← Flash ai.Legal
Draft — pending legal review. This document is not yet in force.

Flash ai. — Data Retention & Erasure

DRAFT — pending legal review. Not legal advice. Retention periods below MUST be confirmed against the Companies Act 2013, Income Tax Act, and other statutes before publication.

Effective date: [EFFECTIVE DATE] Owner: Grievance Officer, Flash Production Intelligence Private Limited · privacy@flashcinema.ai

This document is both a public statement (what we keep and for how long) and an internal runbook (how erasure is actually executed). It backs the erasure right in the Privacy Policy §7/§9 and the deletion duty in the DPA §9.


1. Principle

We keep personal data only as long as needed for the purpose it was collected, or as long as a law requires — whichever is longer. When neither applies, we delete or anonymise it.

Statutory retention overrides erasure. If a Data Principal asks us (or a tenant asks us) to erase data that a law requires us to keep — most importantly financial and accounting records — we retain the minimum the law requires, isolate it, restrict access, and delete it when the period ends. We tell the requester this is why.

2. Retention schedule

Confirm every period in this table with CA Shimon / counsel. The financial rows are driven by statute, not preference.

Data categoryRetentionBasis
Account & identity (users)Duration of subscription + 30 daysContract; then erased
Authentication logs / sessions90 daysSecurity
Application & error logs90 days (longer if under investigation)Security
WhatsApp / notification metadata12 monthsOperational
Crew/cast/vendor personal data (tenant-controlled)Per tenant instruction; default deleted 30 days after subscription endsDPA; tenant is Fiduciary
Books of account & financial records (bank txns, cash, invoices, payment requests, salaries, tax)8 years from end of financial yearCompanies Act 2013 s.128; Income Tax Actconfirm
Uploaded financial documents (bank statements, contracts with financial terms)Aligned to the 8-year financial ruleSame as above
Vehicle location logs12 monthsOperational; minimise
BackupsRolling; oldest expires within [BACKUP WINDOW] daysDisaster recovery

3. The erasure path (internal runbook)

When a valid erasure request arrives (via privacy@flashcinema.ai), the Grievance Officer runs these steps:

  1. Log the request (date, requester, identity-verification method, scope).
  2. Verify identity — confirm the requester is the Data Principal or an authorised nominee. For tenant-controlled data, confirm with the tenant (they are the Fiduciary).
  3. Classify the data — separate (a) freely erasable personal data from (b) data under statutory retention (financial/accounting).
  4. Erase (a) — delete the person's records from the relevant tables and stored files; remove from search/embeddings; purge from caches. Record what was deleted.
  5. For (b) — do not delete. Restrict access, flag as retained-for-legal-reason, and set the deletion date at the end of the statutory period. Tell the requester which categories are retained and why.
  6. Backups — erasure is applied to live systems immediately; residual copies in backups age out within the backup window ([BACKUP WINDOW] days) and are not restored except for disaster recovery, after which the erasure is re-applied.
  7. Confirm to the requester within the timeline the law requires, stating what was erased and what was lawfully retained.

Engineering note (to be built): today this runbook is manual (SQL against the affected tables + storage deletion). A self-service "export & delete account" flow and a scripted erasure helper are tracked as follow-up work — they are not required for the first customer but should exist before scale. The RLS model and per-tenant organisation_id make scoped deletion straightforward.

4. Tenant-initiated deletion

A tenant can request export and deletion of their whole workspace on termination. We provide an export for 30 days, then delete Customer Data per §2, subject to the statutory financial-records exception, which we retain on the tenant's behalf as required by law.

5. Anonymisation

Where we need aggregate data for legitimate analytics (e.g. platform usage), we may retain anonymised data that can no longer identify a person; this is not subject to erasure.


Flash ai. is a product of Flash Production Intelligence Private Limited. OPM Cinemas is a tenant of the platform, not the operator.

Data Retention & Erasure — Flash ai.