Data Retention Policy
How long we keep your data, why we keep it, and how it is deleted.
This policy explains the specific periods for which AstroFinanceHub retains personal data collected via the Platform, and the criteria used to determine those periods. It supplements our Privacy Policy.
1 What Data We Retain
We collect and retain the following categories of personal and operational data:
- Account & identity data: Name, email address, phone number, username, password hash, account creation date, country, timezone.
- Birth & astrological data: Date, time, and place of birth provided voluntarily for chart generation; saved charts, divisional charts, Panchanga outputs, KP calculations, and consultation notes.
- Payment & billing records: Transaction IDs, subscription history, invoice amounts, payment method type (last 4 digits only — full card data is never stored by us), refund records, coupon usage.
- Consultation records: Booking details, session summaries, astrologer notes (with your consent), uploaded documents shared during consultations.
- Communication data: Emails sent to and from our support team, in-app messages, contact form submissions.
- Technical & access logs: IP addresses, browser type, device identifiers, pages visited, API call logs, error logs.
- Analytics & usage data: Aggregated usage statistics, feature engagement, crash reports.
- Community content: Posts, comments, reactions, and forum contributions associated with your account.
- Backup data: Copies of the above held in disaster-recovery snapshots.
2 Retention Periods by Category
The table below summarises our standard retention periods and the legal basis for each.
| Data Category | Retention Period | Legal Basis |
|---|---|---|
| Account & identity data | 7 years after closure | Contractual obligation; fraud prevention; regulatory compliance |
| Birth & astrological data | Life of account + 3 years | Legitimate interest (service provision); deleted on account closure + 3-year grace period |
| Payment & billing records | 7 years | Legal obligation — UK/EU tax and accounting rules; HMRC / Companies Act requirements |
| Consultation records | 5 years after session | Legitimate interest; dispute resolution; consumer protection compliance |
| Support & communication data | 3 years after closure | Legitimate interest; dispute resolution |
| Server & access logs | 90 days | Security monitoring; fraud detection; operational necessity |
| Analytics & usage data (aggregated) | 2 years | Legitimate interest (product improvement); anonymised after 2 years |
| Backup data | 30 days after deletion | Disaster recovery; technical necessity; purged on rolling 30-day cycle |
| Community content | 3 years after account closure | Legitimate interest (community integrity); may be anonymised rather than deleted |
| Marketing preferences | Until withdrawn + 1 year | Consent; suppression list maintained for 5 years to honour opt-outs |
* Periods may be extended where a legal hold is in effect (see §6).
3 How We Store Data
3.1 Storage Infrastructure
Data is stored on servers located in the European Economic Area (EEA) and the United Kingdom. Our primary hosting provider is a Tier 1 cloud provider with ISO 27001 and SOC 2 Type II certification. All data at rest is encrypted using AES-256; all data in transit uses TLS 1.2 or higher.
3.2 Access Controls
Access to personal data is restricted to authorised personnel on a need-to-know basis. Role-based access control (RBAC) is enforced across all internal systems. Administrative access requires multi-factor authentication (MFA).
3.3 Payment Data
Full payment card details are never stored on our servers. All payment processing is handled by Stripe, which is PCI DSS Level 1 certified. We retain only non-sensitive transaction metadata (transaction ID, amount, currency, last 4 digits, billing address for fraud checks).
3.4 Astrological Data Sensitivity
Birth date, time, and place constitute personal data and are treated with heightened care. This data is stored in encrypted fields in our database and is accessible only to systems that directly generate chart outputs or to the user themselves.
4 Deletion & Anonymisation Processes
4.1 Account Deletion
When you delete your account via Account Settings:
- Your account is marked as pending deletion and access is immediately revoked.
- Within 30 days, personally identifiable information (PII) — including your name, email, birth data, and saved charts — is either deleted or irreversibly anonymised.
- Data subject to statutory retention requirements (payment records, invoices) is retained for the mandated period in a restricted, isolated data store not accessible to operational systems.
- Anonymised aggregate statistics derived from your usage may be retained indefinitely as they no longer constitute personal data.
4.2 Anonymisation Standard
Where we anonymise rather than delete (e.g. community posts, aggregated analytics), we apply irreversible anonymisation techniques that render re-identification computationally infeasible. Anonymised records are no longer subject to this Policy.
4.3 Automated Retention Enforcement
We operate scheduled automated jobs that review data against retention schedules and trigger deletion or anonymisation workflows at the end of each applicable period. These jobs are audited quarterly.
4.4 Right to Erasure
You may request early deletion under your right to erasure (see §7). We will honour valid requests within 30 days, subject to legal hold and statutory retention exceptions.
5 Backups
Our systems maintain encrypted daily backups for disaster recovery. Backups are retained for a rolling 30-day window. When data is deleted from our production systems, corresponding backup data is purged at the end of the next backup rotation cycle (within 30 days).
Backups are stored in geographically separate locations within the EEA. Access to backups requires elevated permissions with a full audit trail.
6 Legal Hold
Notwithstanding the retention schedules above, we may preserve data beyond its normal retention period where:
- We are subject to a court order, regulatory investigation, or law enforcement request requiring retention.
- Data is relevant to actual or anticipated litigation, arbitration, or regulatory proceedings involving AstroFinanceHub.
- Statutory obligations in a particular jurisdiction require longer retention than our standard schedule.
Where a legal hold is applied, affected data is placed in a restricted, immutable store. Holds are reviewed at least every 6 months and lifted as soon as the legal basis for retention ceases.
7 Your Rights
You have the following rights in respect of your personal data, subject to applicable law:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Request correction of inaccurate or incomplete data.
- Erasure: Request deletion of your data ("right to be forgotten"), subject to legal retention obligations.
- Restriction: Request that we restrict processing of your data in certain circumstances.
- Portability: Receive your data in a structured, machine-readable format.
- Objection: Object to processing based on legitimate interests.
- Withdraw consent: Where processing is based on consent, withdraw it at any time without affecting prior lawful processing.
Full details of how to exercise these rights are in our Privacy Policy — Your Rights section. To submit a data subject request, contact privacy@astrofinancehub.com. We will respond within 30 days.
8 Third-Party Data Processors
We share data with the following categories of third-party processors, each of whom is contractually bound to process data only as instructed and to maintain appropriate security standards:
| Processor Category | Purpose | Data Shared |
|---|---|---|
| Payment processor (Stripe) | Subscription billing, invoicing, fraud detection | Email, billing address, transaction data |
| Cloud hosting provider | Server infrastructure, storage | All data (encrypted at rest) |
| Email delivery (transactional) | Account notifications, receipts, alerts | Name, email address |
| Analytics provider | Aggregated product analytics | Pseudonymised usage events, IP (hashed) |
| Customer support tools | Helpdesk ticketing, live chat | Name, email, support conversation history |
| Security & monitoring | Intrusion detection, error tracking | IP addresses, error logs (no PII in error payloads) |
Processors are selected based on their security posture and compliance with GDPR/UK GDPR. Data Processing Agreements (DPAs) are in place with all processors that handle EEA or UK personal data. A full list of sub-processors is available on request.
9 Changes to This Policy
We may update this Policy to reflect changes in law, our data practices, or our services. Material changes will be communicated by email and/or a notice on the Platform at least 14 days before they take effect. The "Last updated" date at the top of this page will always reflect the most recent revision.
10 Contact
For any questions about this Data Retention Policy, to submit a data subject access request, or to exercise your erasure rights, please contact our Data Protection team:
- Email: privacy@astrofinancehub.com
- General enquiries: hello@astrofinancehub.com
- Response time: We aim to respond to all data requests within 30 calendar days.
You also have the right to lodge a complaint with your local data protection supervisory authority. In the UK, this is the Information Commissioner's Office (ICO). In the EU, contact your national data protection authority.