Legal
Data Retention Policy
Burning Ash Protocol data retention policy — how long we keep your data and how it is deleted.
Data Retention Policy
Last Updated: March 2026
Domain: www.baprotocol.com
Purpose
This Data Retention Policy defines how long Burning Ash Protocol ("BAP"), operated by TripleVision LLC, retains different categories of personal and operational data, the legal basis for each retention period, and the processes for data deletion.
Retention Schedule
User Account Data
| Data Category | Retention Period | Trigger for Deletion | Legal Basis |
|---|---|---|---|
| Host account profile (name, email, hashed password) | Duration of active account | Account deletion request | Contract performance |
| Host account profile (after deletion request) | Deleted within 30 days | Deletion request received | GDPR Art. 17, CCPA |
| Host authentication tokens (JWT, API tokens) | Until expiry or revocation | Token expiry/revocation | Contract performance |
Will and Document Data
| Data Category | Retention Period | Trigger for Deletion | Legal Basis |
|---|---|---|---|
| Encrypted will documents | Duration of active account | Account deletion or will deletion | Contract performance |
| Data Encryption Keys (DEKs) | Duration of active account | Account deletion destroys DEK | Contract performance |
| Shamir key shares | Duration of active will | Will deletion or account deletion | Contract performance |
| Will documents (post-deletion) | Purged within 30 days | Deletion request | GDPR Art. 17 |
Survivor Data
| Data Category | Retention Period | Trigger for Deletion | Legal Basis |
|---|---|---|---|
| Survivor names and contact info (encrypted) | Duration of associated will | Will deletion, survivor removal, or account deletion | Contract performance, legitimate interest |
| Survivor OTP records | 24 hours after generation | Automatic expiry | Data minimization |
| Survivor authentication logs | 90 days | Automatic rotation | Security, legitimate interest |
Transfer Data
| Data Category | Retention Period | Trigger for Deletion | Legal Basis |
|---|---|---|---|
| Active transfer records | Duration of transfer process | Transfer completion or cancellation | Contract performance |
| Completed transfer records | 1 year after completion | Automatic deletion | Legitimate interest (dispute resolution) |
| Cancelled transfer records | 90 days after cancellation | Automatic deletion | Legitimate interest |
Liveness Check Data
| Data Category | Retention Period | Trigger for Deletion | Legal Basis |
|---|---|---|---|
| Liveness configuration (intervals, thresholds) | Duration of active account | Account deletion | Contract performance |
| Liveness check history | 1 year | Rolling deletion | Contract performance, legitimate interest |
| Failed liveness notifications | 90 days | Rolling deletion | Debugging, legitimate interest |
Connector and Storage Data
| Data Category | Retention Period | Trigger for Deletion | Legal Basis |
|---|---|---|---|
| Connector credentials (encrypted) | Duration of connector configuration | Connector removal or account deletion | Contract performance |
| Storage provider credentials (encrypted) | Duration of storage configuration | Storage removal or account deletion | Contract performance |
| OAuth refresh tokens | Until revocation or expiry | Token revocation | Contract performance |
Billing Data (SaaS Mode)
| Data Category | Retention Period | Trigger for Deletion | Legal Basis |
|---|---|---|---|
| Stripe customer ID | 7 years after last transaction | Automatic deletion after retention period | Tax law |
| Invoice records | 7 years after issuance | Automatic deletion after retention period | Tax law |
| Payment method details | Stored by Stripe, not by BAP | Managed by Stripe | PCI-DSS compliance |
Operational Data
| Data Category | Retention Period | Trigger for Deletion | Legal Basis |
|---|---|---|---|
| Server access logs (IP, timestamp, request) | 90 days | Rolling deletion | Security, legitimate interest |
| Error logs | 90 days | Rolling deletion | Debugging, legitimate interest |
| Security event logs (failed auth, rate limits) | 1 year | Rolling deletion | Security, legitimate interest |
| Admin action audit logs | 2 years | Rolling deletion | Accountability, legitimate interest |
Deletion Procedures
User-Initiated Deletion
When a user requests account deletion (Dashboard > Settings > Delete Account):
- Immediate: Account is deactivated, authentication tokens are revoked
- Within 24 hours: Active transfers are cancelled, liveness checks are stopped
- Within 30 days: All personal data is permanently deleted (profile, wills, survivors, connectors, storage configs, key material)
- Retained: Billing records for tax compliance (7 years), anonymized aggregate usage data
Deletion Verification
Deletion is verified through:
- Database record removal (hard delete, not soft delete, for personal data)
- Encrypted file removal from storage backends
- Key material destruction (DEKs and Shamir shares)
- Log entries confirming deletion completion
Exceptions to Deletion
Data may be retained beyond the standard retention period when:
- Required by applicable law (tax records, legal hold)
- Subject to an active legal proceeding or government investigation
- Necessary to resolve an ongoing dispute
In such cases, the data is retained only for the minimum period required and access is restricted.
Self-Hosted Deployments
For self-hosted BAP instances:
- You (the operator) are responsible for implementing data retention and deletion procedures
- The software provides deletion APIs and dashboard controls
- You must configure your own log rotation, backup retention, and database cleanup
- This policy serves as a recommended baseline
Changes
This policy is reviewed annually and updated to reflect changes in applicable law, data processing activities, or audit findings.
Contact
Privacy inquiries: privacy@baprotocol.com
This Data Retention Policy is part of our Terms of Service. By using BAP, you agree to both.