Last updated: 07-01-2026
This Data Retention Policy outlines how Drupto Consultants Pvt Ltd ("we," "us," or "our") retains and deletes personal data collected through DruptoQuiz (the "Platform"). It specifies retention periods for different categories of data, the legal bases for retention, and our procedures for secure deletion. This policy is designed to comply with the storage limitation principle under the Digital Personal Data Protection Act, 2023 (DPDP Act) of India and other applicable data protection laws.
1. Introduction
We are committed to retaining personal data only for as long as necessary to fulfill the purposes for which it was collected, or to comply with legal, regulatory, or contractual obligations. This policy provides transparency about our data retention practices and helps you understand how long your data is kept and when it is permanently deleted.
2. Data Retention Principles
Our retention practices are guided by the following principles:
- Purpose Limitation: Data is retained only for the specific, legitimate purposes for which it was collected.
- Storage Limitation: Data is kept no longer than necessary to achieve those purposes.
- Legal Compliance: Retention periods are determined by legal, regulatory, and contractual requirements.
- Data Minimization: We retain the minimum amount of data necessary for each purpose.
- Secure Deletion: When retention periods expire, data is permanently and securely deleted using industry‑standard methods.
3. Retention Schedule
The table below details retention periods for different categories of personal data we process:
| Data Category | Retention Period | Legal Basis | Purpose |
|---|---|---|---|
| User Account Data (name, email, profile) | Until deletion request + 45 days | Consent | Service delivery, account management |
| Quiz Submissions & Results | 5 years | Legitimate use | Certificate verification, dispute resolution, performance records |
| Proctoring Logs & Session Data | 30 days | Legal obligation | Dispute resolution, integrity verification |
| Payment Records & Transaction Data | 7 years | Legal obligation | Tax compliance, financial auditing |
| Support Communications (emails, chat logs) | 3 years | Legitimate use | Service improvement, quality assurance |
| Analytics & Usage Data | 14 months | Consent | Performance analysis, feature optimization |
| Biometric Data (facial landmarks, gaze patterns) | Immediate deletion after quiz session ends | Consent | Proctoring integrity, session monitoring |
| AI‑Generated Content (quiz questions, feedback) | Same as associated quiz/submission | Contractual necessity | Service delivery, educational purposes |
| Backup Data | 30 days from creation | Legitimate use | Disaster recovery, business continuity |
Note: Retention periods may be extended if required by law, regulation, or ongoing legal proceedings. In such cases, data will be retained only for the duration of the legal requirement.
4. Post‑Deletion Retention (45‑Day Grace Period)
When you request deletion of your account or personal data, we implement a 45‑day grace period before permanent deletion. During this period, your data is:
- Soft‑deleted: Marked as inactive and removed from public access.
- Retained for limited purposes: Kept only for the following specific purposes:
- Account recovery: To allow you to change your mind and restore your account within 45 days.
- Fraud prevention: To investigate and prevent fraudulent activities that may have occurred before deletion.
- Legal compliance: To comply with legal holds, regulatory inquiries, or law enforcement requests.
- Dispute resolution: To resolve any disputes or appeals that were initiated before the deletion request.
After 45 days, all personal data is permanently and irreversibly deleted from our production systems, backups, and any third‑party systems under our control.
5. Data Deletion Procedures
We employ automated and manual procedures to ensure secure deletion of data when retention periods expire:
- Scheduled Cloud Functions: Automated Firebase Cloud Functions run daily to identify and permanently delete data whose retention period has expired.
- Secure Deletion Methods: Data is deleted using secure deletion protocols that overwrite storage locations where technically feasible, or through permanent deletion APIs provided by Google Cloud Platform.
- Backup Purge: Backup data containing expired personal data is purged during the next backup rotation cycle (within 30 days).
- Third‑Party Data Deletion: We instruct our sub‑processors (e.g., Google, Razorpay) to delete data in accordance with our retention schedule through automated API calls or manual requests.
- Audit Logging: All deletion activities are logged with timestamps, user/function identifiers, and data categories for audit purposes.
6. User Rights Regarding Data Retention
You have the following rights concerning the retention of your personal data:
- Right to Erasure: You can request deletion of your personal data at any time, subject to legal exceptions.
- Right to Access Retention Information: You can request details about how long your specific data categories are retained.
- Right to Object to Retention: You can object to the retention of your data based on legitimate uses, and we will review your request in accordance with the DPDP Act.
- Right to Data Portability: Before deletion, you can request a copy of your data in a structured, commonly used format.
To exercise these rights, contact us at support@druptoconsultants.com.
7. Legal & Regulatory Compliance
Our retention periods are designed to comply with applicable laws and regulations:
- DPDP Act (India): Section 8(7) requires data fiduciaries to retain personal data only as long as necessary for the specified purpose.
- Income Tax Act (India): Requires retention of financial records for 7 years.
- Consumer Protection Laws: Require retention of transaction records for dispute resolution periods.
8. Changes to This Policy
We may update this Data Retention Policy as our practices evolve or as legal requirements change. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. Continued use of the Platform after such changes constitutes acceptance of the revised policy.
9. Contact for Retention‑Related Queries
If you have questions, concerns, or requests related to our data retention practices, please contact:
Data Protection Officer
Drupto Consultants Pvt Ltd
Email: saurabh.chandra@druptoconsultants.com
Phone: +91-6388063038 (available during business hours)
Address: JAIPURIA INNOVATION AND INCUBATION CENTRE, Hahnemann Rd, Vineet Khand, Gomti Nagar, Lucknow, Uttar Pradesh 226010
For general support, you may also contact support@druptoconsultants.com.