Table of Contents
- Purpose & Legal Foundation
- Scope & Applicability
- Definitions
- Master Retention Schedule — Financial Records
- Master Retention Schedule — User & Platform Data
- Master Retention Schedule — Legal & Compliance Records
- Master Retention Schedule — HR & Employment Records
- Master Retention Schedule — Technology & Security Records
- Master Retention Schedule — Contract & Vendor Records
- Master Retention Schedule — Marketing & Communication Records
- Legal Hold Procedure
- Secure Deletion & Destruction Standards
- Storage Standards & Classification
- Employee Responsibilities
- Vendor & Third-Party Records
- Audit & Compliance Review
- Records Retention for Regulatory Requests
- DPDP Act 2023 — Data Minimisation & Retention
- Policy Review & Updates
- Contact & Grievance
1. Purpose & Legal Foundation
This Records Retention Policy ("RET Policy") establishes the binding framework governing how long RLS Retail Private Limited ("Company"), operating SeekhoBecho.com, retains records — and how and when records are securely destroyed. This Policy is referenced in the SeekhoBecho.com Code of Conduct (COD-01) and is mandatory for all employees, contractors, vendors, and departments.
Proper records retention serves dual purposes: (1) Legal Compliance — Indian law mandates minimum retention periods for specific categories of records; retaining records for shorter periods creates legal liability. (2) Data Minimisation — DPDP Act 2023 requires that personal data is not retained beyond what is necessary; retaining data longer than required creates regulatory risk. This Policy balances both obligations.
Core Rule: Keep records for the legally required or operationally necessary minimum period — then delete securely. Neither premature deletion nor indefinite hoarding is compliant.
2. Scope & Applicability
2.1 Applies To: All records created, received, stored, or managed by RLS Retail Private Limited — in any format (digital, physical, email, cloud, app-generated).
2.2 Persons Covered: All employees (full-time, part-time, contract, intern), all vendors with access to Company records, all departments, and all platform systems that generate records.
2.3 Record Types Covered: Financial records; user personal data; legal documents and agreements; HR and employment records; technology and security logs; marketing and communication records; intellectual property records; regulatory correspondence.
2.4 Format Applies Equally: Retention obligations apply regardless of whether records are stored in cloud systems, local servers, personal devices, email, WhatsApp, paper, or any other medium.
3. Definitions
| Term | Meaning |
|---|
| "Record" | Any document, file, email, log, database entry, message, image, audio, video, or any other information created or received in the course of Company business. |
| "Retention Period" | The minimum time a record must be kept before it may be deleted. Some records have both minimum and maximum retention periods. |
| "Secure Deletion" | Permanent, irreversible destruction of a record such that it cannot be recovered — as distinct from moving to Trash/Recycle Bin. |
| "Legal Hold" | A temporary suspension of normal retention/deletion schedules, ordered by Legal counsel, when records may be relevant to litigation, regulatory investigation, or government inquiry. |
| "Personal Data" | Any information identifying or capable of identifying a natural person, as defined under DPDP Act 2023, Section 2(t). |
| "Custodian" | The employee or department responsible for managing a specific category of records per this Policy. |
4. Master Retention Schedule — Financial Records
| Record Type | Retention Period | Legal Basis | Custodian |
|---|
| GST returns, invoices, purchase records | 8 years from the relevant financial year end | CGST Act 2017, Section 36 | Finance |
| Income Tax records (ITR, TDS returns, challans) | 8 years from end of assessment year | Income Tax Act 1961, Section 149 | Finance |
| TDS certificates (Form 16, 16A) | 8 years | Income Tax Act 1961 | Finance |
| Bank statements, payment records | 8 years | Income Tax Act 1961; PMLA 2002 | Finance |
| Payroll records, salary registers | 8 years | Income Tax Act 1961; Shops Act | Finance / HR |
| Expense claims and reimbursements | 8 years | Income Tax Act 1961 | Finance |
| Subscription payment records | 8 years | CGST Act 2017 | Finance / Tech |
| Wholesale order financial records | 8 years | CGST Act 2017 | Finance |
| Platform Commission records (DS-01) | 8 years | CGST Act 2017; Income Tax Act | Finance / Tech |
| Prize and payout records (gaming, leagues) | 8 years | Income Tax Act 1961 (Section 194BA) | Finance / Gaming |
| AML monitoring records | 10 years | PMLA 2002, Section 12 | Finance / Compliance |
5. Master Retention Schedule — User & Platform Data
| Record Type | Minimum Retention | Maximum Retention (DPDP Act) | Legal Basis |
|---|
| User account data (name, email, phone) | Account lifetime | Account lifetime + 2 years | DPDP Act 2023; IT Rules 2021 |
| KYC documents (PAN, Aadhaar last 4) | 8 years from last transaction | 8 years (statutory) | Income Tax Act; PMLA 2002 |
| Pearl Economy transaction logs | 3 years | 5 years | Dispute resolution; CGST |
| Gaming session data (scores, results) | 3 years | 5 years | PROG Act 2025; dispute resolution |
| Order history (dropshipping, wholesale) | 8 years | 8 years (statutory) | CGST Act 2017 |
| Course enrollment and completion records | 5 years | 7 years | Skill certificate validity; dispute resolution |
| Consent records (DPDP Act marketing consent) | Duration of consent + 1 year | Duration of consent + 2 years | DPDP Act 2023, Section 6 |
| Wholesale checkout disclaimer (WS-D01) consent logs | 3 years | 5 years | Contract Act 1872 (limitation period) |
| Grievance records (GRP-01) | 2 years from resolution | 3 years | IT Rules 2021; Consumer Protection Act |
| User-submitted content (UGC) — after deletion by user | 180 days (residual) | 180 days max | DPDP Act 2023; IT Act |
| Deleted user data (after erasure request) | Minimum hold: 0 days | Maximum: 30 days (processing time) | DPDP Act 2023, Section 12 |
| Support ticket records | 2 years | 3 years | IT Rules 2021; Consumer Protection Act |
DPDP Act 2023 Warning: Personal data must NOT be retained beyond the retention period shown in the "Maximum Retention" column. Continued retention of personal data beyond maximum permitted periods is a violation of DPDP Act 2023 and may attract Data Protection Board enforcement action.
6. Master Retention Schedule — Legal & Compliance Records
| Record Type | Retention Period | Legal Basis |
|---|
| Executed contracts and agreements (all types) | 10 years from expiry/termination | Contract Act 1872 (limitation: 3 years; best practice: 10) |
| NDAs (NDA-01 to NDA-04) | 10 years from end of confidentiality period | Contract Act 1872; NDA terms |
| Vendor agreements (V-177 to V-188) | 10 years from termination | Contract Act 1872 |
| Subscription plan agreements (all 7 plans) | 8 years from last transaction | CGST Act; Contract Act |
| Legal notices received and sent | 10 years | Limitation Act 1963 |
| Court orders and regulatory directions | Permanent | Compliance requirement |
| IP registrations (trademarks, copyrights) | Permanent (while IP is active) + 10 years after | Trade Marks Act; Copyright Act |
| Content moderation records (takedown notices) | 3 years | IT Act 2000; IT Rules 2021 |
| POCSO/child safety incident records | 10 years | POCSO Act 2012; Evidence Act |
| POSH complaints and ICC proceedings | 3 years from case closure | POSH Act 2013, Section 16 |
| Regulatory correspondence (MeitY, CERT-In, DPB) | 10 years | Regulatory best practice |
| Arbitration records | 10 years from award | Arbitration Act 1996; Limitation Act |
7. Master Retention Schedule — HR & Employment Records
| Record Type | Retention Period | Legal Basis |
|---|
| Employment agreements and offer letters | 10 years post-employment end | Contract Act 1872; Labour laws |
| Employee KYC and PAN records | 8 years post-employment end | Income Tax Act 1961; PF Act |
| PF/ESIC records | 5 years post-employment | EPF Act 1952; ESIC Act 1948 |
| Leave records and attendance | 3 years | Shops and Establishments Act |
| Performance reviews and PIPs | 5 years post-employment | Labour law; disciplinary evidence |
| Disciplinary records and show-cause notices | 5 years post-employment | Labour law; potential litigation |
| BGV (Background Verification) records | 5 years post-employment | Company policy; due diligence |
| COD-01 Code of Conduct acknowledgements | 10 years post-employment | COD-01; enforcement evidence |
| NDA-01 (Employee/Contractor NDA) signed copies | 10 years post-employment | Contract Act 1872; NDA enforcement |
| Resigned/terminated employee data (general HR) | 3 years post-departure | Labour law; DPDP Act 2023 |
| Payroll and salary records | 8 years | Income Tax Act 1961 |
8. Master Retention Schedule — Technology & Security Records
| Record Type | Retention Period | Legal Basis |
|---|
| Cybersecurity incident logs | 5 years | CERT-In Directions 2022; IT Act 2000 |
| Access logs (login, admin, data access) | 180 days minimum; 1 year recommended | CERT-In Directions 2022 (Clause 10) |
| System event logs (server, application) | 180 days minimum | CERT-In Directions 2022 |
| Data breach notification records (CY-02) | 5 years | DPDP Act 2023; CERT-In |
| Penetration test reports (CY-04) | 3 years | CY-04; security best practice |
| Backup verification records (DRP-01) | 3 years | DRP-01; operational |
| WS-D01 Wholesale consent logs | 3 years | Contract Act 1872; Evidence Act |
| Cookie consent logs (CP-01) | 1 year from consent | DPDP Act 2023; CP-01 |
| API access logs (vendor integrations) | 180 days minimum | CERT-In Directions 2022 |
| Vulnerability disclosure records (CY-03) | 3 years | CY-03; security practice |
| Source code version history | Permanent (active) + 5 years (deprecated) | IP protection; Company Act 2013 |
9. Master Retention Schedule — Contract & Vendor Records
| Record Type | Retention Period | Reason |
|---|
| Master Vendor Services Agreement (V-177) | 10 years post-termination | Liability period; Contract Act |
| Specific vendor agreements (V-178 to V-188) | 10 years post-termination | Contract Act 1872 |
| Vendor KYC and due diligence records | 5 years post-engagement | PMLA 2002; company risk management |
| Vendor invoices and payment records | 8 years | CGST Act 2017; Income Tax Act |
| Influencer and creator agreements (AGR-04, A-MK-05) | 5 years post-campaign | IP terms; ASCI compliance evidence |
| Affiliate agreement records (AGR-06) | 5 years post-agreement end | Commission records; Income Tax |
10. Master Retention Schedule — Marketing & Communication Records
| Record Type | Retention Period | Legal Basis |
|---|
| Marketing consent records (email, WhatsApp opt-ins) | Duration of consent + 2 years | DPDP Act 2023; TRAI DND regulations |
| Opt-out records (DND, unsubscribe) | 3 years minimum | TRAI regulations; Consumer Protection Act |
| Advertising creatives (Meta, Google) | 3 years from last use | ASCI; IP; Campaign attribution |
| Campaign performance reports | 3 years | Financial audit; Board reporting |
| External communications (press releases, statements) | Permanent | Public record; Brand history |
| ASCI compliance records | 3 years | ASCI Code; Consumer Protection Act 2019 |
| Social media posts and records | 3 years (accessible); archives indefinitely | Reputation management; Brand history |
| WhatsApp Business communication logs | 180 days (mandatory) + 1 year recommended | CERT-In Directions 2022 |
11. Legal Hold Procedure
11.1 What Is a Legal Hold? A Legal Hold is a directive issued by Legal counsel (compliance@seekhobecho.com) that suspends all normal destruction, deletion, or alteration of records that may be relevant to: pending litigation or arbitration, regulatory investigation, government inquiry, POCSO/child safety investigation, or any matter where records may be needed as evidence.
11.2 Who Can Issue a Legal Hold? Only the Founder/Director or Legal/Compliance team (compliance@seekhobecho.com). No other person may issue or suspend a Legal Hold.
11.3 Legal Hold Process: (1) Legal Hold notice issued in writing to affected Custodians; (2) Custodians immediately suspend all scheduled deletions of covered records; (3) Records under Legal Hold are tagged/marked in the records management system; (4) Legal Hold is lifted in writing by the same authority that issued it; (5) Normal retention/deletion schedule resumes after Legal Hold is lifted — records within their normal retention period are retained; records past their normal retention period are reviewed for deletion.
11.4 Violation of Legal Hold: Destruction of records subject to a Legal Hold — intentionally or negligently — is a serious disciplinary offence and may constitute destruction of evidence, which is a criminal act under IPC/BNS.
Legal Hold Override: A Legal Hold overrides ALL retention periods — including the deletion requirements under DPDP Act 2023. Records under Legal Hold cannot be deleted even if a user submits an erasure request, until the Legal Hold is lifted and the matter is resolved.
12. Secure Deletion & Destruction Standards
12.1 Digital Records: Deletion must use secure wiping methods that prevent recovery: (a) For cloud-stored records: permanent deletion using provider's secure deletion API (not just "Trash"); (b) For database records: overwrite with zeros/random data + database vacuuming; (c) For email: permanent deletion from all accounts + server-level deletion; (d) For backups: backup containing the record must also be purged from backup cycles per DRP-01 retention schedules.
12.2 Physical Records (Paper): Cross-cut shredding (minimum DIN 66399 P-4 level). Bulk shredding may use a certified shredding service. A Certificate of Destruction must be obtained and retained for 2 years.
12.3 Device Disposal: All Company devices must be securely wiped (DoD 5220.22-M standard or equivalent) before disposal, sale, or reuse. No device may be disposed of without IT sign-off confirming secure wipe. This applies to laptops, phones, hard drives, USB drives, and any storage media.
12.4 Vendor-Held Records: When a vendor engagement ends, vendors holding Company data must: (a) Return all Company data; (b) Provide a Certificate of Destruction for all copies; (c) Confirm in writing that no copies remain on vendor systems. This obligation is in Vendor Agreements (V-177 MSA).
13. Storage Standards & Classification
13.1 Storage Classification:
| Classification | Examples | Storage Standard |
|---|
| Permanent | Court orders, IP registrations, incorporation documents | Primary storage + 2 backup copies (different locations); never deleted without Founder approval |
| Long-term (8-10 years) | Financial records, tax records, contracts | Approved cloud storage (encrypted) + annual backup verification |
| Medium-term (3-5 years) | HR records, vendor records, security logs | Approved cloud storage; access-controlled |
| Short-term (1-2 years) | Support tickets, marketing records, consent logs | Active systems; auto-deletion on expiry where technically feasible |
| Operational (under 1 year) | Security access logs, session logs | Active logging systems; rolling deletion |
13.2 All records rated "Confidential" or above must be stored in encrypted format. Encryption standard: AES-256 at rest; TLS 1.2+ in transit.
14. Employee Responsibilities
14.1 Every employee is responsible for: (a) Knowing the retention periods applicable to records they create or manage; (b) Following scheduled deletion timelines; (c) Not deleting records before their minimum retention period expires; (d) Immediately notifying compliance@seekhobecho.com of any Legal Hold notice received; (e) Participating in periodic records audits.
14.2 Department Heads are responsible for: maintaining a current inventory of records in their department; ensuring staff training on this Policy; confirming compliance with annual records audit.
14.3 Employees who wilfully destroy records before their retention period expires — especially under Legal Hold — face immediate disciplinary action and potential legal proceedings.
15. Vendor & Third-Party Records
15.1 Third-party vendors who process or store Company records must comply with retention schedules equivalent to this Policy per their Vendor Agreement (V-177 MSA, Section on Data Management).
15.2 All vendor-held records are subject to the same Legal Hold obligations as internally-held records. Vendors must be notified of any Legal Hold affecting records they hold.
15.3 Cloud service providers (e.g., Firebase, BigQuery, HubSpot, Freshdesk) holding Company data are subject to their own deletion confirmation upon relationship termination per individual vendor agreements (V-178 to V-188).
16. Audit & Compliance Review
16.1 Annual Records Audit: Conducted by Compliance team. Reviews: adherence to retention schedules, identification of overdue deletions, identification of premature deletions, Legal Hold status, storage security compliance.
16.2 Audit Report: Presented to Founder annually. Any material non-compliance documented and remediated within 30 days of audit completion.
16.3 DPDP Act Compliance: Annual audit specifically reviews personal data retention against DPDP Act 2023 maximum retention limits. Over-retained personal data is scheduled for immediate deletion upon audit finding.
17. Records Retention for Regulatory Requests
17.1 When a regulatory authority (MeitY, Income Tax, CERT-In, Data Protection Board, Consumer Forum, SEBI, or any other authority) requests records, the following process applies: (1) All requests routed immediately to compliance@seekhobecho.com; (2) Legal counsel reviews the request for legality and scope; (3) Records within applicable retention period are produced per lawful request; (4) Records that have been securely deleted per this Policy and were not subject to Legal Hold: the deletion date and method are documented and provided to the authority as proof of proper record management (not destruction to evade compliance).
18. DPDP Act 2023 — Data Minimisation & Retention
18.1 Purpose Limitation: Records containing personal data may only be retained for the original stated purpose. If the purpose is fulfilled, personal data must be deleted even if the general retention period has not expired — unless another legal basis mandates retention.
18.2 User Erasure Requests: Per SCA-01 (Subscription Cancellation & Account Deletion Policy), users have the right to request erasure of their personal data. Erasure requests are processed within 30 days, subject to: (a) Legal Hold exceptions; (b) Statutory retention obligations (KYC, financial records, tax records cannot be deleted regardless of erasure request).
18.3 Automated Deletion: Where technically feasible, automated deletion workflows are implemented to delete personal data that has reached its maximum retention period — without requiring manual action for each individual record.
19. Policy Review & Updates
This Policy is reviewed annually and updated for: new DPDP Act Rules notifications, changes to CGST/Income Tax/labour law retention requirements, CERT-In direction amendments, and new record categories created by Platform expansion. Updated effective dates shown in Policy header. Material changes communicated to all Custodians with training.
20. Contact & Grievance
Compliance & Records Management
compliance@seekhobecho.com
Legal Holds, audit queries, regulatory requests, Policy clarifications
Data Protection (DPDP Act)
privacy@seekhobecho.com
Personal data retention, erasure requests, DPDP Act compliance
Grievance Officer — IT Rules 2021
grievance@seekhobecho.com
User complaints about data retention practices
General Support
support@seekhobecho.com
User queries about their data retention
Address: RLS Retail Private Limited, Plot-76-D, Phase IV, Udyog Vihar, Gurugram, Haryana – 122001 | GSTIN: 06AAJCR4683G1Z3