Bybull Record Retention Policy
Last Updated: February 21, 2026
This Record Retention Policy describes the types of data Bybull collects, how long we retain it, and the legal basis for retention. This policy complies with the Nigeria Data Protection Regulation (NDPR), the Nigeria Data Protection Act (NDPA), the California Consumer Privacy Act (CCPA/CPRA), Central Bank of Nigeria (CBN) record-keeping directives, and applicable financial regulations.
1. Retention Schedule
| Data type | Retention | Legal basis |
| --- | --- | --- |
| Account profile (name, email) | Duration of account + 5 years after deletion | CBN record-keeping; AML regulations; tax compliance |
| Transaction records (on-ramp, off-ramp, swaps) | 5 years from transaction date | CBN AML/CFT Regulations; Money Laundering (Prevention and Prohibition) Act; FinCEN BSA requirements |
| KYC/identity verification data (BVN hash) | Duration of account + 5 years after deletion | CBN KYC requirements; AML compliance |
| Exchange API credentials (encrypted) | Duration of account; deleted immediately upon account deletion or unlinking | Contractual necessity; no regulatory retention required |
| Bank account details (encrypted) | Duration of account; anonymized upon account deletion | Contractual necessity; transaction record integrity |
| AI conversation history | Session-based only; cleared when session expires | Data minimization principle (NDPR/NDPA) |
| Transaction PIN (bcrypt hash) | Duration of account; deleted upon account deletion or PIN reset | Security and contractual necessity |
| Security logs (login attempts, PIN failures, abuse flags) | 1 year from event date | Fraud prevention; legitimate interest; incident response |
| AML transaction flags | 5 years from flag date | Suspicious Transaction Report obligations; CBN AML/CFT Regulations; FinCEN BSA |
| Consent records | Duration of account + 5 years (proof of lawful processing) | NDPR/NDPA accountability; CCPA compliance |
| Cookie consent preferences | 1 year from consent date (browser-side) | User preference |
| Price alert configurations | Duration of account; deleted upon account deletion | Contractual necessity |
2. Account Deletion and Data Anonymization
When you request account deletion:
- Your email address and name are immediately anonymized (replaced with non-identifying placeholders).
- API credentials and bank account details are permanently deleted.
- Transaction records are retained in anonymized form for the legally required retention period (5 years).
- KYC verification hashes are retained for the legally required period but cannot be used to identify you without the original data.
- Your account is marked as deleted and cannot be reactivated.
3. Data Disposal
When retention periods expire, data is disposed of using the following methods:
- Database records: Permanently deleted from production databases and all replicas.
- Encrypted data: Encryption keys are destroyed, rendering the data unrecoverable, before the underlying data is deleted.
- Backups: Expired data is excluded from new backup cycles. Existing backups containing expired data are overwritten within the backup rotation schedule (maximum 90 days).
- Logs: Automatically purged based on the retention schedule through log rotation policies.
4. Legal Holds
If data is subject to a legal hold (e.g., pending litigation, regulatory investigation, or law enforcement request), the applicable retention period is extended until the hold is released. Legal holds override the standard retention schedule and any deletion requests for the affected data.
5. Your Rights Regarding Retained Data
You may request information about what data we retain about you and for how long. To exercise your data access, correction, or deletion rights, see the "Your Rights" section in our Privacy Policy or contact privacy@bybull.ai.
6. Policy Updates
This policy is reviewed annually and updated as regulatory requirements change. Material updates will be communicated through the consent management process described in our Privacy Policy.