TrustSaathi

Data Retention Policy

TrustSaathi

Last Updated: 20/02/2026

1. Introduction

This Data Retention Policy (“Policy”) describes how TrustSaathi (“Company”, “we”, “our”, or “us”) retains, archives, anonymizes, and deletes personal data collected through its digital verification platform.

This Policy forms an integral part of and must be read together with our Privacy Policy and Terms of Service.

TrustSaathi is committed to retaining personal data only for as long as necessary to fulfill the specific purposes for which it was collected, to comply with applicable law, to prevent fraud, and to resolve disputes. We do not retain personal data indefinitely without lawful justification.

2. Legal and Regulatory Basis

This Policy is designed to comply with applicable Indian law, including the Digital Personal Data Protection Act, 2023, and other relevant statutory and regulatory requirements.

In accordance with the principles of purpose limitation and storage limitation, personal data is retained only:

  • For the duration necessary to provide identity verification and court record screening services;
  • To meet compliance, tax, accounting, and audit obligations;
  • To protect the legal rights and interests of the Company;
  • To respond to lawful requests from competent authorities.

Where consent forms the basis of processing, retention shall not extend beyond the period reasonably required to fulfill the stated purpose, unless otherwise required by law.

3. Categories of Data and Retention Periods

TrustSaathi collects and processes different categories of data. Retention periods vary depending on the nature of the data, its purpose, and applicable legal requirements.

3.1 Identity and Authentication Data

This includes name, date of birth, Aadhaar authentication tokens (where applicable and compliant), PAN (if provided), address details, OTP verification confirmation records, and live photo capture used for verification.

Such data is retained only for the operational period necessary to:

  • Complete the verification process;
  • Generate the verification report;
  • Maintain an audit trail of consent and authentication.

Unless required for dispute resolution, fraud prevention, or legal compliance, identity artifacts are retained for a limited operational period not exceeding twelve (12) months from the date of verification completion. Thereafter, such data may be securely deleted or irreversibly anonymized.

3.2 Consent Records

Records evidencing user consent, including OTP confirmation logs, timestamps, IP logs, and participation records, are retained for a longer period than identity artifacts in order to:

  • Demonstrate lawful processing;
  • Defend against disputes or misuse allegations;
  • Comply with statutory record-keeping obligations.

Consent records may be retained for up to five (5) years from the date of verification, unless extended due to legal proceedings, regulatory requirements, or active disputes.

3.3 Verification Reports

Structured verification reports generated through public court record screening are retained to:

  • Allow user access for a reasonable duration;
  • Maintain compliance documentation;
  • Address potential disputes.

Verification reports may be retained for up to five (5) years unless earlier deletion is requested and legally permissible.

TrustSaathi does not guarantee perpetual availability of historical reports.

3.4 Public Court Record Data

Public court case data accessed and structured for reporting purposes is derived from publicly available sources. While such information remains public in nature, TrustSaathi retains only the structured report version for the duration specified above. Raw data extracts are not retained beyond operational necessity.

3.5 Payment and Tax Records

Payment transaction records, invoices, and applicable GST documentation are retained in accordance with Indian tax and accounting laws. Such records may be retained for up to eight (8) years or for the period mandated under applicable financial regulations.

3.6 Technical and Security Logs

Technical logs including device identifiers, IP addresses, usage metadata, and fraud monitoring signals are retained for security, abuse prevention, and system integrity purposes.

Such logs are generally retained for a period not exceeding twelve (12) months unless required for security investigations, fraud detection, or legal compliance.

3.7 Dispute and Investigation Records

Where a verification is subject to complaint, legal notice, investigation, or suspected misuse, related data may be retained for the duration of the dispute and for a reasonable period thereafter to protect the Company’s legal interests.

4. Deletion and Anonymization

Upon expiry of applicable retention periods, personal data is:

  • Permanently deleted from active systems; or
  • Irreversibly anonymized such that it can no longer identify any individual.

Deletion processes are implemented through controlled technical procedures designed to prevent recovery or reconstruction of deleted data.

Backup systems may retain encrypted copies for a limited additional period due to system architecture. Such backups are automatically overwritten in accordance with standard system cycles.

5. User-Initiated Deletion Requests

Individuals may request deletion of their personal data, subject to:

  • Completion of verification processes;
  • Absence of ongoing disputes;
  • Compliance with statutory retention requirements.

Deletion requests will be reviewed and processed within a reasonable timeframe. However, the Company may retain certain data where required by law or for legitimate legal defense purposes.

6. Legal Holds and Regulatory Requirements

Notwithstanding any retention schedule, the Company may suspend deletion where:

  • Required by court order;
  • Directed by law enforcement authorities;
  • Necessary to comply with regulatory audits;
  • Required to establish, exercise, or defend legal claims.

In such cases, data will be retained only for as long as legally required.

7. Data Minimization Commitment

TrustSaathi commits to collecting only the minimum personal data necessary to complete verification services. We periodically review stored data to ensure that unnecessary or excessive data is not retained beyond its lawful purpose.

8. Security During Retention

All retained data is protected through reasonable technical and organizational safeguards, including encrypted transmission, restricted internal access controls, and secure hosting environments.

While we implement strong safeguards, no system can guarantee absolute security.

9. Policy Updates

This Data Retention Policy may be updated periodically to reflect changes in law, regulatory guidance, or operational requirements. The updated version will be published on our platform with the revised “Last Updated” date.

Continued use of the platform constitutes acceptance of the updated Policy.

10. Contact Information

For questions regarding this Policy or to submit a data deletion request, please contact:

[Insert Company Name]

[Insert Registered Address]

[Insert Email Address]

[Insert Grievance Officer Details, if applicable]