Data Retention & User Rights

5.1 Our Position

AssetIndex is not a vault that holds you hostage to your records. Your registry exists to serve you, and you should be able to walk away with everything you have entered, at any time, for any reason — or no reason at all.

This policy describes the practical mechanics of those rights.

5.2 What We Store and For How Long

a. Account Data

Your name, email address, hashed password, and account settings are retained for as long as your account is active. If you delete your account, this data is removed from our active systems.

b. Asset Metadata and Trusted Contacts

The records you create — asset names, descriptions, your written instructions, designated contacts — are retained while your account exists. They are removed when you delete the account or when you delete individual records.

c. Audit and Security Logs

Limited operational logs (failed login attempts, IP addresses, request timestamps) are retained for up to 30 days for security and abuse prevention. These logs do not contain your asset records — only metadata about platform usage.

d. Disclosure Logs

If a disclosure event occurs, the record of that event — including timestamp, contact identifiers, and permission levels applied — is retained as part of the platform's audit trail. This is retained for longer than security logs (typically up to 7 years) because it represents a legally significant action that the platform performed under your direction.

e. Backups

Encrypted backups may briefly contain your data after deletion for operational redundancy. These backups are rotated and overwritten on a regular schedule, with full removal occurring within 30 days of account deletion.

5.3 Your Rights Under UK GDPR

You have the following rights, all of which we are committed to honouring:

a. Right of Access

You can request a copy of all personal data we hold about you. We will provide this in a structured, commonly-used format within 30 days of the request (in line with UK GDPR Article 12).

b. Right to Rectification

You can correct or update any information about yourself. Most fields are directly editable within your account. For fields you cannot edit yourself, contact us and we will make the correction promptly.

c. Right to Erasure ("Right to be Forgotten")

You can request that we delete your personal data. Your asset records, contact list, and account information will be removed from our active systems within 30 days. Backup removal follows the schedule described in section 5.2(e).

Some information may need to be retained for legal or accounting purposes (for example, records of disclosure events that already occurred). We will tell you specifically what cannot be deleted and why.

d. Right to Restrict Processing

You can ask us to pause our processing of your data while a dispute or query is resolved. During restriction, we will retain your data but not actively process it.

e. Right to Data Portability

You can request an export of your data in a structured, machine-readable format (typically JSON or CSV). This allows you to take your records to another service if you choose to do so.

f. Right to Object

You can object to specific types of processing. Where you object to processing required to operate the platform, we may not be able to continue providing the service — but we will clearly explain this before any action is taken.

g. Right to Withdraw Consent

Where we rely on your consent for any processing, you can withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing that occurred before the withdrawal.

h. Right to Complain

If you believe we have not handled your data properly, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):

• Website: ico.org.uk
• Phone: 0303 123 1113
• Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

5.4 How to Exercise These Rights

To exercise any of the rights above, send an email to hello@assetindex.io from the email address registered with your account. Please specify:

• The right you wish to exercise (access, deletion, export, etc.).
• Any specific details about the request.

We will acknowledge your request within 7 days and complete it within 30 days. If your request is unusually complex, we may extend by up to 60 additional days — we will notify you in advance if this applies.

Identity verification may be required for sensitive requests, particularly account deletion, to ensure that requests are genuinely from the account holder.

5.5 No Cost

Exercising your rights under UK GDPR is free of charge. We may, in line with UK law, charge a reasonable fee only if a request is manifestly unfounded or excessive — for example, repetitive requests for the same data within a short period. Such fees would be communicated in advance.

5.6 What Happens to Your Trusted Contacts' Data

The names and email addresses of contacts you have designated as trusted are stored only to enable the disclosure process you have set up. We do not contact your trusted contacts for any other purpose, do not include them in any list, and do not share their information with third parties.

Your trusted contacts have their own data rights with respect to the limited information we hold about them. If a designated contact wishes to be removed, they can email us directly at hello@assetindex.io.

5.7 Contact

For any questions about data retention, your rights, or to make a request:

Email: hello@assetindex.io

Postal: Nexvira Technologies Ltd, United Kingdom