Data Retention & Deletion Policy
⚠ Draft — not yet in force
This document is still a working draft. It has 1 unfilled placeholder (highlighted below) — including items like the legal entity name and effective date. It needs review by qualified counsel in Pakistan before it binds anyone. This page is noindex until then, and should not be submitted to the Play Console yet.
Effective date: [•] · Version: 1.0 (draft) · Companion to the Privacy Policy.
⚠️ Legal review required. Retention periods in brackets are recommended defaults — confirm against Pakistani statutory requirements (tax, accounting, PECA record-keeping) before publication. The app is currently distributed as a direct-install Android APK; when Google Play distribution begins, this document also satisfies Google Play's account/data deletion requirement — publish the deletion instructions (§3) at a public URL.
1. Retention schedule
| Data category | Where | Retention | Reason |
|---|---|---|---|
Account profile (users/{uid}: phone, name, photo, roles) |
Firestore | Life of account, then deleted within [90] days of a deletion request | Service provision |
Rider KYC record (riders/{uid}) |
Firestore | Active rider + [12] months after deactivation | Safety, dispute & regulatory defence |
| KYC document images (CNIC, licence, vehicle registration, police certificate) | Cloud Storage | Same as KYC record; [30] days after a rejected application | Verification evidence |
| Ride / pool / rental records | Firestore | [12] months after completion, then deleted or irreversibly anonymised (kept only as aggregate statistics) | Disputes, support, analytics |
Chat messages (rideChats/{rideId}) |
Realtime DB | [90] days after ride completion | Dispute evidence |
Live GPS (driverLocations/{riderId}) |
Realtime DB | Transient — overwritten continuously; cleared when the rider goes offline | Live tracking only |
| Wallet balances | Firestore | Life of account; paid out/zeroed at closure | Prepaid value |
| Transaction ledger & payment settlement records | Firestore | [6] years | Statutory accounting/tax; fraud investigation |
| Push tokens | Firestore | Until logout/uninstall-detected or account deletion | Notifications |
| Technical logs | Firebase | [90] days | Debugging, security |
| OTP verification data | Firebase Auth | Managed by Firebase Auth per its policy | Authentication |
Backups (where enabled) expire on the backup provider's cycle (target ≤ [35] days); deleted data may persist in backups until that cycle completes.
Coordinates sent to Google Maps Platform (Google LLC) to render map tiles and Static Maps images are processed by Google as a service provider and are not a data store retained by Drivio; they are not kept by us beyond the categories above.
2. Anonymisation
Where records must be kept past account deletion (e.g. the financial ledger), we remove or replace direct identifiers (phone, name, photo, document images) and retain only the transactional facts required by law, keyed to a non-identifying reference.
3. How users delete their account and data
- In-app: Profile → [Account → Delete account] (if the build does not yet expose this, the email route below is authoritative); or
- Email: send a request from any address to driviodevdrivio@gmail.com including the registered phone number; we verify by OTP to that number.
On a verified request we: disable the account immediately; cancel open bookings per the Refund & Cancellation Policy; pay out any withdrawable balance; delete or anonymise personal data per §1 within [90] days, except records under statutory retention (§1 ledger row), which are deleted when their period expires.
4. Admin & operational access
- KYC images: readable only by the data subject and administrators (enforced by Storage rules).
- Payment settlement records: administrators only; never client-readable.
- Deletion operations are performed with the Admin SDK by authorised personnel and logged.
5. Review
This schedule is reviewed at least annually and whenever a new data category (e.g. payment gateway data) is introduced.
[Drivio legal entity name] · driviodevdrivio@gmail.com
Rendered from docs/legal/DATA_RETENTION_DELETION.md at build time — that markdown is the single source of truth. Edit it there, not here.