Data Retention Policy v1.0
Core Principle: zkOrigoPlus operates a stateless architecture. We do NOT retain wallet addresses, transaction data, or personally identifiable information (PII).
1. Data Retention Summary
| Data Type |
Retention Period |
Storage Location |
Deletion Method |
| Wallet Addresses |
NOT STORED |
N/A |
N/A (stateless) |
| Transaction Hashes |
NOT STORED |
N/A |
N/A (stateless) |
| PII (names, IDs, etc.) |
NOT STORED |
N/A |
N/A (stateless) |
| Aggregated Telemetry |
90 days |
DynamoDB (us-east-1) |
Automatic TTL expiration |
| Technical Logs (IP, user-agent) |
7 days |
CloudWatch Logs |
Automatic expiration |
| API Key Metadata |
Subscription + 1 year |
DynamoDB (us-east-1) |
Manual deletion on request |
| Billing Records |
7 years |
Stripe (external) |
Per Stripe policy |
2. Detailed Retention Policies
2.1 Aggregated Telemetry (90 Days)
What We Store:
- Timestamp of API request
- Module used (AML, ISO, RWA, ZK, KYC, CBP)
- Risk score (numeric value only, no identifiers)
- Response time (milliseconds)
- Error codes (if applicable)
What We Do NOT Store:
- Wallet addresses
- Transaction hashes
- User identities
- Request payloads
Purpose: Service performance monitoring, AI model training (statistical patterns only)
Deletion: Automatic via DynamoDB TTL (Time-To-Live) after 90 days
2.2 Technical Logs (7 Days)
What We Store:
- IP addresses (for rate limiting)
- User-agent strings
- HTTP request/response codes
- Request timestamps
Purpose: Abuse detection, rate limiting, debugging
Deletion: Automatic via CloudWatch Logs retention policy (7 days)
2.3 API Key Metadata (Subscription + 1 Year)
What We Store:
- Email address (for billing and support)
- API key identifier (hashed with bcrypt)
- Subscription tier (Starter, Professional, Enterprise)
- Usage limits and current usage
- Creation and expiration dates
Purpose: Billing, usage tracking, support
Deletion: Automatic 1 year after subscription ends, or on request
2.4 Billing Records (7 Years)
What We Store:
- Email address
- Payment history (via Stripe)
- Invoices and receipts
Purpose: Tax compliance, financial audits
Deletion: Per Stripe's retention policy (7 years for tax purposes)
3. Data NOT Retained
zkOrigoPlus does NOT store:
- Wallet Addresses: Passed in API requests but not logged or stored
- Private Keys: Never transmitted or stored
- Transaction Hashes: Not logged or stored
- Blockchain Data: Queried from external RPCs, not cached
- PII: Names, addresses, phone numbers, identity documents
- KYC Data: Handled by external provider (Sumsub), not stored by us
4. User Rights
4.1 Right to Access
Request a copy of your data: Email admin@autodigitalcoin.com
We will provide:
- API key metadata (email, tier, usage)
- Aggregated telemetry (if identifiable)
4.2 Right to Deletion
Request deletion of your data: Email admin@autodigitalcoin.com
We will delete:
- API key metadata (immediate)
- Aggregated telemetry (within 30 days)
Note: Billing records retained for 7 years (tax compliance)
4.3 Right to Portability
Request data export: Email admin@autodigitalcoin.com
We will provide JSON export of:
- API key metadata
- Usage statistics
5. Automated Deletion
5.1 DynamoDB TTL
Aggregated telemetry automatically deleted after 90 days via DynamoDB Time-To-Live (TTL) attribute.
5.2 CloudWatch Logs Expiration
Technical logs automatically deleted after 7 days via CloudWatch Logs retention policy.
5.3 API Key Expiration
Inactive API keys (no usage for 1 year after subscription ends) automatically deleted.
6. Data Backup and Recovery
6.1 Backups
- DynamoDB: Point-in-time recovery (35 days)
- S3: Versioning enabled (static assets only)
- No backup of PII: Not applicable (stateless)
6.2 Disaster Recovery
- Primary region: us-east-1
- Secondary region: ap-southeast-2 (static assets only)
- RTO (Recovery Time Objective): 4-24 hours
- RPO (Recovery Point Objective): 1 hour (telemetry only)
7. Third-Party Data Retention
7.1 Stripe (Payment Processor)
- Retains billing data for 7 years (tax compliance)
- See Stripe Privacy Policy: stripe.com/privacy
7.2 AWS (Infrastructure Provider)
- CloudWatch Logs: 7 days (per our configuration)
- DynamoDB: 90 days (per our TTL configuration)
- See AWS Privacy Policy: aws.amazon.com/privacy
7.3 External RPC Providers
- May log API requests (not under our control)
- Refer to their respective privacy policies
8. Compliance
8.1 GDPR (EU)
- Data minimization: Only essential data stored
- Purpose limitation: Data used only for stated purposes
- Storage limitation: Automatic deletion after retention period
- User rights: Access, deletion, portability supported
8.2 CCPA (California)
- Right to know: Data access requests supported
- Right to delete: Deletion requests supported
- Right to opt-out: Not applicable (we don't sell data)
9. Policy Updates
This policy may be updated with 30 days notice via email and website announcement. Continued use constitutes acceptance.
10. Contact
Data Retention Inquiries: admin@autodigitalcoin.com
Data Deletion Requests: admin@autodigitalcoin.com