5.1 Security Measures:
Encryption:
• All data in transit is encrypted using TLS/SSL protocols
• Sensitive data is encrypted at rest using industry-standard encryption
• Password data is hashed using secure algorithms (bcrypt, argon2)
• API communications are encrypted end-to-end
Access Controls:
• Access to personal data is restricted to authorized personnel
• Employee access is limited to "need-to-know" basis
• Role-based access controls limit access by job function
• Access logs are maintained for audit purposes
• Multi-factor authentication for staff access to sensitive systems
Infrastructure Security:
• Firewalls protect against unauthorized access
• Intrusion detection systems monitor for attacks
• Regular security patches and updates
• Vulnerability scanning and penetration testing
• DDoS protection and mitigation
• Redundant systems and backup protocols
Data Backup:
• Regular encrypted backups of user data
• Backups stored in secure, geographically diverse locations
• Backup integrity tested regularly
• Rapid recovery procedures in case of data loss
• Backup retention follows regulatory requirements
5.2 Data Storage Location:
Primary Storage:
• OCDAnchor data is primarily stored on servers in India
• Complies with India's localization requirements
• Data centers follow industry-standard security practices
• Physical security of data centers meets international standards
Secondary Storage:
• Backup data may be stored in secure Indian data centers
• For future international expansion, data may be stored in compliant locations
• Any cross-border data transfer complies with applicable regulations
• Users will be notified of significant storage location changes
5.3 Data Retention Periods:
Active Account Data:
• Personal and account data retained as long as account is active
• Continues for 12 months after account deactivation unless deleted
• Longer retention required for legal or contractual obligations
• Health-related data may be retained longer for continuity of care
Transaction Data:
• Payment and transaction records retained for 7 years
• Required for audit and compliance purposes
• Tax records retained per Income Tax Act requirements
Communications:
• Email and support communications retained for 2 years
• Forum and community posts retained as long as account is active
• Direct messages retained until deleted by users or 2 years of inactivity
• Deleted posts are archived for 30 days, then permanently removed
Analytics Data:
• Raw analytics data retained for 26 months
• Aggregated analytics retained indefinitely (cannot identify users)
• User identifiers removed from analytics after 26 months
Legal Holds:
• Data subject to legal holds retained as required
• Data required by regulatory bodies retained as required
• Data in disputes retained pending resolution
Deleted Data:
• Upon account deletion, personal data is deleted within 30 days
• Some data anonymized rather than deleted for analytics
• Backup copies retained for 90 days then purged
• Legal hold data retained longer if required
5.4 Data Deletion:
Right to Deletion:
• Users can request data deletion at any time
• Deletion request should be submitted through account settings
• OCDAnchor will delete data within 30 days (with exceptions)
• Users will receive confirmation of deletion
Exceptions to Deletion:
• Data required for legal obligations
• Data needed to resolve disputes
• Data necessary for safety or fraud prevention
• Backup data (deleted after 90 days)
• Aggregated, anonymized data that cannot identify you
• Data subject to legal holds
• Data necessary to comply with financial regulations
Anonymization:
• Some data is anonymized rather than deleted
• Anonymized data cannot identify you
• Anonymized data may be retained indefinitely
5.5 Security Incident Response:
In Case of Data Breach:
• OCDAnchor will investigate the breach promptly
• Affected individuals will be notified without undue delay
• Notification will be in writing via email or registered mail
• Notification will describe the breach and types of data involved
• Notification will include steps users should take
• Notification will include OCDAnchor's contact information
• Regulatory authorities will be notified if required by law
Users' Responsibilities:
• Report suspected security breaches immediately
• Use strong, unique passwords
• Do not share account credentials
• Maintain device security and software updates
• Secure your internet connection when accessing the platform