DATA RETENTION AND DELETION POLICY
Hunch — operated by CMA Solutions LLP
Document Reference: HUN-LEG-DRP-V3.0
Version: 3.0 (Draft for attorney review)
Effective Date: [TO BE INSERTED]
Last Updated: [TO BE INSERTED]
NOTICE — DRAFT INSTRUMENT. For counsel review before publication. Not legal advice.
1. PURPOSE
1.1 This Data Retention and Deletion Policy ("Policy") describes the periods for which CMA Solutions LLP ("Company") retains data collected through the conversational AI service marketed as "Hunch" (the "Service"), and the manner in which such data is archived, deleted, and restored to the User.
1.2 This Policy is published in compliance with: (a) the Digital Personal Data Protection Act, 2023 ("DPDP Act") and the DPDP Rules; (b) the SPDI Rules, 2011; (c) the Income Tax Act, 1961, and the Central Goods and Services Tax Act, 2017; (d) the Consumer Protection Act, 2019.
1.3 This Policy is a Constituent Document under the Terms of Service (HUN-LEG-TOS-V3.0) and prevails over inconsistent retention statements in companion documents.
2. DEFINITIONS
Capitalised terms used and not defined in this Policy bear the meaning given in the Privacy Policy. In addition:
"Active Account" — an account having had at least one interaction with the Service within the preceding twelve (12) months.
"Inactive Account" — an account that ceases to be an Active Account.
"Deletion" — permanent, irreversible removal of data from all systems, including primary databases, secondary storage, and backups, within the prescribed timeframe.
"Pseudonymisation" — has the meaning given in the Privacy Policy.
3. RETENTION SCHEDULE
3.1 The Company retains the following categories of data for the periods stated:
| Category | Examples | Retention Period | Lawful Basis |
|---|---|---|---|
| Personal Data | Name, phone number, language preference | Active Account + 12 months from last interaction or account deletion request | DPDP Act §8; SPDI Rules; contract |
| Astrological Data | Birth date, time, place; Kundli; Dasha and Mahadasha periods; transits; Nakshatras; Yogas | Active Account + 12 months | DPDP Act; contract; service delivery |
| Conversation Data | All messages exchanged | Active Account + 12 months | DPDP Act; consent |
| Behavioural Data | Patterns, emotional-state inferences, topic clusters, trigger correlations | Active Account + 12 months | DPDP Act; consent; legitimate purpose |
| Payment Data | Transaction IDs, amount, status, timestamp, Razorpay references | 7 years from date of transaction | Income Tax Act, 1961; CGST Act, 2017; accounting standards |
| Consent Records | Consent timestamps, scope, layer, language, withdrawals | 7 years from date of grant or withdrawal | DPDP audit; SPDI Rules |
| Grievance Records | Complaints, investigations, resolutions, correspondence | 3 years from resolution | SPDI Rules; CPA |
| Technical / Log Data | IP address, device data, session metadata | 6 months from collection | IT Act reasonable security practices |
| Pseudonymised Data | De-identified behavioural patterns; aggregate statistics | Indefinite, subject to Clause 7 | Not Personal Data; subject to re-identification risk acknowledgement |
| Therapist Handoff records (Version 2) | Behavioural Brief, consent record, transmission log | 5 years from Handoff date | Legal evidence; professional indemnity |
3.2 The retention periods set out in this Clause 3 are aligned with, and prevail over, retention statements appearing in the Privacy Policy.
4. CONSENT WITHDRAWAL AND USER-INITIATED DELETION
4.1 User-initiated deletion request. A User may request deletion of identifiable data at any time by: (a) messaging "DELETE MY DATA" or "DELETE MY ACCOUNT" to the Service; (b) emailing support@use-hunch.com bearing the subject line "Data Deletion Request".
4.2 Processing of deletion request. On receipt of a verified request: (a) processing of identifiable Personal Data, Astrological Data, Conversation Data, and Behavioural Data shall cease within seventy-two (72) hours; (b) identifiable data shall be permanently deleted within thirty (30) days, save where retained on grounds set out in Clause 4.3; (c) Payment Data shall be retained for the period stated in Clause 3, isolated from active processing and used solely for legal and tax compliance; (d) Consent Records shall be retained for the period stated in Clause 3; (e) Pseudonymised Data already incorporated into a trained model or research dataset cannot be retroactively reversed; (f) the User shall receive written confirmation of deletion through the channel by which the request was made.
4.3 Lawful retention exceptions. Data may be retained beyond the period stated in Clause 4.2 only where: (a) retention is required by Applicable Law; (b) data is necessary for the establishment, exercise, or defence of legal claims; (c) data is the subject of an ongoing regulatory investigation; (d) a court or competent authority has directed retention.
In each case, retained data shall be isolated, access-restricted, and used solely for the specific legal purpose, and shall be deleted promptly upon expiry of the legal basis.
4.4 Withdrawal of consent without deletion. Where the User withdraws a specific layer of consent (Layer 2, 3, or 4) without requesting deletion: (a) processing for the withdrawn purpose ceases within seventy-two (72) hours; (b) the User's account and core Service access continue; (c) Pseudonymised Data already processed under the withdrawn consent cannot be unwound.
5. INACTIVE ACCOUNTS
5.1 For an account becoming an Inactive Account: (a) Month 10: A reminder shall be sent via WhatsApp or Telegram notifying the User that the account will be marked inactive at month 12. (b) Month 12: Account is marked Inactive. (c) Month 13: A final notice shall be sent indicating that identifiable data will be deleted at month 15 unless the User re-engages. (d) Month 15: All identifiable data is permanently deleted in accordance with Clause 6.
5.2 Pseudonymised Data and Payment Data are retained in accordance with the retention schedule and are not affected by inactive-account deletion.
6. DELETION PROCESS
6.1 Upon a deletion event: (a) Step 1: Data is flagged for deletion in active systems. (b) Step 2: Data is removed from active databases within seven (7) days. (c) Step 3: Data is removed from backup systems within thirty (30) days. (d) Step 4: Deletion is verified by automated audit. (e) Step 5: A deletion-confirmation record is logged in the Company's compliance register.
6.2 The Company uses industry-standard secure-deletion methods (overwrite or cryptographic erasure). Deleted data is not recoverable.
7. THIRD-PARTY DELETION
7.1 On receipt of a deletion request, the Company shall: (a) instruct Open Router LLC and Underlying LLM Providers to delete the User's data from their active systems, to the extent technically and commercially feasible under applicable processor agreements; (b) instruct Razorpay to delete the User's data save where Razorpay is required to retain it on grounds of legal obligation (such retention being typical for transaction records); (c) where a Professional (Version 2) holds a Behavioural Brief, instruct the Professional to delete the Brief in accordance with the Therapist Handoff Consent and Protocol, while recognising that Professional Records authored by the Professional are governed by the Professional's own retention regime.
7.2 Acknowledgement on AI training data. Data already used to train an Underlying LLM Provider's foundation model may not be individually deletable from the model. The Company shall use commercially reasonable efforts to procure deletion of the User's data from the provider's active records, but cannot warrant reversal of model training.
8. PROFESSIONAL RECORDS (VERSION 2)
8.1 The Behavioural Brief shared with a Professional is retained by the Professional for the duration of the Engagement plus thirty (30) days, after which the Professional shall delete the Brief in accordance with the Data Processing Agreement.
8.2 Professional Records authored by the Professional during the Engagement are governed by the Professional's own retention obligations under the RCI Code, the MHCA where applicable, and the engagement letter between the User and the Professional. The Company has no control over Professional Records.
8.3 Upon a User's request to delete data from the Service, the Company shall: (a) instruct the Professional to delete the Behavioural Brief and ancillary data within seven (7) calendar days; (b) facilitate the User's communication with the Professional in respect of Professional Records; (c) record confirmation of deletion in the Handoff audit log.
9. DATA PORTABILITY
9.1 The User has the right to receive Personal Data in a structured, commonly used, machine-readable format under the DPDP Act.
9.2 The User may exercise such right by emailing support@use-hunch.com bearing the subject line "Data Portability Request".
9.3 The Company shall provide the export within thirty (30) days of receipt of a verified request, comprising: (a) Personal Data; (b) Astrological Data; (c) Conversation Data; (d) Behavioural Data, in summary form (raw model-internal representations being excluded); (e) Payment Data in transaction-history form (full instrument details being held by Razorpay).
9.4 The export shall be provided in JSON format. Alternative formats may be supplied on request where technically feasible.
10. AUDIT AND COMPLIANCE
10.1 The Company maintains: (a) automated enforcement of the retention schedule, with data flagged for deletion on expiry of the retention period; (b) quarterly internal audits of retention compliance; (c) deletion logs retained for three (3) years; (d) an annual review of this Policy to ensure continuing alignment with Applicable Law.
10.2 The Company shall provide audit records to a regulatory authority on lawful request.
11. SIGNIFICANT DATA FIDUCIARY OBLIGATIONS
11.1 As at the Effective Date, the Company is not classified as a Significant Data Fiduciary under Section 10 of the DPDP Act.
11.2 The Company adopts proactive practices in anticipation of classification as set out in Clause 13 of the Privacy Policy.
11.3 Upon classification as SDF, the Company shall additionally implement: (a) appointment of an independent India-resident Data Protection Officer; (b) appointment of an independent data auditor; (c) periodic Data Protection Impact Assessments; (d) submission of compliance reports to the Data Protection Board of India; (e) publication of DPIA summaries.
12. RETENTION-RELATED GRIEVANCES
12.1 A User may file a grievance concerning the application of this Policy under the Grievance Redressal Policy (HUN-LEG-GRP-V3.0).
12.2 Such grievances are addressed within thirty (30) days of receipt.
13. AMENDMENTS
13.1 The Company may amend this Policy from time to time. Material amendments shall be notified in accordance with Clause 16 of the Terms of Service.
14. CONTACT
CMA Solutions LLP
LLPIN: ACP-6029
Grievance Officer / Data Protection Officer: Sanhit Jain
Email: support@use-hunch.com
Telephone: +91 9667674105
Postal address: Kh No. 316/274, Ground Floor, Front Side Saidulajab, Western Marg, near Lane No. 3, Gadaipur, Saidulajab, New Delhi, South West Delhi – 110030, India.
SCHEDULE 1 — REVISION HISTORY
| Version | Date | Summary |
|---|---|---|
| 2.0 | 16 May 2026 | Initial; conflict with Privacy retention table |
| 3.0 | [date] | Counsel-ready draft; retention unified to 12 months past last interaction (G-8); pseudonymisation throughout (G-9); Therapist Handoff records added |
END OF DATA RETENTION AND DELETION POLICY.
Draft for attorney review. Not legal advice.