Data Retention & Deletion Policy

1. Overview

Vexor only retains personal data for as long as it is necessary to:

• Provide and maintain the Vexor services and features you use
• Comply with legal and regulatory obligations (e.g., tax, accounting, law enforcement)
• Resolve disputes, investigate incidents, and enforce our Terms of Service
• Maintain security, prevent fraud, and protect users from abuse

Once data is no longer required for these purposes, Vexor either securely deletes it or irreversibly anonymizes it so that it can no longer be associated with an identifiable user.

2. Categories of Data We Store

Depending on how you use Vexor, we may store the following categories of information:

• Account Data: Username, email address, country/region, language preferences, age or age band, account creation date, linked third-party IDs (if applicable), and basic profile metadata.
• Content Data: Videos, live streams, comments, captions, likes, messages (where stored server-side), drafts (if synced), thumbnails, and associated metadata (hashtags, audio references, filters).
• Technical & Log Data: IP addresses, device identifiers, OS version, app version, login timestamps, crash logs, performance logs, security event logs, and configuration data.
• Behavioral & Engagement Signals: Watch time, search queries, follows/unfollows, engagement interactions (likes, shares, favorites), moderation history, and recommendation feedback.
• Purchase & Transaction Records: Purchase history for coins and virtual currency, gift and tip transactions, payout records, subscription status, and partial billing metadata (processed through PCI-compliant providers).
• Security, Safety & Enforcement Data: User reports, internal case notes, device and IP risk scores, policy violation records, strikes, appeals, law enforcement holds, and security investigation artifacts.

Sensitive categories (such as data related to minors, law enforcement requests, or serious safety incidents) are subject to stricter access control and tighter retention limits.

3. Data Retention Timelines

Unless a longer retention period is required or permitted by law, Vexor applies the following baseline retention practices:

• Account Information: Retained for as long as your account remains active. Deleted when you permanently delete your account, subject to legal, accounting, or security exceptions outlined in this policy.
• User-Generated Content (videos, comments, posts): Retained while the account is active or until you delete the content. Some non-personal traces (e.g., aggregate engagement metrics) may persist in anonymized form.
• Deleted Content: When you delete content, it is removed from public visibility immediately and typically purged from active systems and backups within 30–90 days.
• Direct Messages (where stored server-side): Retained until deleted by the sender or recipient, subject to security and abuse detection needs.
• IP Logs & Device Data: Retained for approximately 6–24 months to support security, fraud prevention, and abuse control.
• Security Logs, Abuse Reports & Enforcement Records: Retained for approximately 12–36 months depending on severity, repeat patterns, and legal risk.
• Financial & Transaction Records: Retained for 3–7 years as required by tax, financial reporting, anti–money laundering (AML), and auditing laws in relevant jurisdictions.
• Law Enforcement Holds & Legal Preservation: Retained for the duration of the legal hold, subpoena, or court order and deleted or re-evaluated once the legal obligation expires.

Aggregated and anonymized datasets that cannot be linked back to individual users may be retained indefinitely for analytics, product development, and safety research.

4. Reasons Data May Be Retained Longer

In specific circumstances, Vexor may retain certain data beyond standard timelines where legally justified or operationally necessary, including:

• Preventing repeated policy violations, ban evasion, or security threats
• Compliance with ongoing law enforcement investigations or regulatory inquiries
• Meeting tax, AML, and financial compliance obligations
• Supporting dispute resolution, chargeback investigations, or legal claims
• Preserving evidence for litigation or regulatory defense

5. User Rights Under GDPR & CCPA

Depending on your jurisdiction (for example, as an EU/EEA resident under GDPR or a California resident under CCPA/CPRA), you may benefit from one or more of the following rights:

• Right of Access: Request confirmation whether we process your personal data and receive a copy of your data.
• Right to Rectification: Correct inaccurate or incomplete personal data in your account.
• Right to Deletion (“Right to be Forgotten”): Request permanent deletion of your account and associated personal data, subject to legal exceptions.
• Right to Restrict Processing: Ask us to limit processing of your data in certain circumstances (e.g., while a dispute is under review).
• Right to Data Portability: Receive your personal data in a structured, commonly used, machine-readable format where technically feasible.
• Right to Object: Object to certain types of processing, such as personalized advertising or profiling, where applicable.
• Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time without affecting prior lawful processing.

CCPA/CPRA also grants California residents additional rights, such as the right to know categories of data collected, right to opt out of certain “sale” or “sharing” of data, and protection from discrimination for exercising those rights.

6. Account Deletion Process

When you choose to permanently delete your Vexor account through in-app settings or via a verified privacy request:

• Your account typically enters a 30–60 day grace period during which you may restore it.
• After this period, your profile, personal settings, content, and most associated data are scheduled for deletion.
• Some records (e.g., financial transactions, fraud logs, legal holds) are retained to comply with regulatory and legal requirements.
• Content that involves other users (e.g., duets, stitches, shared chats) may remain visible or preserved in a modified form.
• Once the process is completed, deletion is irreversible and the account cannot be recovered.

7. Content Deleted by Users

When you individually delete videos, comments, or messages:

• The content is removed from public visibility and standard user access immediately.
• Residual copies may briefly persist in caching layers and backup systems.
• Backups and replicated storage typically purge deleted records within 30–90 days.
• Some non-personal analytical data (e.g., aggregate view counts) may be retained in anonymized form.

8. Security of Stored Data

Vexor applies industry-standard security controls to protect all retained data throughout its lifecycle:

• Encryption at Rest: Sensitive data stored using strong cryptographic standards (e.g., AES-256).
• Encryption in Transit: All communications protected using TLS 1.2+ (preferably TLS 1.3).
• Password Protection: User passwords hashed and salted using secure algorithms (e.g., bcrypt or Argon2).
• Access Controls: Role-based access, least-privilege principles, and strong authentication for internal tools.
• Monitoring & Auditing: Security logs, anomaly detection, and periodic audits of access patterns.
• Backup Security: Backups are encrypted, access-restricted, and subject to retention limits aligned with this policy.

9. Third-Party Data Sharing

Vexor does not sell personal data. We share limited data only with vetted third-party processors and partners under strict contractual safeguards, for purposes such as:

• Cloud hosting and content delivery networks
• Payment processing and fraud prevention
• Security monitoring and DDoS mitigation
• Analytics, performance monitoring, and crash reporting
• Legal compliance, KYC/AML checks (if applicable)

All third parties are bound by data protection agreements that require: encryption, confidentiality, limited purpose use, and timely deletion or return of data when services end.

10. How to Request Deletion or Access

You may exercise your access, export, or deletion rights through:

• In-app privacy and account management tools
• Submitting a written request to the Privacy Office
• Contacting our Data Protection Officer (DPO) where required by law

Contact for Data Rights Requests:
Email (Privacy): privacy@vexor.to
DPO: dpo@vexor.to
Support: support@vexor.to

We will respond to verified requests within the applicable legal timeframe, typically:

• GDPR: Within 30 days, extendable in complex cases with notice
• CCPA/CPRA: Within 45 days, extendable with notice when necessary

11. Data for Law Enforcement

If Vexor receives a lawful data preservation or disclosure request from law enforcement:

• We verify the legal validity, jurisdiction, and scope of the request.
• We retain data under a preservation hold for the duration mandated by law or court order.
• We notify users where legally permitted and safe to do so.
• We disclose only the minimum amount of data required to comply with the legal order.

For more details, please refer to the Law Enforcement Request Guide and Government Requests Terms & Process.

12. Updates to This Policy

Vexor may update this Data Retention & Deletion Policy from time to time to reflect:

• Changes in laws, regulations, or regulatory guidance
• New platform features or data processing activities
• Security, infrastructure, or operational changes

When we make material changes, we will update the effective date and, where appropriate, notify users directly through the app, email, or our legal center.

13. Contact Information

If you have questions about this policy, your data, or your privacy rights, you can contact:

Privacy Office: privacy@vexor.to
Data Protection Officer (DPO): dpo@vexor.to
General Support: support@vexor.to