PROSPER PROFESSIONAL DEVELOPMENT LIFE PRIVATE LIMITED

Electricity

Electricity

Enable your retail business to offer fast, secure and reliable BBPS bill payments, recharges, OTT subscriptions and more all from one platform.

Data Retention, Archival and Data Deletion Policy

Last Updated: July 01, 2026

DATA RETENTION, ARCHIVAL AND DATA DELETION POLICY

Issued By: PROSPER PROFESSIONAL DEVELOPMENT LIFE PRIVATE LIMITED

Registered Office: CC Road, Tamkuhi Road, Kushinagar, Uttar Pradesh, 274406

Version: 1.0

Effective Date: 01 July 2026

1. INTRODUCTION

This Data Retention, Archival and Data Deletion Policy ("Policy") has been formulated and adopted by PROSPER PROFESSIONAL DEVELOPMENT LIFE PRIVATE LIMITED ("PROSPER", "Company", "We", "Us", or "Our"), a technology-enabled B2B financial services and fintech company incorporated under the Companies Act, 2013, providing digital payment services, financial inclusion services, business correspondent services, payment processing solutions, and various value-added financial services through its network of agents, distributors, merchants, and regulated financial partners.

PROSPER recognizes the importance of maintaining, protecting, archiving, and securely disposing of customer information, financial records, business records, transaction data, and regulatory information in accordance with applicable laws and regulatory requirements.

This Policy establishes the principles, procedures, controls, responsibilities, retention periods, archival mechanisms, and secure destruction procedures applicable to all information assets maintained by PROSPER.

The objective of this Policy is to ensure that information is retained only for as long as required for legitimate business, operational, legal, regulatory, contractual, audit, security, and compliance purposes, and that such information is securely archived and destroyed when no longer required.

2. OBJECTIVES OF THE POLICY

The objectives of this Policy are:

  • To establish a standardized framework for data retention and disposal;
  • To ensure compliance with regulatory requirements;
  • To protect customer information and privacy;
  • To maintain audit trails and business records;
  • To support legal and regulatory investigations;
  • To reduce operational and compliance risks;
  • To implement secure archival procedures;
  • To ensure secure deletion and destruction of data;
  • To support business continuity and disaster recovery requirements.

3. REGULATORY FRAMEWORK

This Policy has been formulated in accordance with:

  • Digital Personal Data Protection Act, 2023 (DPDP Act);
  • Information Technology Act, 2000;
  • Prevention of Money Laundering Act, 2002 (PMLA);
  • Prevention of Money Laundering Rules, 2005;
  • Payment and Settlement Systems Act, 2007;
  • Companies Act, 2013;
  • Reserve Bank of India (RBI) Master Directions on KYC;
  • RBI Payment Aggregator Guidelines;
  • RBI Cyber Security Framework;
  • NPCI Guidelines;
  • FIU-IND Reporting Requirements;
  • Aadhaar Act, 2016;
  • UIDAI Regulations;
  • Income Tax Act, 1961;
  • CERT-In Directions;
  • Other applicable laws and regulations.

4. SCOPE OF THE POLICY

This Policy applies to all information collected, processed, stored, transmitted, archived, or maintained by PROSPER, including:

  • Customer data;
  • Agent and distributor data;
  • Merchant data;
  • Employee records;
  • Financial records;
  • Transaction records;
  • KYC records;
  • AML/CFT records;
  • Audit records;
  • Security logs;
  • Complaint records;
  • Communication records;
  • Technical logs;
  • Digital evidence;
  • Legal records;
  • Business records;
  • Backup and archival records.

This Policy applies to:

  • Physical records;
  • Electronic records;
  • Cloud-based records;
  • Databases;
  • Emails;
  • Audio/video recordings;
  • System logs;
  • Documents and files.

5. DEFINITIONS

5.1 Data Retention

The preservation of information for a specified period to satisfy legal, regulatory, operational, or business requirements.

5.2 Archival

The secure storage of inactive information for long-term preservation and retrieval.

5.3 Data Deletion

The permanent removal or destruction of information such that it cannot reasonably be reconstructed.

5.4 Personal Data

Any information relating to an identified or identifiable individual.

5.5 Sensitive Personal Data

Financial, biometric, authentication, Aadhaar, and other sensitive information requiring enhanced protection.

6. DATA RETENTION PRINCIPLES

PROSPER shall adhere to the following principles:

6.1 Lawful Retention

Information shall be retained only as required by applicable laws and business needs.

6.2 Purpose Limitation

Information shall not be retained beyond its intended purpose.

6.3 Data Minimization

Only necessary information shall be retained.

6.4 Security

Retained information shall remain protected.

6.5 Accountability

Retention activities shall be documented and auditable.

7. CUSTOMER KYC RECORD RETENTION

Customer KYC records shall be retained in accordance with RBI and PMLA requirements.

Record TypeRetention Period
Customer KYC Documents5 years after relationship termination
Customer Identification Records5 years
Aadhaar Authentication Logs2 years + archival for 5 years
Video KYC Records5 years
Beneficial Ownership Records5 years

KYC information shall remain accessible for regulatory inspection.

8. TRANSACTION RECORD RETENTION

All financial transaction records shall be maintained as follows:

Transaction TypeRetention Period
BBPS Transactions7 years
AEPS Transactions7 years
Micro ATM Transactions7 years
UPI Transactions7 years
DMT Transactions7 years
Merchant Transactions7 years
Wallet Transactions7 years
Prepaid Card Transactions7 years

Transaction records shall include:

  • Transaction IDs;
  • UTR numbers;
  • Amounts;
  • Timestamps;
  • IP addresses;
  • Device information;
  • Audit trails.

9. AML/CFT RECORD RETENTION

In accordance with PMLA requirements:

Record TypeRetention Period
Suspicious Transaction Reports (STRs)5 years
Cash Transaction Reports (CTRs)5 years
AML Investigations5 years
Risk Assessments5 years
Due Diligence Records5 years

10. AGENT, DISTRIBUTOR AND MERCHANT RECORDS

The following records shall be maintained:

Record TypeRetention Period
Agent KYC Records7 years
Merchant KYC Records7 years
Distributor Agreements7 years
Agent Agreements7 years
Merchant Agreements7 years
Commission Records7 years

11. CUSTOMER SUPPORT AND COMPLAINT RECORDS

The following records shall be retained:

Record TypeRetention Period
Complaint Records3 years
Grievance Records3 years
Customer Support Tickets3 years
Call Recordings1 year
Email Communications3 years

12. INFORMATION SECURITY RECORDS

Security-related information shall be retained as follows:

Record TypeRetention Period
Audit Logs5 years
Access Logs5 years
Authentication Logs5 years
Security Incident Reports5 years
Vulnerability Reports5 years
Penetration Test Reports5 years

13. EMPLOYEE RECORD RETENTION

Employee-related records shall be retained as follows:

Record TypeRetention Period
Employment Records7 years
Payroll Records8 years
Background Verification Records5 years
Disciplinary Records5 years
Training Records5 years

14. LEGAL AND LITIGATION RECORDS

Legal records shall be retained as follows:

Record TypeRetention Period
Litigation RecordsUntil closure + 7 years
Court Orders7 years
Legal Notices7 years
Investigation Records7 years
Regulatory Correspondence7 years

15. FINANCIAL AND ACCOUNTING RECORDS

In accordance with Companies Act and tax laws:

Record TypeRetention Period
Accounting Records8 years
Tax Records8 years
Audit Reports8 years
Financial StatementsPermanently
Bank Statements8 years

16. DATA ARCHIVAL POLICY

Data may be archived when:

  • Business usage declines;
  • Regulatory retention remains applicable;
  • Litigation is ongoing;
  • Historical preservation is necessary.

Archived information shall:

  • Be encrypted;
  • Be access-controlled;
  • Be regularly backed up;
  • Maintain audit trails.

17. DATA DELETION AND DESTRUCTION

Upon expiry of retention periods, data shall be:

Electronic Records

  • Cryptographically erased;
  • Securely overwritten;
  • Permanently deleted.

Physical Records

  • Shredded;
  • Pulverized;
  • Incinerated.

Deletion shall ensure that information cannot be reconstructed.

18. CUSTOMER DATA DELETION REQUESTS

Customers may request deletion of personal information by contacting PROSPER.

However, deletion requests may be denied where retention is required due to:

  • Regulatory obligations;
  • AML investigations;
  • Court proceedings;
  • Audit requirements;
  • Law enforcement investigations.

19. LEGAL HOLD

Where litigation, investigations, audits, or regulatory proceedings are anticipated or ongoing:

  • Data deletion shall be suspended;
  • Relevant records shall be preserved;
  • Legal hold procedures shall apply.

Legal holds shall remain effective until formally released.

20. BACKUP RETENTION

Backup records shall be retained as follows:

Backup TypeRetention Period
Daily Backup30 days
Weekly Backup90 days
Monthly Backup1 year
Annual Backup7 years

Backup data shall be encrypted and protected.

21. DATA SECURITY CONTROLS

Retained data shall be protected through:

  • AES-256 encryption;
  • TLS 1.2+ encryption;
  • Multi-factor authentication;
  • Role-based access controls;
  • Audit trails;
  • Security monitoring;
  • Backup and disaster recovery controls.

22. RESPONSIBILITIES

The following stakeholders shall ensure compliance:

  • Board of Directors;
  • Compliance Officer;
  • Data Protection Officer;
  • Information Security Officer;
  • Legal Department;
  • Internal Audit Team;
  • Technology Team;
  • Operations Team.

23. AUDIT AND REVIEW

The Company shall conduct:

  • Annual policy reviews;
  • Internal audits;
  • Regulatory compliance audits;
  • Data retention assessments;
  • Security reviews.

24. NON-COMPLIANCE

Failure to comply with this Policy may result in:

  • Disciplinary action;
  • Suspension;
  • Termination;
  • Regulatory reporting;
  • Legal action.

25. GRIEVANCE AND DATA REQUESTS

Data Protection Officer / Grievance Officer

Name: Mr. Divyanshu Kumar

Address: CC Road, Tamkuhi Road, Kushinagar, Uttar Pradesh, 274406

Email: legal@prosper.in

Phone: +91 9918784000

Working Hours: Monday to Saturday, 10:00 AM – 6:00 PM

26. GOVERNING LAW AND JURISDICTION

This Policy shall be governed by the laws of India.

All disputes arising under this Policy shall be subject to the exclusive jurisdiction of the courts situated at Lucknow, Uttar Pradesh.

27. EFFECTIVE DATE

This Policy shall come into force on 01 July 2026 and remain valid until amended, replaced, or withdrawn by PROSPER PROFESSIONAL DEVELOPMENT LIFE PRIVATE LIMITED.

28. DECLARATION

This Data Retention, Archival and Data Deletion Policy has been approved by the management of PROSPER PROFESSIONAL DEVELOPMENT LIFE PRIVATE LIMITED and shall be binding upon all employees, agents, distributors, merchants, contractors, service providers, and business partners.


FOR AND ON BEHALF OF

PROSPER PROFESSIONAL DEVELOPMENT LIFE PRIVATE LIMITED

Registered Office:
CC Road, Tamkuhi Road, Kushinagar, Uttar Pradesh, 274406

Email: legal@prosper.in

Phone: +91 9918784000

Website: www.prosper.in

"PROSPER – Preserving Trust Through Secure Data Governance and Regulatory Compliance."