Data Retention Policy

If you want us to delete personal data we hold about you, you can submit a request at any time. We act on user data deletion requests as required by applicable law (typically within 30 days) and as required by the Meta Platform Terms when you interact with a service that integrates with Facebook, Instagram, or WhatsApp.

1. Send an email to privacy@gurumood.com with the subject line "Data Deletion Request".
2. Include the email address, phone number, or platform identifier (for example, your Facebook or Instagram username) that you used when interacting with our services.
3. Briefly describe what you want deleted (everything, a specific conversation, a specific account, etc.). If you only want to revoke a Meta or Google integration, mention the platform.
4. We will acknowledge your request within 5 business days and complete the deletion within 30 days, or sooner where the law requires it.
5. If we processed your data on behalf of a Customer (for example, a business that uses our agents), we will forward your request to that Customer and assist them in fulfilling it.

You can also revoke access at any time directly from your Meta Account Center, your Facebook Business Settings, the WhatsApp app, or your Google Account. Doing so automatically removes the associated tokens and schedules deletion of related data in line with the retention periods described below.

This page is the public-facing user data deletion endpoint required by the Meta Platform Terms. URL: https://gurumood.com/en/legal/data-retention

GuruMood applies the GDPR's data minimization and storage limitation principles (Art. 5). We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, to comply with applicable legal obligations, and to exercise or defend legal claims.

The indicative retention periods by category are listed below. When we act as a processor for a Customer, periods follow the Customer's instructions set out in the Order Form/SOW and the DPA.

• Account and billing data: for the duration of the contractual relationship + 6 years to comply with tax and accounting obligations.
• Contracts and legal communications: 10 years after termination, subject to applicable law.
• Marketing and prospecting data: until consent is withdrawn or 36 months from last interaction, whichever comes first.
• Newsletter and optional communications: until the subscriber opts out.
• Consent records (cookies, messaging opt-ins): 5 years as evidence of compliance.
• Contact form submissions: 24 months, unless they convert into a contractual relationship.
• Application logs: 30-90 days, unless required for security investigation or audit.
• Security logs (SIEM, access, audit): at least 12 months.
• End-user conversation data processed on behalf of Customers: per Customer instructions; by default, 12 months for WhatsApp/voice conversations and 24 months for transcripts, unless earlier deletion is requested.
• Aggregated technical and usage data (analytics): up to 14 months in GA4 and pseudonymized/aggregated data without direct identification.
• Backups: retained on rolling 30-90 day cycles; deleted data is purged from the active backup cycle within that window.
• OAuth tokens: for the duration of the authorized access; revoked and deleted upon consent withdrawal or integration termination.

When a retention period ends or deletion is requested, we apply one of the following methods as appropriate: (a) logical deletion followed by scheduled purge; (b) irreversible anonymization for statistical purposes; or (c) secure destruction for physical media. Anonymized data is no longer considered personal data.

Deletion may be subject to legal exceptions: where there is a legal obligation to retain data (for example, accounting or tax records), where the data is needed to exercise or defend legal claims, or for public interest purposes. In those cases we will restrict processing to the minimum necessary until the mandatory retention period expires, and then complete deletion.

If we receive a valid court order, notice of an investigation, or Customer instructions in the context of legal proceedings, we will apply a "legal hold" that suspends deletion of relevant data until the matter is resolved.

We maintain encrypted backups to ensure business continuity and disaster recovery. Backups follow the same deletion schedule as production data, with a maximum lag corresponding to the backup rotation cycle. Backups are subject to restricted access controls and audit logging.

This policy is reviewed at least annually, and whenever there are material changes to the services, providers, or applicable regulations.

For questions about this policy, contact privacy@gurumood.com.