Data Retention Policy
95octane permanently deletes user personal data when an account is removed. A narrow set of pseudonymised records is retained beyond deletion under the legal claims exception — GDPR Article 17(3)(e) and the equivalent provision of India's Digital Personal Data Protection Act 2023 (DPDPA Section 8(7)) — to support fraud prevention and chargeback defence.
No raw personal data (name, email address, phone number, profile photo, or GPS location) is retained after permanent deletion.
Retained Data Categories
| Category | What is kept | Retention period | Legal basis |
|---|---|---|---|
| Identity markers | Hashed UID, hashed device identifiers, hashed sign-in provider IDs | 3 years from deletion | GDPR Art. 17(3)(e) · DPDPA S.8(7) |
| Payment records | Subscription purchase history, transaction IDs, refund and chargeback events (via App Store, Google Play, RevenueCat) | 7 years from deletion | Tax compliance · GDPR Art. 17(3)(e) · DPDPA S.8(7) |
| Ban and moderation history | Ban events, appeal threads, operator decisions | 3 years from deletion | GDPR Art. 17(3)(e) · DPDPA S.8(7) |
| Account activity summary | Account creation date, deletion date, last active date | 3 years from deletion | GDPR Art. 17(3)(e) · DPDPA S.8(7) |
| Ride participation | Anonymised ride starts — tier and timestamp only, no names or locations | 3 years from deletion | GDPR Art. 17(3)(e) · DPDPA S.8(7) |
Retention periods are measured from the date of permanent account deletion (the end of the 7-day grace period). Payment records are kept for 7 years to satisfy tax reporting obligations in India and the record-keeping requirements of the App Store and Google Play.
Access
Retained data is accessible only to operators with the compliance role in the back office. No other operator role can view or act on this data.
Purge
Retained data is not purged automatically. When a retention period expires, a compliance operator must trigger the purge from the dedicated retention management section in the back office. The system shows which records have passed their retention date and are eligible for purge.
User Rights
Deleted users retain certain rights over data held under this policy.
Right of access (GDPR Art. 15 · DPDPA): A former user who contacts 95octane to ask what data is held about them receives a response that:
- Confirms that minimal retention data exists.
- Describes the categories retained (from the table above).
- Does not disclose raw values.
Right to object (GDPR Art. 21): Objections are assessed case by case. Data retained strictly for legal claims defence may be exempt from this right for the duration of any active or foreseeable dispute.
Data Breach
If retained data is involved in a security breach, GDPR requires notification to the relevant supervisory authority within 72 hours and to affected individuals without undue delay. The compliance operator is the designated owner for breach response. Incidents must be escalated to the compliance role immediately on discovery. A formal breach notification process (notification templates, DPA contact details, and timelines) needs to be established before launch.
References
- Delete Account — how account deletion and the grace period work
- Ban — how ban and moderation history is created
- GDPR Article 17 — https://gdpr-info.eu/art-17-gdpr
- GDPR Article 5 — https://gdpr-info.eu/art-5-gdpr
- India DPDPA 2023 — Section 8(7)
- India Limitation Act 1963