1. Overview
This Data Retention Policy describes how eIDAS Pro ("we," "our," or "us") retains, stores, and manages data collected through our identity verification services. This policy is part of our commitment to GDPR compliance and data protection best practices.
We adhere to the data minimization principle—we only collect and retain data that is necessary for providing our services, and we delete data when it is no longer needed.
2. Data Categories and Retention Periods
2.1 Verification Session Data
Data generated during identity verification sessions:
- Session identifiers - Retained for 24 hours after session completion
- Verification results - Retained according to your subscription tier
- Requested attributes - Only stored transiently during verification, not persisted
Data Minimization by Design
eIDAS Pro never receives or stores identity documents, biometric data, or passport scans. We only process the specific verification attributes you request through the eIDAS infrastructure.
2.2 Audit Logs
Audit logs contain records of verification events and are retained based on your subscription tier:
- Starter Tier - No audit log retention
- Growth Tier - 30 days retention
- Scale Tier - 90 days retention
- Enterprise Tier - Configurable retention (up to unlimited, as per contract)
2.3 Account Data
Information associated with your eIDAS Pro account:
- Account credentials - Retained while account is active
- Billing information - Retained for 7 years (tax/legal requirements)
- API keys - Retained while active; deleted immediately upon revocation
- Usage statistics - Retained for 12 months in aggregated form
2.4 Support and Communication Data
- Support tickets - Retained for 3 years after resolution
- Email communications - Retained for 3 years
- Feedback and surveys - Retained for 2 years
3. Retention by Subscription Tier
| Data Type | Starter | Growth | Scale | Enterprise |
|---|---|---|---|---|
| Audit Logs | None | 30 days | 90 days | Custom |
| Verification Results | 24 hours | 30 days | 90 days | Custom |
| Session Metadata | 24 hours | 7 days | 30 days | Custom |
| Webhooks History | N/A | N/A | 30 days | Custom |
4. Legal Basis for Retention
We retain data based on the following legal grounds under GDPR:
- Contract performance - To provide the services you have subscribed to
- Legal obligations - Tax records, regulatory compliance (e.g., 7 years for financial data)
- Legitimate interests - Security, fraud prevention, service improvement
- Consent - Marketing communications (until consent is withdrawn)
5. Data Storage and Security
5.1 Storage Location
All data is stored within the European Union:
- Primary database - Supabase EU region (SOC 2 certified)
- Backups - Encrypted and stored in EU data centers
- CDN/Edge - EU-only edge locations for sensitive operations
5.2 Security Measures
- Encryption at rest (AES-256)
- Encryption in transit (TLS 1.3)
- Role-based access controls
- Regular security audits
- Automated vulnerability scanning
6. Automated Deletion
We implement automated data lifecycle management:
- Scheduled jobs - Run daily to identify and delete expired data
- Soft delete - Data is marked for deletion and removed within 24 hours
- Backup cleanup - Backup retention follows the same policy
- Audit trail - Deletion events are logged for compliance
7. Account Termination
When you close your eIDAS Pro account:
- Immediate - API access revoked, active sessions terminated
- Within 7 days - Verification data and audit logs deleted
- Within 30 days - All account data permanently deleted
- Exception - Billing records retained for 7 years (legal requirement)
You may request data export before account closure. See our Deletion Procedures page for details.
8. Your Rights
Under GDPR, you have the following rights regarding your data:
- Right to access - Request a copy of your data
- Right to rectification - Correct inaccurate data
- Right to erasure - Request deletion of your data
- Right to restriction - Limit how we process your data
- Right to portability - Receive your data in a portable format
- Right to object - Object to certain processing activities
To exercise these rights, contact us at support [at] eidas-pro.com or visit our Deletion Procedures page.
9. Customer Responsibilities
Important: Your Data Retention Obligations
If you store verification results in your own systems, you are a data controller and must implement your own retention policies.
Ensure your retention periods are proportionate to your use case and comply with applicable regulations (GDPR, AML/KYC, industry-specific requirements).
10. Policy Updates
We may update this policy to reflect changes in our practices or legal requirements. Material changes will be communicated via:
- Email notification to account administrators
- Notice on our website
- 30 days' advance notice for significant changes
11. Contact Us
For questions about this Data Retention Policy:
Email: support [at] eidas-pro.com
Support: eidaspro.com/support
Last Updated: January 29, 2026
Version: 1.0