COOKIESSPACE – DATA RETENTION POLICY
Version:
2025
Effective Date:
01/01/26
Issued By:
CookiesSpace Private Limited (“CookiesSpace”)
This Policy governs the retention, archival, and deletion of Customer Data, Logs, Personal Data, and Operational Data collected or processed by CookiesSpace during the provision of IaaS/PaaS cloud services.
This Policy applies to all Customers, end-users, employees, contractors, and sub-processors engaged by CookiesSpace.
1. PURPOSE OF THIS POLICY
The purpose of this Data Retention Policy is to:
- Establish legally compliant retention timelines
- Ensure timely deletion of Customer Data
- Meet obligations under the DPDP Act, CERT-In, and other Indian laws
- Support investigations, audits, security operations, and disaster recovery
- Provide clarity and assurance to customers
2. DEFINITIONS
Customer Data – all data uploaded, stored, transmitted, processed, or generated by the customer.
Personal Data – as defined in the DPDP Act 2023.
System Logs – logs generated by infrastructure, servers, applications, or network devices.
Account Data – user profile, contact details, billing details, KYC documents.
Backup Data – system-level and customer-level snapshots, backups, or replicas.
3. PRINCIPLES OF DATA RETENTION
CookiesSpace follows these core principles:
- Data minimization – retain data only as long as necessary
- Purpose limitation – retain data only for the purpose for which it was collected
- Legal compliance – strictly follow CERT-In, DPDP Act, IT Act requirements
- Security during retention – encrypted storage and access control
- Secure disposal – cryptographic deletion when data expires
4. RETENTION SCHEDULE
4.1 Customer Account & Authentication Data
| Data Type | Retention Duration | Legal Basis / Purpose |
|---|---|---|
| Customer profile data (name, email, phone) | For active account + 12 months after closure | Legal/operational requirement |
| Authentication logs | 180 days minimum | CERT-In Direction 2(iv) |
| KYC documents (if applicable) | 5 years from account closure | RBI/Income Tax guidelines (industry standard) |
4.2 Customer Content/Data Stored in VMs, Disks, Databases
| Data Type | Retention Duration | Notes |
|---|---|---|
| VM disks, block storage, object storage | Deleted within 30 days of account closure or customer request | Customer may delete anytime |
| Snapshots / Images | 30–90 days based on user configuration | Auto-expiry supported |
| Database instances & backups | Up to 30 days, unless customer configures otherwise | Retention configurable |
4.3 System & Security Logs (Mandatory by Indian Law)
| Data Type | Retention Duration | Legal Basis |
|---|---|---|
| System logs (compute, network, API logs, flow logs) | 180 days | CERT-In 2022 |
| Application logs | 180 days | CERT-In |
| Security event logs | 180 days | CERT-In |
| Audit logs | 180 days or longer based on policy | CERT-In |
| Incident-related logs | Up to 5 years | Evidence preservation |
4.4 Billing & Financial Records
| Data Type | Retention Duration | Legal Requirement |
|---|---|---|
| Tax invoices & billing history | 8 years | Income Tax Act, GST Act |
| Payment confirmations | 8 years | GST Act |
| Refund/credit note records | 8 years | GST Act |
4.5 Support Tickets & Communications
| Data Type | Retention Duration | Purpose |
|---|---|---|
| Support chats, emails, tickets | 24 months | Auditing & service improvement |
| Call recordings (if any) | 12 months | Quality control |
4.6 Monitoring, Telemetry & Performance Data
| Data Type | Retention Duration | Purpose |
|---|---|---|
| Performance metrics | 90 days | System optimization |
| Monitoring alerts | 90 days | Operations |
| Resource usage logs | 12 months | Billing validation |
4.7 Backups
| Backup Type | Retention Duration | Notes |
|---|---|---|
| Daily backups | 7–30 days | Rolling cycles |
| Weekly backups | Up to 8 weeks | Rotation |
| Monthly backups | Up to 6 months | Disaster recovery |
| Incident-related forensic images | Up to 5 years | Legal requirement |
5. CUSTOMER-CONTROLLED RETENTION
CookiesSpace provides customers ability to:
- Delete VM disks, snapshots, buckets, DB instances
- Define custom retention policies (where supported)
- Request early deletion
Any data deleted by the customer is immediately marked for cryptographic wipe from active systems and removed from backups after the retention window.
6. DATA DELETION PROCEDURES
Deletion occurs through:
6.1 Logical Deletion
Data becomes inaccessible instantly.
6.2 Cryptographic Wipe
Encryption keys are destroyed, making data unrecoverable.
6.3 Physical Overwrite / Hardware Sanitization
Performed when:
- Storage is decommissioned
- Drives fail or are retired
- Devices leave the controlled environment
Follows NIST SP 800-88 guidelines.
7. CROSS-BORDER DATA RETENTION
If customer selects a foreign region: (Once Available)
- Data is retained and deleted according to both CookiesSpace policy and local laws of the chosen region (EU/US/Asia/ME).
- Customers remain responsible for obtaining appropriate consents.
8. DATA SUBJECT RIGHTS (DPDP Act)
CookiesSpace supports Customer obligations regarding:
- Correction
- Access
- Erasure
- Consent withdrawal
- Nominee access
Customer must raise requests through:
CookiesSpace is not required to respond to end-users directly.
9. SUSPENSION OF DELETION (LEGAL HOLDS)
If CookiesSpace receives:
- Court order
- Government request
- Law enforcement directive
- CERT-In investigation
- Data Principal grievance
Data deletion will be paused until legal clearance.
10. DOCUMENTATION & AUDIT
CookiesSpace maintains:
- Retention logs
- Evidence of deletion
- Key destruction logs
- CERT-In compliance logs
- Sub-processor retention agreements
Audit reports may be shared with Customers under NDA.
11. POLICY REVIEW
This Policy is reviewed:
- Annually
- After any major legal change (DPDP notifications, CERT-In updates)
- After any major incident
12. CONTACT
For any retention/deletion-related queries:
