the §17 Limitation Act discovery rule, while the registered SRO record (which TAG Vault does not control) remains the primary evidence for the longest-tail Article 64/65 claims.

S3 Object Lock COMPLIANCE. Sealed PDFs are written to AWS S3 with Object Lock in COMPLIANCE mode for ten years. Under that mode, neither TAG Vault employees nor the AWS root user can delete or overwrite the object during the retention window. This is a deliberate platform commitment: it makes the sealed PDF as resistant to tampering and to insider deletion as cloud infrastructure currently allows. The lawful basis for this retention is §7(c) read with the proviso to §8(7) of the DPDP Act (legal-obligation retention); it is not subject to consent withdrawal under §6.


5. Why seven years for the audit log

Seven years on the audit log is calibrated against three Indian-law tracks:

  • Companies Act, 2013 §128 — eight years for books of account where the user signs documents on behalf of an Indian company; we set seven so as not to under-retain for the four-year residual after Income-Tax Act preservation
  • Income-Tax Act §44AA read with Rule 6F — six years preservation for books of account
  • Limitation Act, 1963 — three-year contract claims with §17 discovery rule buffer

Seven years is the operating point that satisfies these tracks while not over-retaining beyond what the audit log’s purpose (forensic integrity, dispute resolution under §7(c) and §7(h) DPDP Act) requires.


6. Retention beyond account closure (legal-obligation carve-out)

When you close your TAG Vault account, TAG Vault will continue to retain the sealed signed PDFs and the audit logs for the periods stated in section 3, in reliance on §7(c) read with the proviso to §8(7) of the DPDP Act (processing necessary as a legal obligation) and on Limitation Act, 1963 ceilings. This is necessary to protect you, the other parties to your documents, and TAG Vault from later-arising claims relating to the documents you signed.

In plain English: you may close your account, but the documents you have already signed cannot be erased on demand. They sit untouched in immutable storage until their ten-year window ends.


7. Litigation hold

Where a dispute, regulatory inquiry, court order, or formal pre-litigation notice requires preservation of data beyond the standard schedule, TAG Vault will place the affected records on a “litigation hold”. During the hold:

  • Retention periods that would otherwise have expired are extended for the duration of the hold (basis: §17(1)(a) DPDP Act — processing necessary for enforcement of any legal right or claim)
  • Cryptographic erasure of held records is suspended
  • Access is restricted to legal-team review
  • The user is notified that a hold has been placed, except where notification is unlawful or where the hold itself instructs us not to notify (e.g. a court direction under §65 BSA / §175 of the Bharatiya Nagarik Suraksha Sanhita, 2023 (“BNSS”) (formerly §165 of the Code of Criminal Procedure, 1973), or a regulator’s standing direction)

The hold is lifted, and ordinary disposal resumes, when the underlying matter is closed.


8. End-of-retention disposal

Disposal on TAG Vault is handled by four mechanisms, which are cloud-native equivalents of physical-disk destruction:

  1. S3 Object Lock COMPLIANCE auto-expiry. When the ten-year window ends on a sealed PDF, the object is permanently deleted by AWS lifecycle action. There is no recovery path.
  2. Database row deletion. Records in PostgreSQL are deleted via Prisma operations, and the daily VACUUM operation reclaims the underlying storage.
  3. Cryptographic erasure. Where ciphertext exists in any tier (database, S3 object, backup), destroying the corresponding KMS data-encryption key renders that ciphertext unreadable. We use this mechanism for backup-tier data and for any data we cannot directly delete row-by-row in real time.
  4. Backups. Daily database backups are within the lifecycle expiry window (30 days S3 Standard → 11 months Glacier Deep Archive → expire). At Phase 2b, this transitions to AWS RDS automated snapshots which will follow the same schedule.

9. User-initiated deletion (DPDP §12)

Section 12 DPDP Act gives you a right to seek correction, completion, updating, and erasure of your personal data. On TAG Vault, that right works as follows.

You can self-delete:

  • Your account profile (after the 90-day closure grace period elapses, the profile is permanently erased)
  • Your notification preferences and contact endpoints
  • Your optional MFA enrolment and backup codes
  • Your marketing-communications consent (you may withdraw this at any time)

You cannot delete (legal-obligation carve-out):

  • Sealed PDFs you have signed — these are retained for ten years from the date of sealing
  • Audit-log entries in which you appear — these are retained for seven years from the event date
  • Any record under an active litigation hold — retention is extended for the duration of the hold

Mechanism. A self-service DELETE /v1/users/me endpoint is on the Phase 2a roadmap. On request, TAG Vault triggers a 30-day soft-delete grace period (during which you may reverse the deletion by signing in), followed by a hard delete that cascades to all non-sealed-document tables. You will receive a confirmation email when deletion completes, and an audit-log entry will be written to record the action.

Where a field is not self-editable, write to dpo@brikbond.com. We respond within 30 days for access requests under §11 DPDP Act, and within 7 business days for correction requests under §12.


10. Right to access (DPDP §11)

You may request a JSON export of all personal data we hold about you by writing to dpo@brikbond.com. The first request in a calendar year is free. We respond within 30 days per Rule 13 of the DPDP Rules, 2025. See the Privacy Policy for the full request workflow.


11. Right to correction (DPDP §12)

You may correct most profile fields directly from your account settings. For fields not self-editable (legal name on signed documents, organisation registration details, audit-log corrections), write to dpo@brikbond.com. We action correction requests within 7 business days. See the Privacy Policy for the request workflow.


12. Sub-processor retention alignment

Our sub-processors retain data only as long as needed to provide their services. The retention periods in section 3 are enforced as follows:

  • AWS S3 — S3 lifecycle rules and Object Lock retention configurations enforce this Policy automatically. Once a sealed-PDF Object Lock window ends, AWS deletes the object; once a backup tier expires, AWS deletes it.
  • AWS RDS (Phase 2b) — automated snapshots will be configured to follow this Policy at Phase 2b cutover.
  • Meta WhatsApp Business Cloud API — phone-number metadata and delivery receipts are processed in Meta’s global infrastructure, with retention per Meta’s own published retention. That retention runs separately from TAG Vault’s; deleting your account on TAG Vault does not by itself purge metadata held at Meta.

For the full sub-processor list and roles, see the Data Processing Addendum.


13. Review and updates

This Policy is reviewed annually and on any material change to:

  • The DPDP Act or DPDP Rules
  • The Limitation Act, 1963 or any sectoral retention requirement (Companies Act, Income-Tax Act, TRAI rules)
  • Our sub-processor retention practices

Where a material change affects users, we notify users by email at least 30 days in advance of the change taking effect.


14. Contact

For questions about this Policy or to exercise your retention-related rights:

Grievance Officer
Vijay Sivanjan
TAG Projects (operated by VTAG Software Private Limited)
Karnataka, India
Email: grievance@brikbond.com

You may also escalate to the Data Protection Board of India under §27 DPDP Act if you are not satisfied with our response within 30 days.


Last updated 2026-04-25. Earlier versions available on request at privacy@brikbond.com.