MessageBird will either return or delete (or both) as instructed by the customer. However, in compliance with the applicable laws and regulations, we only retain personal data when we have a specified purpose that allows us to keep it. Our legal obligations include:

• Detection and prevention of misuse of MessageBird's services and products (such as fraud, phishing and other fraudulent behaviour), for which account holder data, traffic data and content data are retained for 6 months after the electronic communication;

• Financial purposes; obligations from the Dutch tax authorities and EU MOSS, for which invoices and personal data related to it are retained for 7-10 years;

• Proof of exercising rights has been fulfilled. MessageBird has to be able to show that requests made have been fulfilled based on the Dutch General Administrative Law Act (Algemene Wet Bestuursrecht), for which confirmation emails and closed tickets are kept for 5 years;

• Provision of the services, for which account holder data is retained for as long as the service is used.