Data Retention Policy

Last updated: April 2026

1. Introduction

This Data Retention Policy describes how Keyton ApS ("we", "us", "Keyton"), operating the Attensus platform, retains, archives, and deletes data. We retain data only as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, and support the legitimate operation of our services.

Data Controller: Keyton ApS CVR: 44301958 Copenhagen, Denmark Contact: hello@attensus.com

2. Data Categories and Retention Periods

Account Data

Account data is retained for as long as the account is active and the service agreement is in effect.

Operational Data

Operational data is retained for the duration of the service agreement. Customers may delete individual datasets, forecasts, or configurations at any time through the platform interface.

Audit Logs

Audit logs are append-only and retained for 2 years to support compliance, security investigations, and accountability requirements. Audit logs cannot be modified or deleted during the retention period.

System Backups

Backups older than 30 days are automatically and permanently deleted.

Usage and Server Logs

Server logs contain minimal information (timestamps, request paths, status codes) and do not include personal data beyond IP addresses, which are truncated.

3. Data Deletion on Account Closure

When an account is closed or a data purge is requested:

1. Within 24 hours: Active sessions are terminated and access is revoked.
2. Within 30 days: All account data, operational data, forecast results, ETL configurations, and associated files in object storage are permanently deleted from production systems.
3. Within 60 days: Data is removed from all backup systems as existing backups rotate out.
4. Exception — Audit logs: Audit log entries are retained for the remainder of their 2-year retention period, after which they are permanently deleted. This is necessary for compliance and security purposes.

4. How to Request Data Deletion

Customers can request deletion of their data through either of the following methods:

• Self-service: Navigate to Settings in the Attensus platform to delete individual datasets or request full account data deletion.
• Email: Send a request to dpo@attensus.com. We will acknowledge your request within 2 business days and complete deletion within 30 days.

Deletion requests are processed in accordance with GDPR Article 17 (Right to Erasure). We will verify the identity of the requester before processing any deletion request.

5. Data Export Before Deletion

Before requesting account closure or data deletion, we recommend exporting your data. You can export your operational data and forecast results through the platform's export functionality. You may also request a full data export by contacting dpo@attensus.com.

6. Legal Holds

In the event of a legal proceeding, regulatory investigation, or audit, relevant data may be placed on a legal hold, overriding the standard retention periods. Data under legal hold will be retained until the hold is lifted, after which normal retention schedules resume.

7. Compliance

This policy is designed to comply with:

• GDPR (Regulation (EU) 2016/679) — particularly the data minimization principle (Article 5(1)(e)) requiring that personal data is kept no longer than necessary
• Danish Data Protection Act (Databeskyttelsesloven)
• ePrivacy Directive (Directive 2002/58/EC)

8. Review

This policy is reviewed annually and updated as necessary to reflect changes in our practices, legal requirements, or regulatory guidance.

9. Contact

For questions about data retention or deletion:

• Data Protection Officer: dpo@attensus.com
• General inquiries: hello@attensus.com
• Supervisory authority: Datatilsynet — www.datatilsynet.dk