Data Retention, Archival and Data Deletion Policy
Last Updated: July 01, 2026
DATA RETENTION, ARCHIVAL AND DATA DELETION POLICY
Issued By: PROSPER PROFESSIONAL DEVELOPMENT LIFE PRIVATE LIMITED
Registered Office: CC Road, Tamkuhi Road, Kushinagar, Uttar Pradesh, 274406
Version: 1.0
Effective Date: 01 July 2026
1. INTRODUCTION
This Data Retention, Archival and Data Deletion Policy ("Policy") has been formulated and adopted by PROSPER PROFESSIONAL DEVELOPMENT LIFE PRIVATE LIMITED ("PROSPER", "Company", "We", "Us", or "Our"), a technology-enabled B2B financial services and fintech company incorporated under the Companies Act, 2013, providing digital payment services, financial inclusion services, business correspondent services, payment processing solutions, and various value-added financial services through its network of agents, distributors, merchants, and regulated financial partners.
PROSPER recognizes the importance of maintaining, protecting, archiving, and securely disposing of customer information, financial records, business records, transaction data, and regulatory information in accordance with applicable laws and regulatory requirements.
This Policy establishes the principles, procedures, controls, responsibilities, retention periods, archival mechanisms, and secure destruction procedures applicable to all information assets maintained by PROSPER.
The objective of this Policy is to ensure that information is retained only for as long as required for legitimate business, operational, legal, regulatory, contractual, audit, security, and compliance purposes, and that such information is securely archived and destroyed when no longer required.
2. OBJECTIVES OF THE POLICY
The objectives of this Policy are:
- To establish a standardized framework for data retention and disposal;
- To ensure compliance with regulatory requirements;
- To protect customer information and privacy;
- To maintain audit trails and business records;
- To support legal and regulatory investigations;
- To reduce operational and compliance risks;
- To implement secure archival procedures;
- To ensure secure deletion and destruction of data;
- To support business continuity and disaster recovery requirements.
3. REGULATORY FRAMEWORK
This Policy has been formulated in accordance with:
- Digital Personal Data Protection Act, 2023 (DPDP Act);
- Information Technology Act, 2000;
- Prevention of Money Laundering Act, 2002 (PMLA);
- Prevention of Money Laundering Rules, 2005;
- Payment and Settlement Systems Act, 2007;
- Companies Act, 2013;
- Reserve Bank of India (RBI) Master Directions on KYC;
- RBI Payment Aggregator Guidelines;
- RBI Cyber Security Framework;
- NPCI Guidelines;
- FIU-IND Reporting Requirements;
- Aadhaar Act, 2016;
- UIDAI Regulations;
- Income Tax Act, 1961;
- CERT-In Directions;
- Other applicable laws and regulations.
4. SCOPE OF THE POLICY
This Policy applies to all information collected, processed, stored, transmitted, archived, or maintained by PROSPER, including:
- Customer data;
- Agent and distributor data;
- Merchant data;
- Employee records;
- Financial records;
- Transaction records;
- KYC records;
- AML/CFT records;
- Audit records;
- Security logs;
- Complaint records;
- Communication records;
- Technical logs;
- Digital evidence;
- Legal records;
- Business records;
- Backup and archival records.
This Policy applies to:
- Physical records;
- Electronic records;
- Cloud-based records;
- Databases;
- Emails;
- Audio/video recordings;
- System logs;
- Documents and files.
5. DEFINITIONS
5.1 Data Retention
The preservation of information for a specified period to satisfy legal, regulatory, operational, or business requirements.
5.2 Archival
The secure storage of inactive information for long-term preservation and retrieval.
5.3 Data Deletion
The permanent removal or destruction of information such that it cannot reasonably be reconstructed.
5.4 Personal Data
Any information relating to an identified or identifiable individual.
5.5 Sensitive Personal Data
Financial, biometric, authentication, Aadhaar, and other sensitive information requiring enhanced protection.
6. DATA RETENTION PRINCIPLES
PROSPER shall adhere to the following principles:
6.1 Lawful Retention
Information shall be retained only as required by applicable laws and business needs.
6.2 Purpose Limitation
Information shall not be retained beyond its intended purpose.
6.3 Data Minimization
Only necessary information shall be retained.
6.4 Security
Retained information shall remain protected.
6.5 Accountability
Retention activities shall be documented and auditable.
7. CUSTOMER KYC RECORD RETENTION
Customer KYC records shall be retained in accordance with RBI and PMLA requirements.
| Record Type | Retention Period |
|---|---|
| Customer KYC Documents | 5 years after relationship termination |
| Customer Identification Records | 5 years |
| Aadhaar Authentication Logs | 2 years + archival for 5 years |
| Video KYC Records | 5 years |
| Beneficial Ownership Records | 5 years |
KYC information shall remain accessible for regulatory inspection.
8. TRANSACTION RECORD RETENTION
All financial transaction records shall be maintained as follows:
| Transaction Type | Retention Period |
|---|---|
| BBPS Transactions | 7 years |
| AEPS Transactions | 7 years |
| Micro ATM Transactions | 7 years |
| UPI Transactions | 7 years |
| DMT Transactions | 7 years |
| Merchant Transactions | 7 years |
| Wallet Transactions | 7 years |
| Prepaid Card Transactions | 7 years |
Transaction records shall include:
- Transaction IDs;
- UTR numbers;
- Amounts;
- Timestamps;
- IP addresses;
- Device information;
- Audit trails.
9. AML/CFT RECORD RETENTION
In accordance with PMLA requirements:
| Record Type | Retention Period |
|---|---|
| Suspicious Transaction Reports (STRs) | 5 years |
| Cash Transaction Reports (CTRs) | 5 years |
| AML Investigations | 5 years |
| Risk Assessments | 5 years |
| Due Diligence Records | 5 years |
10. AGENT, DISTRIBUTOR AND MERCHANT RECORDS
The following records shall be maintained:
| Record Type | Retention Period |
|---|---|
| Agent KYC Records | 7 years |
| Merchant KYC Records | 7 years |
| Distributor Agreements | 7 years |
| Agent Agreements | 7 years |
| Merchant Agreements | 7 years |
| Commission Records | 7 years |
11. CUSTOMER SUPPORT AND COMPLAINT RECORDS
The following records shall be retained:
| Record Type | Retention Period |
|---|---|
| Complaint Records | 3 years |
| Grievance Records | 3 years |
| Customer Support Tickets | 3 years |
| Call Recordings | 1 year |
| Email Communications | 3 years |
12. INFORMATION SECURITY RECORDS
Security-related information shall be retained as follows:
| Record Type | Retention Period |
|---|---|
| Audit Logs | 5 years |
| Access Logs | 5 years |
| Authentication Logs | 5 years |
| Security Incident Reports | 5 years |
| Vulnerability Reports | 5 years |
| Penetration Test Reports | 5 years |
13. EMPLOYEE RECORD RETENTION
Employee-related records shall be retained as follows:
| Record Type | Retention Period |
|---|---|
| Employment Records | 7 years |
| Payroll Records | 8 years |
| Background Verification Records | 5 years |
| Disciplinary Records | 5 years |
| Training Records | 5 years |
14. LEGAL AND LITIGATION RECORDS
Legal records shall be retained as follows:
| Record Type | Retention Period |
|---|---|
| Litigation Records | Until closure + 7 years |
| Court Orders | 7 years |
| Legal Notices | 7 years |
| Investigation Records | 7 years |
| Regulatory Correspondence | 7 years |
15. FINANCIAL AND ACCOUNTING RECORDS
In accordance with Companies Act and tax laws:
| Record Type | Retention Period |
|---|---|
| Accounting Records | 8 years |
| Tax Records | 8 years |
| Audit Reports | 8 years |
| Financial Statements | Permanently |
| Bank Statements | 8 years |
16. DATA ARCHIVAL POLICY
Data may be archived when:
- Business usage declines;
- Regulatory retention remains applicable;
- Litigation is ongoing;
- Historical preservation is necessary.
Archived information shall:
- Be encrypted;
- Be access-controlled;
- Be regularly backed up;
- Maintain audit trails.
17. DATA DELETION AND DESTRUCTION
Upon expiry of retention periods, data shall be:
Electronic Records
- Cryptographically erased;
- Securely overwritten;
- Permanently deleted.
Physical Records
- Shredded;
- Pulverized;
- Incinerated.
Deletion shall ensure that information cannot be reconstructed.
18. CUSTOMER DATA DELETION REQUESTS
Customers may request deletion of personal information by contacting PROSPER.
However, deletion requests may be denied where retention is required due to:
- Regulatory obligations;
- AML investigations;
- Court proceedings;
- Audit requirements;
- Law enforcement investigations.
19. LEGAL HOLD
Where litigation, investigations, audits, or regulatory proceedings are anticipated or ongoing:
- Data deletion shall be suspended;
- Relevant records shall be preserved;
- Legal hold procedures shall apply.
Legal holds shall remain effective until formally released.
20. BACKUP RETENTION
Backup records shall be retained as follows:
| Backup Type | Retention Period |
|---|---|
| Daily Backup | 30 days |
| Weekly Backup | 90 days |
| Monthly Backup | 1 year |
| Annual Backup | 7 years |
Backup data shall be encrypted and protected.
21. DATA SECURITY CONTROLS
Retained data shall be protected through:
- AES-256 encryption;
- TLS 1.2+ encryption;
- Multi-factor authentication;
- Role-based access controls;
- Audit trails;
- Security monitoring;
- Backup and disaster recovery controls.
22. RESPONSIBILITIES
The following stakeholders shall ensure compliance:
- Board of Directors;
- Compliance Officer;
- Data Protection Officer;
- Information Security Officer;
- Legal Department;
- Internal Audit Team;
- Technology Team;
- Operations Team.
23. AUDIT AND REVIEW
The Company shall conduct:
- Annual policy reviews;
- Internal audits;
- Regulatory compliance audits;
- Data retention assessments;
- Security reviews.
24. NON-COMPLIANCE
Failure to comply with this Policy may result in:
- Disciplinary action;
- Suspension;
- Termination;
- Regulatory reporting;
- Legal action.
25. GRIEVANCE AND DATA REQUESTS
Data Protection Officer / Grievance Officer
Name: Mr. Divyanshu Kumar
Address: CC Road, Tamkuhi Road, Kushinagar, Uttar Pradesh, 274406
Email: legal@prosper.in
Phone: +91 9918784000
Working Hours: Monday to Saturday, 10:00 AM – 6:00 PM
26. GOVERNING LAW AND JURISDICTION
This Policy shall be governed by the laws of India.
All disputes arising under this Policy shall be subject to the exclusive jurisdiction of the courts situated at Lucknow, Uttar Pradesh.
27. EFFECTIVE DATE
This Policy shall come into force on 01 July 2026 and remain valid until amended, replaced, or withdrawn by PROSPER PROFESSIONAL DEVELOPMENT LIFE PRIVATE LIMITED.
28. DECLARATION
This Data Retention, Archival and Data Deletion Policy has been approved by the management of PROSPER PROFESSIONAL DEVELOPMENT LIFE PRIVATE LIMITED and shall be binding upon all employees, agents, distributors, merchants, contractors, service providers, and business partners.
FOR AND ON BEHALF OF
PROSPER PROFESSIONAL DEVELOPMENT LIFE PRIVATE LIMITED
Registered Office:
CC Road, Tamkuhi Road, Kushinagar, Uttar Pradesh, 274406
Email: legal@prosper.in
Phone: +91 9918784000
Website: www.prosper.in
"PROSPER – Preserving Trust Through Secure Data Governance and Regulatory Compliance."
