1. Purpose and Scope
This Data Retention Policy governs how long MPK Development (Pty) Ltd retains personal information processed through the OptEva platform, and how such information is securely disposed of. It applies to all personal information processed by OptEva in any format.
This policy is designed to ensure compliance with POPIA's minimum necessary processing principle and to minimise the risk to data subjects arising from unnecessary retention of personal information.
2. Retention Schedule
| Data Category | Retention Period | Basis / Notes |
|---|---|---|
| User account data | Duration of account + 12 months after deactivation | Service delivery; allows for dispute resolution |
| Contact (Party) records | While company subscription active + 12 months post-termination | Company-controlled data; 12 months for export/dispute |
| Property records | While company subscription active + 12 months post-termination | As above |
| Interest/enquiry records | While company subscription active + 12 months post-termination | As above |
| Uploaded documents | Until deleted by authorised user or 12 months post-termination | Cloudflare R2; company responsible for document retention obligations |
| Password reset tokens | 60 minutes from generation or on first use | Security; tokens expire automatically |
| Google OAuth tokens | Until user disconnects Google Calendar integration | User-controlled; deleted on disconnect |
| Transactional email logs | Governed by Mailgun data retention policy (EU region) | MPK Development does not independently retain email logs |
| JWT tokens (localStorage) | Cleared on browser session or user logout | Client-side only; not stored server-side |
| System/access logs | 90 days | Security monitoring and incident investigation |
| Backup data | 30 days rolling backup retention | Disaster recovery purposes |
3. Extended Retention
Retention periods may be extended beyond those listed above where:
- Legal proceedings are ongoing or anticipated (litigation hold)
- A regulatory investigation is in progress
- A written data subject request or dispute has not been resolved
- Applicable South African law requires longer retention (e.g., FICA 5-year record keeping)
In such cases, the Information Officer must approve the extension and document the reason.
4. Secure Disposal
Upon expiry of the applicable retention period:
- Database records are permanently deleted from PostgreSQL (Railway infrastructure)
- Documents are permanently deleted from Cloudflare R2 storage
- Deletion is irreversible and cannot be recovered from backup after the rolling backup window expires
- Google OAuth tokens are revoked and deleted from the database upon user disconnection or account termination
MPK Development does not retain any personal information beyond the periods specified above except as required by law.
5. Data Export Prior to Deletion
Companies may request a data export at any time during the active subscription. After termination, companies have 12 months to request an export of their data before permanent deletion. Export requests must be submitted to info@opteva.co.za. MPK Development will fulfil export requests within 15 business days.
6. POPIA Alignment
This policy gives effect to the following POPIA principles:
- Section 14 (Minimality): Personal information is retained only as long as necessary for the purpose for which it was collected.
- Section 14(3): Personal information that is no longer required for the original purpose must be destroyed, deleted, or de-identified.
- Section 14(4): MPK Development may retain personal information for longer periods where required by law or legitimate business purposes.
7. Review
This policy is reviewed annually by the Information Officer and updated as necessary to reflect changes in legislation, technology, or business operations.
8. Contact
- Information Officer: Pieter Klynsmith
- Email: info@opteva.co.za
- MPK Development (Pty) Ltd