Data Retention Policy

Chipon Alert v1
Effective Date: March 29, 2026
Last Reviewed: March 29, 2026
Next Review: March 29, 2027

1. Policy Overview

This Data Retention Policy outlines how Chipon Alert (operated by Jyv Tech LLC, Delaware File Number 10316295, globally and Tanta Innovative Limited, CAC RC 1475301, in Nigeria) collects, stores, and deletes user and operational data. The policy governs all personal data processed by the mobile application, backend infrastructure, and associated services.

Scope: All user accounts, incident reports, location data, authentication records, analytics, system logs, and backups.

Compliance Framework:

• Nigeria Data Protection Regulation (NDPR) / National Data Protection Act 2023
• General Data Protection Regulation (GDPR) — where applicable
• Data Protection Directive 2009/136/EC (ePrivacy)
• Local storage regulations for Nigeria, Ghana, Kenya

2. Legal Basis for Data Retention

Data is retained based on the following legal grounds:

3. Data Retention Schedule

Core Retention Table

4. Data Anonymization Procedures

Anonymization Standards

After the anonymization threshold (typically 2 years for incident reports), the following transformations are applied:

1. User Identification Removal

   • User ID, phone number, email → Replaced with non-reversible hash or removed entirely
   • Incident reporter identity → Removed; report marked as "community"

2. Location Generalization

   • Exact lat/long coordinates → Generalized to 100m grid cell (GeoHash precision 6)
   • Street addresses → Neighborhood name only
   • Home/work locations → Deleted if linked to user account

3. Temporal Obfuscation

   • Exact report timestamp → Bucketed to date only (loss of time-of-day)
   • Sequential report data → Shuffled within cohort to prevent inference attacks

4. Content Scrubbing

   • Personal details in report text → Automated NLP-based redaction (names, phone numbers)
   • Photo metadata (EXIF) → Stripped on upload; geotags removed
   • Comments → User attribution removed; text preserved for context

Anonymization Tools & Automation

• On-upload: EXIF stripping via ImageMagick; phone number regex masking
• On-query: Location hashing via PostGIS ST_PointToHash(); PII redaction via AWS Comprehend
• Batch job: Daily 2-year-old incident anonymization (runs 02:00 UTC, reads from replica, updates anonymized flag)
• Audit: All anonymization operations logged to audit table with timestamp, record count, operator

5. Data Deletion Procedures

User-Initiated Deletion (Account Erasure)

Trigger: User taps "Delete Account" in Settings → ConfirmDialog → Confirm via OTP → Backend processes deletion

Process (Right to be Forgotten - GDPR Art. 17):

1. Soft Delete (Day 0):

   • User record flagged deleted_at = NOW()
   • Phone & email hashed; full name replaced with UUID
   • Avatar S3 object deleted immediately
   • All associated OTP codes, session tokens invalidated

2. Hard Delete (Day 30):

   • If user does not restore within 30-day grace period:
     • User record purged from PostgreSQL
     • Search history, location data deleted
     • Push tokens deleted
   • Exception: Incident reports remain (anonymized, if user was reporter)

3. Audit Log:

   • Deletion event written to immutable audit table: user_id, deleted_at, reason ("user_request"), processed_by ("system")
   • Log retained for 7 years (legal hold)

User Notification: Account deletion confirmation email sent immediately; recovery link valid for 30 days.

System-Initiated Deletion (Inactivity / Non-Compliance)

• Inactive account (2+ years): Account flagged for review; user contacted via SMS/email 30 days before deletion
• Non-compliant data (e.g., copyrighted photos, doxxing): Removed within 24h of moderation flag; user notified

Regulatory/Law Enforcement Deletion

See Section 7 (Legal Holds & Regulatory Requests).

6. Retention Exceptions & Legal Holds

Circumstances Preventing Deletion

Data retention may be extended beyond scheduled deletion if:

1. Active Legal Case

   • Fraud investigation, law enforcement request, litigation hold
   • Duration: Until case resolution + statute of limitations (typically 5–7 years in Nigeria)
   • Documentation: Stored in legal_holds table; flagged in automated deletion jobs

2. Regulatory Request

   • NDPR compliance audit, INTERPOL request, court order
   • Duration: As specified in court order or regulatory request
   • Process: Data locked; deletion jobs skip records with active hold

3. Security Incident Investigation

   • Breach attribution, forensics, incident response
   • Duration: Up to 90 days; extended if ongoing investigation
   • Approval: CTO + Legal sign-off required for extension beyond 90 days

4. Backup Retention

   • Backups scheduled for deletion may be held if:
     • Disaster recovery in progress
     • Data corruption/ransomware recovery
     • Duration: Minimum 30 days; maximum 90 days
   • Process: Engineering + CTO approval required

Legal Hold Process

7. Handling Regulatory & Law Enforcement Requests

NDPR Compliance (Nigeria Data Protection Act 2023)

Data Subject Rights:

• Right of Access (Art. 4.5): User can request copy of their data within 30 days
• Right of Rectification (Art. 4.4): User can correct inaccurate data
• Right to Erasure (Art. 4.3): Right to be forgotten (subject to exceptions in Sec. 6)
• Right to Portability (Art. 4.6): Export data in machine-readable format (JSON)
• Right to Object: Opt out of non-essential processing (e.g., analytics)

NDPR Requests Process:

1. User submits request via Settings → "Data Subject Rights" → Email CTO + Privacy Officer
2. Request verified against user account (match phone / OTP)
3. Compliance team (CTO + Legal) responds within 30 calendar days
4. For erasure: Soft delete initiated; hard delete after 30-day grace period (unless legal hold)
5. For data export: PostgreSQL query + JSON export; encrypted email to user
6. Documentation: Request logged in dsar_requests table; audit trail maintained

GDPR Compliance (EU Users)

Regulatory Basis for Processing:

• Article 6(1)(b): Contract performance (service delivery)
• Article 6(1)(c): Legal obligation (fraud prevention, security)
• Article 6(1)(f): Legitimate interest (product improvement)

Controller Details:

• Data Controller: Jyv Tech LLC (Global) / Tanta Innovative Limited (Nigeria)
• Data Protection Officer: dpo@chiponalert.com / legal@chiponalert.com
• Legal Address: 25 Segun Gbelee Street, Ikeja, Lagos, Nigeria

GDPR Request Timeline: 30 days (1 month) for all DSARs; may extend to 60–90 days if complex.

Law Enforcement & Subpoena Requests

Protocol:

1. Request must arrive via registered legal counsel or official government letterhead
2. Verify legitimacy with issuing authority (where possible) before compliance
3. Escalate to CTO + Legal; do NOT provide data without written approval
4. If request is valid:
   • Extract minimal data required (specificity principle)
   • Encrypt file; send to requestor via secure channel (e.g., secure email, in-person)
   • Log request in law_enforcement_requests table
   • Notify user (unless prohibited by law or court order)
5. If request is invalid or overly broad:
   • Decline; refer requestor to legal counsel
   • Document refusal in audit log

8. Data Storage & Technical Security

Storage Infrastructure

Data Residency Compliance

• Nigeria Operations: User data for Nigerian users (phone number, incidents, location) may be stored in AWS eu-west-1 (Ireland) per NDPR regulations requiring data transfer agreements
• GDPR: EU user data stored in AWS eu-west-1; no transfer outside EU without adequacy decision
• Transfers: All international data transfers use Standard Contractual Clauses (SCCs) per GDPR Art. 46

9. Third-Party Data Processors

The following third parties process user data on behalf of Chipon Alert:

Data Processing Agreements (DPA):

• All third parties have signed Data Processing Agreements (DPA) or rely on standard terms (AWS, Firebase)
• Sub-processor changes notified to users annually
• Processors located only in Tier-A jurisdictions (US, EU) with strong privacy laws

10. Data Subject Rights & User Controls

In-App Controls

Users can manage their data via Settings → Privacy & Data:

Rights for Users Not Requesting Deletion

Users who remain active can:

• Request a copy of their data anytime (30 days response)
• Correct inaccurate data immediately
• Object to analytics/tracking (opt-out)
• Revoke push notification consent
• Request explanation of heatmap scoring (legitimate interest transparency)

11. Anonymization & Aggregation for Analytics

How Incident Data Powers the Safety Map

1. Individual incident reports (first 2 years):

   • Linked to user ID, exact coordinates, timestamp
   • Used for community verification, trend detection
   • User can see their own reports; other users cannot identify them

2. After 2 years (anonymized):

   • User ID removed; record marked anonymized=true
   • Lat/long generalized to 100m grid (GeoHash precision 6)
   • Timestamp reduced to date only
   • Used for historical heatmap, long-term trend analysis

3. Aggregated heatmap data (indefinite):

   • Daily roll-up: COUNT(incidents) per 100m grid cell, per severity, per category
   • Stored separately in heatmap_aggregates table
   • No user-level data retained; privacy-preserving SQL queries only
   • Used for public-facing safety map

4. Analytics dashboards (12 months):

   • User ID hashed; location bucketed to neighborhood
   • Session funnel, feature usage, crash rates tracked
   • Deleted after 12 months unless aggregated further

Privacy Guarantee: No individual user can be re-identified from aggregated heatmap data.

12. Data Breach Notification

Notification Procedures

If a data breach occurs that compromises personal data:

1. Detection & Assessment (within 24 hours):

   • Engineering team detects breach / security system alerts
   • CTO + Security Lead assess scope (data types, user count, severity)
   • Determine if breach meets threshold: "likely to result in risk to rights and freedoms" (GDPR Art. 33)

2. Notification to Regulator (within 72 hours):

   • If breach is reportable: Submit to NDPR + GDPR authorities (if EU users affected)
   • Include: Description of breach, likely consequences, measures taken
   • Contact: Nigeria Data Protection Commission (NDPC) + GDPR supervisor (if applicable)

3. Notification to Users (within 30 days):

   • If data breach is high-risk (e.g., passwords, payment data compromised):
     • Send SMS + push notification to all affected users
     • Provide: What data was compromised, what we're doing, what users can do
     • Offer: Free credit monitoring / identity theft protection (if applicable)
   • If low-risk (e.g., anonymized location data): Notification may be withheld if breach is mitigated

4. Public Disclosure (if required):

   • If breach affects >1,000 users or is in media: Public statement on Chipon website
   • Transparency: Acknowledge breach, responsibility taken, corrective actions

Data Breach Log

All breaches (confirmed or suspected) logged in data_breaches table:

• Date detected, scope (user count, data types), severity (low/medium/high/critical)
• Notification status, regulator response, remediation steps
• Retained for 7 years (audit & compliance)

13. International Data Transfers

Transfer Mechanisms

Nigeria → Global Users:

• Data transfers to US/EU servers use Standard Contractual Clauses (SCCs) per GDPR Art. 46
• Third-country adequacy determinations reviewed annually
• No transfers to countries without adequate protection (unless user consent obtained)

GDPR-Protected Data:

• EU user data (phone, location, reports) stored in AWS eu-west-1 only
• Transfers to US/Nigeria prohibited unless data is anonymized
• Exception: Backup replication to us-east-1 encrypted under EU Standard Contractual Clauses

Nigeria Data Protection Act 2023:

• Transfers of Nigerian personal data subject to NDPC approval if transfer to "inadequate" country
• Chipon transfers to AWS US (Tier-A jurisdiction) are considered adequate
• Adequacy determination reviewed during annual compliance audit

14. Data Retention Audit & Compliance Monitoring

Automated Deletion Jobs

Manual Compliance Review

Quarterly Audit (every 90 days):

• Engineer runs SELECT COUNT(*) FROM incidents WHERE anonymized=false AND created_at < NOW() - INTERVAL '2 years'
  • Expected: 0 records (all >2 year old incidents should be anonymized)
  • If non-zero: Debug anonymization job; run manual update
• Engineer runs SELECT COUNT(*) FROM users WHERE deleted_at < NOW() - INTERVAL '30 days'
  • Expected: 0 records (all soft-deleted users should be hard-deleted after 30 days)
  • If non-zero: Debug deletion job; run manual cleanup
• Backup retention verified: 30-day rolling window confirmed

Annual Compliance Audit (March 29):

• Legal + CTO review this policy document
• Update retention periods if legal/regulatory landscape changes
• Verify all third-party DPAs remain current
• Test data export functionality (DSAR process)
• Test account deletion flow (GDPR right to erasure)
• Verify sub-processor list and obtain updated assurances
• Document audit results in compliance_audits table

15. Roles & Responsibilities

Escalation Contacts

16. Policy Review & Updates

Review Frequency: Annually (every March 29)

Triggers for Immediate Review:

• Change in Nigerian Data Protection law or GDPR
• Regulatory inquiry or audit finding
• Data breach or incident
• New data types collected (requires policy amendment)
• Technology stack change (new processor, new storage service)
• M&A activity or acquisition by another company

Process:

1. CTO + Legal meet to review current policy against regulatory landscape
2. Identify gaps, outdated retention periods, missing data types
3. Update policy document; version control (MAJOR.MINOR format)
4. Notify users of material changes via in-app banner or email
5. Archive previous version in legal/ folder with timestamp
6. Document update reason in file header

Current Version: 1.0 (March 29, 2026)
Next Review Date: March 29, 2027

17. Definitions

18. Contact Information

For Data Subject Rights Requests (DSAR, Erasure, etc.):

• Email: legal@chiponalert.com
• Response time: 30 calendar days
• Verification: Will confirm identity via phone OTP before disclosure

For Privacy Concerns or Complaints:

• Email: legal@chiponalert.com
• Escalation: CTO (engineering@jyvtech.com)
• External complaint: NDPR Commissioner / GDPR Supervisory Authority

For Media / Breach Disclosure:

• Email: press@chiponalert.com (if applicable)
• Statement reviewed by CTO + Legal before public release

19. Appendices

Appendix A: Retention Period Justifications

Why incident reports are retained indefinitely (with 2-year anonymization):

• Public safety value: Historical incident patterns inform neighborhood risk assessment
• Community benefit: Enables long-term trend analysis (seasonal spikes, emerging hotspots)
• Research value: Academic partnerships, public health agencies, city planning
• Legal requirement: Nigeria's National Bureau of Statistics (NBS) requests crime data for policy
• Compliance: Retention justified under GDPR Art. 6(1)(f) (legitimate interest in public safety)

Why location data is deleted on account deletion:

• Home/work addresses are sensitive PII; no legitimate interest survives account closure
• Route searches are not linked to identity after 90 days anyway

Why photos are deleted after 1 year:

• Storage cost optimization (S3 costs scale with object count)
• Evidence value decays: Most photos only relevant for 6–12 month investigation window
• User expectation: Photo upload designed for immediate report, not long-term archive

Why analytics are aggregated after 12 months:

• Product decisions are driven by recent cohorts (3–6 month rolling window)
• Older analytics have diminishing value for feature development
• Privacy benefit: Aging out data reduces breach surface area

Appendix B: Data Export Format (DSAR)

When a user requests their data (GDPR Art. 15 / NDPR Art. 4.5), they receive a ZIP file containing:

chipon_export_[USERID]_[DATE].zip
├── account.json                 # Phone, name, account creation date
├── profile.json                 # Optional: bio, emergency contact
├── incidents_submitted.json     # All reports submitted by user
├── incidents_photos/            # Associated photos (1yr only)
├── location_history.json        # Home/work addresses, if set
├── search_history.json          # Last 90 days of searches
├── push_tokens.json             # Active devices/notification settings
├── analytics_consent.json       # Opt-in/opt-out status
├── README.txt                   # Instructions for interpreting data
└── METADATA.json                # Export date, format version

All files in JSON format; human-readable + machine-readable.

Appendix C: Audit Log Schema

All data deletions, exports, and retention exceptions logged to audit_logs table:

CREATE TABLE audit_logs (
  id UUID PRIMARY KEY,
  timestamp TIMESTAMPTZ DEFAULT NOW(),
  action_type ENUM ('delete_user', 'delete_incident', 'anonymize_incident', 
                    'export_dsar', 'legal_hold_create', 'legal_hold_release', 
                    'breach_detected', 'breach_notified'),
  actor_id UUID,                    -- NULL if system job; user ID if manual
  actor_role VARCHAR,               -- 'system', 'engineer', 'legal', 'user'
  target_type VARCHAR,              -- 'user', 'incident', 'report', 'photos'
  target_id UUID,
  record_count INT,                 -- # of records affected
  reason TEXT,                      -- 'legal_request', 'user_erasure', 'inactivity', 'retention_schedule'
  legal_hold_id UUID,               -- If part of legal hold
  documented_by VARCHAR,            -- Engineer/legal who executed
  notes TEXT                        -- Additional context
);

CREATE INDEX ON audit_logs (timestamp DESC);
CREATE INDEX ON audit_logs (target_id);

Document Version: 1.0
Effective Date: March 29, 2026
Last Updated: March 29, 2026
Next Review: March 29, 2027

This policy is binding on all Chipon Alert operations and must be approved by CTO + Legal before any changes to data retention practices.