Data Retention Policy

1. Purpose

This policy establishes the process and responsibilities for retaining and deleting client and user data in compliance with:

  • General Data Protection Regulation (GDPR)
  • UK data protection legislation
  • Internal governance standards
  • Contractual obligations

The policy ensures that personal data is kept secure, retained only as long as necessary, and deleted in a verifiable, auditable manner.


2. Scope

This policy applies to:

  • All teams responsible for managing, processing, or storing client and user data
  • All systems including:
    • Databases (production and development)
    • Application systems
    • Backup systems and archives
    • Log files and monitoring systems
    • CDN caches and temporary storage
    • Third-party processors and data shared with partners
    • Any other data stores used for operational purposes


3. Data Retention Periods

3.1 Non-Financial Client Data

  • Retention Period: Six (6) months from the date of contract termination
  • Rationale: Allows for contractual wind-down, dispute resolution, and final reconciliation
  • Deletion Deadline: As agreed with the client, and no later than 6 months after contract termination

3.2 Financial Records (including Client Financial Data containing personal data)

  • Retention Period: Six (6) years from the end of the financial year to which the records relate, unless a longer retention period is required by law, regulatory obligation, or where necessary for the establishment, exercise, or defence of legal claims
  • Relevant Legislation:
    • Corporation Tax Act 2009
    • VAT Act 1994
    • Companies Act 2006
    • Limitation Act 1980

3.3 Database Backups

  • Retention Period: One (1) year
  • Backup Handling: Backups containing deleted client data will be:
    • Marked with deletion metadata to prevent restoration of deleted records
    • Overwritten in the next backup cycle after data deletion
    • Subject to automated purge scripts that remove deleted client data from backup snapshots where technically and financially feasible

3.4 User Data (Individual Deletion Requests)

  • Response Time: Within thirty (30) calendar days of receipt of request
  • Retention: No retention period; deletion must be completed within the 30-day window


4. Deletion Triggers and Workflow

4.1 Individual User Data Deletion Request

Trigger Events (both required):

  1. Email request received at dpo@synchtank.net from the user
  2. Deletion, provided no financial data is attached to the user, within 30 days of receipt of the request

Workflow:

  1. Request received and logged
  2. Identity verification performed (the user must confirm ownership of the user data)
  3. Deletion

Priority Handling: If a user deletion request is received during an active contract or within the 6-month post-termination window, the user request takes precedence and must be completed within 30 days, unless attached financial records prevent this.


5. Data Deletion Requirements

5.1 Deletion Scope

The assigned team must delete/anonymize ALL data associated with the client or user from:

Core Systems:

  • Production databases
  • Application file systems
  • User-generated content stores

Supporting Systems:

  • Application logs (retain only anonymized/aggregated data if needed for security)
  • Monitoring and analytics systems
  • Error tracking systems (e.g., Sentry)
  • CDN caches and edge locations
  • Search indexes
  • Queue systems and message brokers

Third-Party Systems:

  • Issue deletion instructions to any third-party processors
  • Document confirmation of deletion from partners

Backups:

  • Mark deleted entities in backup metadata

5.2 Deactivation Before Deletion

Before deletion, the client or user must be:

  1. Deactivated in all authentication systems
  2. Removed from all access control lists
  3. Flagged as “pending deletion” in relevant systems
  4. Prevented from any further data generation

5.3 Deletion Method

  • Databases: Delete or anonymize personal information
  • File Systems: Secure deletion tools
  • Backups: Metadata marking and automated purge where possible
  • Third Parties: Formal deletion requests with confirmation required


6. Verification and Documentation

6.1 Evidence Requirements

Upon completing a deletion based on a request, the assigned engineer must collect and log the following (this does not apply to automated deletion/anonymization after the retention period has expired):

  1. Third-Party Confirmations: Email confirmations from any external processors
  2. Timestamp Evidence: Exact date and time of each deletion action


7. Audit Trail

7.1 Regular Compliance Audits

Frequency: Quarterly

Conducted By: Data Protection Officer (DPO) or designated Data Protection Representative

Audit Scope:

  • Review all completed offboarding tickets from the previous quarter
  • Verify that documentation and policies are up to date and valid
  • Spot-check systems to confirm data was actually deleted and that automated removal systems are working
  • Report findings to CTO and CFO


8. Responsibilities

8.1 Data Protection Officer (DPO) / Data Protection Representative

  • Conduct quarterly compliance audits
  • Advise on retention periods and legal requirements
  • Handle escalations and complex cases
  • Maintain audit log access and oversight
  • Report compliance status to executive team

8.2 Third-Party Vendor Managers

  • Maintain current list of all data processors with reasons/requirements for personal data processing
  • Issue deletion instructions to relevant vendors
  • Obtain and document deletion confirmations
  • Inform DPO of any vendor non-compliance


9. Review and Updates

This policy will be reviewed:

  • Annually on or before the policy anniversary date
  • Upon any change to relevant legislation
  • Upon any personnel changes affecting the positions mentioned
  • When business practices change


10. Questions and Support

For questions about this policy, deletion requests, or data information requests, contact the DPO at: dpo@synchtank.net


Appendix 1: Document retention schedule

Personal Data records:

Type of record | Retention period | Where is it stored? | Reason | Method of deletion
First and Last name | Personal information is sanitized 6 months after user account deletion | Database | User account creation / authentication | Deletion
Email (serves as username) | Personal information is sanitized 6 months after user account deletion | Database | User account creation / authentication | Deletion
Password (hashed) | Personal information is sanitized 6 months after user account deletion | Database | User account creation / authentication | Deletion
IP address | Personal information is sanitized 6 months after user account deletion | Database | User account creation / authentication | Deletion
Physical address (Address, City, State, Country, Postal code) | Personal information is sanitized 6 months after user account deletion | Database | User account creation / authentication | Deletion of Address, City, Postal code
Employment information (Business type, Company, Position in Company) | Personal information is sanitized 6 months after user account deletion | Database | Marketing / reporting | Deletion of Company, Position in Company
Phone | Personal information is sanitized 6 months after user account deletion | Database | User account creation / authentication | Deletion
Gender | Personal information is sanitized 6 months after user account deletion | Database | User account creation / authentication | Deletion
Web referral URL | Personal information is sanitized 6 months after user account deletion | Database | User account creation | Deletion
User preferences information (Playlists, Favorites) | Personal information is sanitized 6 months after user account deletion | Database | User account creation | Kept, as after anonymization it is not linked to any person
System usage history (Action performed, IP address, Email (username), URL where action was initiated from, Browser agent information and version) | Personal information is sanitized 6 months after user account deletion | Database | User account creation | Deletion of IP address, any links to Email and other personal data, URL, Browser agent information

Appendix 2: Personal Data sub-processors

Sub-processor | Data processed | Reason for processing | Other information
AWS | All personal information is stored and processed on AWS for all purposes | AWS is used as an infrastructure provider and as such all data, including databases and physical files, is stored with AWS | AWS is certified under the UK-U.S. DPF and as such transfers of data from the EU/EEA to the U.S. are not "international transfers" as defined in GDPR (https://www.dataprivacyframework.gov/list)
Sendgrid | Name of user; Email address of user; User playlist link in case of sharing a playlist/favorites | Used for sending emails / marketing (if subscribed) | 
Mandrill | Name of user; Email address of user; User playlist link in case of sharing a playlist/favorites | Used for sending emails / marketing (if subscribed) | 