Data Retention Policy
1. Purpose and Scope
This Data Retention Policy ("Policy") sets out the principles and specific retention periods that SkyL4rk (Pty) Ltd applies to personal and operational data collected and processed across all platforms operated under the SkyL4rk umbrella, including xCrypt, Verilink, TermsCon, SkyVault, and SkyDome.
This Policy applies to all data in SkyL4rk's custody or control, whether held in production systems, backup systems, archives, or offline storage. It applies to SkyL4rk as a data controller for its own data, and informs the obligations SkyL4rk undertakes as a data processor under client DPAs.
This Policy supports SkyL4rk's compliance with:
- The Protection of Personal Information Act 4 of 2013 (POPIA) — particularly Condition 5 (Further Processing Limitation) and Condition 9 (Security Safeguards)
- The General Data Protection Regulation (GDPR) — particularly Article 5(1)(e) (Storage Limitation)
- The Tax Administration Act 28 of 2011
- The Electronic Communications and Transactions Act 25 of 2002 (ECTA)
- The Financial Intelligence Centre Act 38 of 2001 (FICA) where applicable
2. Retention Principles
SkyL4rk adheres to the following principles in determining data retention periods:
- Purpose limitation: Data is retained only for as long as is necessary to fulfil the purpose for which it was collected, or as required by law.
- Minimal retention: Retention periods are set at the minimum required — we do not retain data "just in case".
- Legal compliance: Where legislation mandates minimum retention periods, those periods are respected even if the business purpose has ceased.
- Security during retention: Data retained beyond its active use phase is subject to the same security controls as live data.
- Documented deletion: Deletion events are logged and verifiable.
3. Retention Schedule
| Data Category | Specific Data Types | Retention Period | Legal / Business Basis | Action at End of Period |
|---|---|---|---|---|
| Merchant Account Data | Name, email, contact details, company info, user UUID, role, password hash | Duration of account + 5 years post-termination | Contractual obligation; tax and financial record-keeping (Tax Administration Act) | Secure deletion / anonymisation |
| Sub-Client Account Data | Name, email, client ID, API key, webhook URL, status | Duration of active relationship + 3 years, or 24 months of inactivity (whichever comes first) | Contractual necessity; merchant instruction as data controller | Secure deletion upon expiry or merchant instruction |
| License Keys and Entitlement Records | License key hash, expiration date, activation history, revocation records and reasons, usage count | 7 years from date of issuance or last activity | Financial record-keeping obligations (Tax Administration Act S29); audit trail requirements; potential legal disputes | Secure deletion; key hashes may be anonymised and statistical records retained |
| API Usage Logs | Endpoint accessed, timestamp, IP address, response code, parent and sub client IDs, metadata | 12 months rolling | Security monitoring; fair use enforcement; debugging; billing verification | Automated deletion on rolling basis; aggregated statistical summaries retained indefinitely |
| Billing and Invoice Records | Invoice amount, plan tier, overage charges, payment status, payment timestamps | 7 years from invoice date | Tax Administration Act; VAT records; financial audit requirements | Secure deletion |
| Usage Summaries (Billing Rollup) | Monthly validation counts, activation counts, webhook counts per merchant | 7 years from billing period | Financial record-keeping; overage dispute resolution | Secure deletion |
| Webhook Delivery Logs | Event type, payload, delivery response, success status, timestamp | 6 months rolling | Debugging; merchant support; delivery verification | Automated deletion on rolling basis |
| Authentication and Security Logs | Login events, failed authentication attempts, IP addresses, session tokens | 12 months | Security monitoring; incident investigation; fraud detection | Secure deletion; anonymised aggregates retained for trend analysis |
| Identity Verification Data (Verilink KYC) | ID document type and number, biometric scan data, liveness scores, MRZ data, verification outcome | As required by applicable FICA and KYC regulations — typically 5 years from verification event | FICA compliance; AML obligations; regulatory audit trail | Secure deletion; biometric data deleted as soon as verification outcome is recorded unless legal hold applies |
| Support and Communications | Email correspondence, support tickets, contact form submissions | 3 years from date of communication | Business record; dispute resolution; reference for recurring issues | Secure deletion |
| Contractual Records | Accepted terms versions, DPA acceptance timestamps, consent records | Duration of relationship + 5 years | Legal evidence of contractual agreement; regulatory compliance | Secure deletion |
| Secret Keys and Cryptographic Material | Secret keys used for API authentication and encryption | Active use only; rotated or deleted upon revocation or account termination | Security best practice; no legitimate purpose once revoked | Immediate secure deletion upon revocation |
| Verified Email Records | Email address, verification code, confirmation date, status | Duration of account + 1 year | Verification audit trail | Secure deletion |
| Site Contact Submissions | Name, email, message content, IP address, submission date | 2 years from submission date | Business follow-up; spam/abuse detection | Secure deletion |
4. Backup Retention
Database backups are created daily and retained on a rolling 30-day basis. Backups are:
- Encrypted at rest using AES-256
- Stored on geographically separate infrastructure from live data
- Subject to access controls equivalent to live production data
- Automatically purged after 30 days in the normal rotation cycle
Where a data deletion or erasure request is received for live data, the relevant data will be deleted from live systems immediately. Corresponding backup copies may persist for up to 30 days in encrypted backup archives before being purged in the normal rotation. During this period, backup data is not accessible or used in any way.
5. Right to Erasure and Early Deletion
5.1 Merchant-Initiated Deletion
Merchants may request deletion of their own account data or the data of their Sub-Clients at any time. Requests must be submitted in writing to legal@xcrypt.co.za. SkyL4rk will process the deletion within 30 days of the verified request, subject to legal retention obligations.
5.2 Legal Retention Override
Deletion requests may be partially or fully deferred where SkyL4rk is required to retain the data by law — for example, financial and invoice records subject to Tax Administration Act requirements. In such cases, SkyL4rk will:
- Delete all data not subject to a legal hold
- Inform the requestor of the specific categories retained and the applicable legal basis
- Apply the minimum necessary retention and delete at the earliest permitted date
5.3 Data Subject Requests via Merchants
Where a Sub-Client exercises their right to erasure against the Merchant (as data controller), the Merchant may instruct SkyL4rk (as processor) to delete the relevant Sub-Client data via the dashboard or API, or in writing to legal@xcrypt.co.za.
6. Automated Deletion Processes
SkyL4rk operates automated processes to enforce the following retention rules:
- API usage logs older than 12 months are purged on a rolling monthly basis
- Webhook logs older than 6 months are purged on a rolling monthly basis
- Sub-client records with no API activity for 24 consecutive months are flagged for review and deletion
- Backup archives older than 30 days are purged automatically
Automated deletion events are logged for audit purposes.
7. Data Destruction Standards
When data reaches the end of its retention period, SkyL4rk applies the following destruction standards depending on the storage medium:
- Database records: Hard deletion (not soft-delete) from production databases; confirmed via deletion logs
- Backup media: Overwritten and purged in accordance with the 30-day rolling backup rotation
- Physical media: Shredded or degaussed in accordance with applicable standards (where physical media is used — currently minimal)
- Cloud storage: Deletion via cloud provider API with confirmation; cryptographic erasure applied where full deletion is not immediately possible
8. Legal Holds
Where SkyL4rk becomes subject to litigation, regulatory investigation, or court order requiring preservation of data beyond its scheduled retention period, SkyL4rk will implement a legal hold on the relevant data. Legal holds suspend automated deletion processes for the affected data only. Legal holds are managed by the Information Officer and reviewed quarterly.
9. Retention of Anonymised Data
Anonymised or aggregated data — from which no individual can be identified, directly or indirectly — is not subject to this Policy's retention limits. SkyL4rk may retain aggregated usage statistics, trend data, and platform performance metrics indefinitely for product development and business intelligence purposes.
10. Cross-Border Considerations
Where personal data is stored by sub-processors in jurisdictions outside South Africa, SkyL4rk ensures that those sub-processors are contractually required to apply equivalent or stricter data retention and deletion standards. Deletion instructions are propagated to relevant sub-processors within a reasonable timeframe, typically within 30 days of the deletion instruction being applied to live systems.
11. Review of This Policy
This Policy is reviewed at least annually, or sooner where there are material changes to applicable legislation, SkyL4rk's data processing activities, or following a significant security or data incident. The current version is always published at https://xcrypt.co.za/legal/data-retention.html.
12. Contact
For queries about data retention, deletion requests, or this Policy:
- Email: legal@xcrypt.co.za
- Information Officer: Michael Beuster
- Address: SkyL4rk (Pty) Ltd, Ballito, KwaZulu-Natal, South Africa