Data Retention and Compliance

How long is click data retained and does this meet data privacy requirements?

Updated over a week ago

Lunio retains log-level data for a two-year period.

Under GDPR, the principle of data minimisation requires personal data to be limited to what is necessary for specific purposes. When it comes to fraud detection, particularly in bot and botnet detection, retaining log-level data, including IP addresses, for two years is reasonable.

Long-Term Pattern Analysis

Fraudulent activity, especially through bots, often involves sophisticated techniques that unfold over long periods. Attackers frequently use methods like changing IP addresses or launching sporadic attacks. A two-year retention period allows for comprehensive pattern analysis, helping to detect these threats over time. Shorter periods may leave gaps in identifying fraud, reducing the effectiveness of detection systems.

Data Minimisation and Proportionality

While GDPR stresses minimising data, it also allows for data retention when necessary for legitimate purposes like security and fraud prevention. A two-year period strikes a balance by providing enough time to analyse fraud patterns (including year-on-year seasonality comparisons) without holding onto data unnecessarily. This aligns with GDPR's data minimisation principle while ensuring effective fraud prevention. Note that the only data in scope is the IP address, and it is not combined with other data that would elevate its sensitivity.
