Retention philosophy
Retention policy
Our retention rules follow three principles:
- Default to delete — every data category has an explicit retention window, and the default for any new category is to delete it as soon as the operational need ends.
- Lawful basis for each — every row in the schedule below names the GDPR Art. 6 basis for the retention. Where the basis is “legal obligation”, the specific obligation is named.
- Customer-facing transparency — the schedule on this page is the schedule we operate to. We do not have a shadow internal schedule that contradicts what is published here.
The full schedule
Full schedule
| Category | What it is | Retention | Lawful basis |
|---|---|---|---|
| Account credentials | Email, name, mobile number, bcrypt password hash, MFA secret hash | Lifetime of account + 30 days | Contract performance — Art. 6(1)(b) GDPR |
| Company profile | RJSC registration, TIN, BIN, VAT registration, trade licence, e-GP user ID, financials, employee count, work specialisations | Lifetime of account + 30 days | Contract performance — Art. 6(1)(b) GDPR |
| Tender ZIPs and supporting documents | Original tender documents the customer uploads; AI-extraction outputs derived from them | 7 days from upload, then auto-delete | Data minimisation — Art. 5(1)(c) GDPR — and our explicit short-window commitment |
| AI bid drafts | Full text of AI-generated bid responses, eligibility analyses, copilot conversations | Until customer deletes (no auto-delete) | Contract performance — Art. 6(1)(b) — customer asset |
| Login session metadata | IP address, user-agent, timestamps, session token hash | 30 days from session end | Legitimate interest — security monitoring — Art. 6(1)(f) |
| Invoices and tax records | Invoice PDFs, line items, VAT challans, EPS transaction references, customer billing address | 7 years from issue | Legal obligation — Bangladesh NBR retention rules — Art. 6(1)(c) |
| Admin audit log entries | Internal staff access events to customer data; refund authorisations; account-state changes | 1 year hot retention, 7 years cold retention | Legitimate interest — accountability — Art. 6(1)(f) |
| Application logs | Server-side logs of API requests, feature usage, error events; PII scrubbed at the SDK level | 90 days hot, 1 year cold | Legitimate interest — operations — Art. 6(1)(f) |
| Marketing communications | Email opens, link clicks, unsubscribe events, segmentation tags | Until consent withdrawn or 12 months of inactivity | Consent — Art. 6(1)(a) GDPR |
| Support correspondence | Email threads with TenderPulse support; chat transcripts; phone-call notes | 3 years from last interaction | Legitimate interest — quality assurance, dispute defence |
| Cookie consent records | Consent state on a given device for a given LEGAL_VERSIONS | Lifetime of consent state on the browser | Consent — Art. 6(1)(a) |
| Closed-account export bundle | Machine-readable export prepared after account closure for customer download | 30 days from closure (the grace window) | Customer right of access — Art. 15 / 20 GDPR |
| Backups | Encrypted database and S3 snapshots used for disaster recovery | 30 days rolling | Legitimate interest — business continuity — Art. 6(1)(f); deletion within next backup cycle after primary deletion |
How auto-deletion works
Auto-deletion
A delete_at timestamp is saved (upload + 7 days). Every hour, a scheduled job compares against this timestamp and deletes: from primary storage, from indices, everything.
Our auto-deletion pipeline runs as a scheduled Lambda hourly and operates in three stages:
- Identification — query rows where delete_at < NOW(); every retention-bound table has this column populated at write time
- Cascade delete — primary row + child rows in dependent tables + S3 object + vector-database embedding + search index entry — all in a single transactional unit
- Backup tombstoning — flag added to the next backup cycle so the deleted item is excluded from future restores; the actual backup data ages out within 30 days under the rolling-backup policy
Auto-deletion is monitored: every run emits a metric for number-of-items-deleted, and an alert fires if the run skips a day or fails. We do not silently let auto-deletion lapse.
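The three stages and the run metric can be sketched as follows. This is an added example, not TenderPulse's own pipeline code: SQLite stands in for the production database, the table names, the `backup_tombstone` table and the `delete_object` callback (standing in for the S3 delete) are hypothetical, and only the `delete_at` column comes from the page.

```python
import sqlite3

# Constructed schema: a retention-bound table, a dependent table, a tombstone list.
SCHEMA = """
CREATE TABLE tender_zip (id INTEGER PRIMARY KEY, s3_key TEXT NOT NULL,
    delete_at INTEGER NOT NULL);  -- epoch seconds, set at write time (upload + 7 days)
CREATE TABLE extraction (id INTEGER PRIMARY KEY,
    zip_id INTEGER NOT NULL REFERENCES tender_zip(id) ON DELETE CASCADE);
CREATE TABLE backup_tombstone (s3_key TEXT PRIMARY KEY, deleted_at INTEGER NOT NULL);
"""

def purge_expired(db, now, delete_object):
    """One scheduled run; returns (deleted, failed) for the run's metrics."""
    deleted = failed = 0
    # Stage 1, identification: rows whose retention window has ended.
    expired = db.execute(
        "SELECT id, s3_key FROM tender_zip WHERE delete_at < ?", (now,)).fetchall()
    for zip_id, s3_key in expired:
        try:
            with db:  # commit on success, roll back every statement on an exception
                # Stage 2, cascade delete: the FK removes dependent rows as well.
                db.execute("DELETE FROM tender_zip WHERE id = ?", (zip_id,))
                # Stage 3, tombstone: a restore job can skip this object.
                db.execute("INSERT OR REPLACE INTO backup_tombstone VALUES (?, ?)",
                           (s3_key, now))
                # External delete last: if it raises, row and tombstone roll back
                # and the item stays expired, so the next run retries it.
                delete_object(s3_key)
            deleted += 1
        except Exception:
            failed += 1  # surfaced in the return value, never swallowed silently
    return deleted, failed

def run_sample():
    """Constructed data: one expired item, one in-window, one whose store delete fails."""
    db, now = sqlite3.connect(":memory:"), 1_700_000_000
    db.execute("PRAGMA foreign_keys = ON")  # SQLite cascades only when enabled
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO tender_zip VALUES (?, ?, ?)", [
        (1, "zips/a.zip", now - 1), (2, "zips/b.zip", now + 7 * 86400),
        (3, "zips/c.zip", now - 10)])
    db.executemany("INSERT INTO extraction VALUES (?, ?)", [(10, 1), (20, 2), (30, 3)])
    db.commit()
    store = {"zips/a.zip", "zips/b.zip", "zips/c.zip"}  # stands in for the S3 bucket
    def delete_object(key):
        if key == "zips/c.zip":
            raise OSError("object store unavailable")
        store.discard(key)
    return db, store, purge_expired(db, now, delete_object)
```

An object store cannot join the database transaction, so the external delete has to be idempotent: if the commit fails after the object is already gone, the next run repeats the delete harmlessly. A non-zero `failed` count is the signal to alert on.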
Customer-initiated deletion
When a customer wants to delete
Customers can delete:
- Individual AI drafts from the bid editor
- Individual tender ZIPs from the document library
- Specific company profile fields (where the field is not required for product function)
- The whole account from billing settings
On individual-item deletion, the item enters the auto-delete pipeline immediately with a 7-day soft-delete window during which the customer can restore it. After 7 days the item is permanently deleted.
On full account closure, the account enters a 30-day grace window during which: a complete machine-readable export is available, the account can be reactivated by paying for a new period, and customer data is preserved. After 30 days, all customer data flagged for deletion is permanently deleted from primary systems (within 30 days) and from backups (within the next backup cycle, typically within 60 days). GDPR Art. 17
Carve-outs from deletion
Deletion carve-outs
Some data we retain even after a customer requests deletion, because retention is required by law. The carve-outs are:
- Invoices and tax records — retained for 7 years from issue under Bangladesh NBR rules. We anonymise beyond what is required for tax inspection.
- Admin audit log entries — retained for the full 7-year cold-storage window. The customer’s name in audit log entries is replaced with an internal account ID after the account is fully closed; the underlying access record is preserved.
- Anti-money-laundering / sanctions screening evidence — retained for the period required under applicable BD or international AML rules.
- Pending dispute or investigation evidence — where a customer has an open dispute, a regulatory investigation, or a court-ordered preservation requirement, relevant data is preserved for the duration of that matter.
These carve-outs are explicitly permitted under GDPR Art. 17(3)(b) (legal obligation) and GDPR Art. 17(3)(e) (legal claims).
Right to data portability
Data portability
You have the right to receive a copy of your personal data in a structured, commonly-used, machine-readable format and to transmit that data to another controller. GDPR Art. 20
From the billing settings page you can trigger an export at any time. The export package contains:
- Account profile (JSON)
- Company profile (JSON)
- Tender history (JSON + original tender ZIPs where still within their 7-day retention window)
- AI bid drafts and copilot conversation history (JSON + Markdown)
- Invoices (PDF + JSON line-items)
- Admin audit log entries pertaining to your tenant (JSON)
- Cookie consent records (JSON)
The export is generated within 5 business days for normal accounts, faster for accounts in the closure-grace window. The schema is documented in our developer portal so you can re-import to a competing service if you choose.