Data Retention

  1. Purpose: This Data Retention Policy outlines the guidelines and procedures for the retention and disposal of customer payment data collected during online payment processing. It aims to protect customer information, comply with data protection laws, and ensure the secure handling of sensitive data.
  2. Scope: This policy applies to all employees, contractors, and third-party service providers involved in the collection, storage, processing, or disposal of customer payment data.
  3. Data Categories: The following categories of customer payment data may be collected and retained:
    • Cardholder information: Name, billing address, card number, expiration date, and CVV/CVC code.
    • Transaction details: Date, time, amount, payment method, and any relevant identifiers.
    • Contact information: Customer’s email address, phone number, and shipping address.
  4. Data Retention Guidelines:
    • 4.1 The Company will retain customer payment data only for as long as necessary to fulfill the purposes for which it was collected or as required by law.
    • 4.2 The retention period for customer payment data shall not exceed the duration necessary to process payments, facilitate refunds or chargebacks, and address any legal, accounting, or audit requirements.
    • 4.3 The Company will regularly review and update the data retention periods based on changes in applicable laws or business needs.
    • 4.4 Customer payment data that is no longer required will be securely disposed of in accordance with the Data Disposal Policy.
  5. Data Security and Access Controls:
    • 5.1 The Company will implement appropriate technical and organizational measures to protect customer payment data against unauthorized access, loss, or alteration.
    • 5.2 Access to customer payment data will be restricted to authorized personnel with a legitimate business need for accessing such data.
    • 5.3 All employees and contractors with access to customer payment data will receive adequate training on data protection, privacy, and security practices.
    • 5.4 Any data breaches or unauthorized access incidents will be promptly reported, investigated, and addressed following the Company’s Incident Response Plan.
  6. Third-Party Service Providers:
    • 6.1 The Company may engage third-party service providers for online payment processing. The selection of such providers will include an assessment of their data security measures and compliance with applicable data protection laws.
    • 6.2 The Company will ensure that third-party service providers have appropriate data protection and confidentiality agreements in place.
  7. Data Subject Rights: The Company will honor data subject rights regarding customer payment data, including the right to access, rectify, restrict processing, and erase personal data, as outlined in the Company’s Privacy Policy.
  8. Policy Review: This Data Retention Policy will be periodically reviewed and updated to ensure its continued effectiveness and compliance with relevant laws and regulations.
  9. Documented Procedures: The Company will maintain documented procedures that support the implementation of this Data Retention Policy, including data retention schedules, data disposal methods, and incident response processes.