Data Retention & Destruction Policy
Last updated: 7 April 2026
1. Purpose
This policy defines how long Tapnet Solutions (Pty) Ltd ("Tapnet") retains personal information collected through hustler.co.za and all other websites, applications, and digital services operated by Tapnet, and the procedures for secure destruction of data once the retention period expires, in compliance with POPIA Section 14.
2. Principles
- Personal information is retained only for as long as it is needed for the purpose for which it was collected, or as required by law
- Once the retention period expires, data is permanently destroyed so it cannot be reconstructed (POPIA Section 14(4))
- If data was used to make a decision about a person, it is retained long enough for them to request access (POPIA Section 14(2))
- Financial records are retained for the minimum periods required by South African tax legislation
3. Retention Schedule
| Data category | Retention period | Legal basis | Destruction method |
|---|---|---|---|
| User account data (name, email, password hash) | Duration of account + 1 year after account deletion | POPIA S14 (purpose fulfilled) | Permanent deletion from database |
| Profile & services (bio, listings, photos) | Duration of account; deleted upon account deletion | Contract performance | Permanent deletion from database and storage |
| Quotes & invoices | 5 years from date of creation | Tax Administration Act S29 | Permanent deletion after 5 years |
| Analytics data (page views, clicks, hashed IPs) | 24 months from the date of collection | POPIA S14 (purpose limitation) | Automatic batch deletion |
| Consent records | 5 years from date of consent (to demonstrate compliance) | POPIA accountability obligation | Permanent deletion after 5 years |
| Data subject requests | 3 years from date of completion | POPIA accountability obligation | Permanent deletion after 3 years |
| Subscription/payment records | 5 years from date of transaction | Tax Administration Act | Permanent deletion after 5 years |
| Email communications | 3 years from date sent | ECTA requirements | Deletion from email service provider |
4. Account Deletion Process
When a user requests account deletion:
- The request is logged and processed within 30 days
- Profile, services, and public content are removed immediately from the platform
- Account data (name, email) is retained for 1 year in case of disputes, then permanently deleted
- Financial records (quotes, invoices) are retained for 5 years as required by tax law, then permanently deleted
- Analytics data linked to the profile is anonymised (profile ID removed)
- Consent records are retained for 5 years to demonstrate compliance
5. Destruction Methods
- Database records: Permanent deletion (SQL DELETE) from the PostgreSQL database. Neon (our database provider) handles physical storage destruction.
- Uploaded files (photos, receipts): Permanent deletion from cloud storage. Files are not recoverable after deletion.
- Backups: Database backups are automatically cycled by Neon. Deleted data is purged from backups within the backup retention window (typically 7-30 days).
- Logs: Application logs containing personal information are automatically rotated and deleted within 30 days.
6. Automated Retention Enforcement
The platform implements automated processes to enforce retention limits:
- Analytics events older than 24 months are automatically deleted via scheduled task
7. Exceptions
Data may be retained beyond the stated periods if:
- Required by a court order or law enforcement request
- Needed for ongoing legal proceedings
- The data subject has given specific consent for extended retention
8. Contact
Information Officer: Wynand de Beer
Email: wynand@tapnet.co.za
Phone: 079 174 8357