Product Policy
DD Auth
Product-Specific Policy
1.0
DD Auth Data Retention Policy
Last Updated: January 1, 2026
Important Notice
This is a product-specific policy. In case of any conflict between this policy and our Common Policies, this product-specific policy shall prevail for the applicable product.
1. Introduction
This Data Retention Policy describes how long DD Auth retains different types of data and the procedures for data deletion. This policy applies to all data collected through DD Auth Web Application (auth.duodev.in), DD Auth Mobile Application (in.duodev.auth), and DD Accounts (accounts.duodev.in).
2. Account Data Retention
Account Data:
• User profile (name, email): Account lifetime + 90 days
• Profile picture: Account lifetime + 30 days
• Account preferences: Account lifetime
• Email verification status: Account lifetime
3. Authentication Data Retention
Authentication Data:
• OAuth2 access tokens: 1 hour (or configured expiry)
• OAuth2 refresh tokens: 30 days (or configured expiry)
• Session data: Session duration + 24 hours
• PKCE verifiers: Authentication flow completion
• Login timestamps: 90 days
4. Vault Data Retention
Vault Data:
• Active vault items: Until user deletion
• Soft-deleted items: 30 days after deletion
• Permanently deleted items: Immediate removal
• Vault metadata: Same as associated item
5. Security and Audit Data Retention
Security and Audit Data:
• Authentication logs: 90 days
• Failed login attempts: 90 days
• Security events: 1 year
• API access logs: 90 days
• IP addresses: 90 days
6. Technical Data Retention
Technical Data:
• Error logs: 30 days
• Performance metrics: 30 days
• Usage analytics (anonymized): 2 years
• Device information: Account lifetime
7. Backup Data Retention
Backup Data:
• System backups: 30 days rolling
• Encrypted vault backups: 30 days after deletion
• Database snapshots: 7 days rolling
8. User-Initiated Deletion
Vault Items:
• Soft Delete: Items moved to trash are retained for 30 days
• Permanent Delete: Immediately removes data from active storage
• Trash Empty: Empties all soft-deleted items immediately
Account Deletion - When you delete your account:
1. Immediate: Access revoked, sessions terminated
2. Within 24 hours: Active vault items queued for deletion
3. Within 7 days: Account marked for removal
4. Within 30 days: Data removed from backups
5. Within 90 days: All data permanently purged
9. Automatic Deletion
Automatic Deletion Triggers:
• Token expiry → Access/Refresh tokens: Automatic
• Session timeout → Session data: 24 hours after
• Soft delete expiry → Trashed vault items: 30 days
• Log rotation → System logs: Per retention policy
• Backup rotation → Old backups: 30 days
Deletion Verification - We implement secure deletion practices:
• Cryptographic erasure - Encryption keys destroyed
• Database deletion - Records removed from tables
• Backup expiry - Data ages out of backups
• Audit trail - Deletion events logged (without data)
10. Data Export (Before Deletion)
Export Formats:
• DD Auth Encrypted: Password-protected backup (All vault data)
• DD Auth JSON: Plaintext JSON (All vault data)
• TOTP URI: Standard format (TOTP codes only)
• CSV: Spreadsheet format (Passwords only)
Export Process:
1. Navigate to Settings → Export
2. Choose export format
3. Set encryption password (if applicable)
4. Download export file
5. Verify export contents
What's Included: All vault items (passwords, TOTP, notes), Item metadata, Creation and modification dates, Tags and categories (if applicable)
What's Not Included: Account credentials (email, password), Authentication tokens, Device information, Activity logs
11. Inactive Accounts
For accounts with no activity:
• 12 months inactivity: Warning email sent
• 18 months inactivity: Final warning
• 24 months inactivity: Account marked for deletion
• 24 months + 30 days: Account deleted (with notice)
12. Mobile App Local Data
DD Auth App Data - Local data on your device:
• Encryption keys: Secure Storage - Until app uninstall
• Vault database: App storage - Until user deletes
• Preferences: App storage - Until user clears
• Cache: Cache directory - Until cleared
Clearing Local Data - You can clear local data by:
• Using "Clear All Data" in app settings
• Uninstalling the application
• Clearing app data in device settings
Sync Considerations - When clearing local data:
• Server data is NOT affected
• Re-sync will restore from server
• Offline-only data will be lost
13. Your Rights
Right to Access:
You can request a copy of all data we hold about you by contacting privacy@duodev.in. Response within 30 days. Data provided in portable format.
Right to Deletion:
You can request deletion of your data through account settings or by contacting support, subject to legal retention requirements.
Right to Rectification:
You can request correction of inaccurate data.