This page explains how long we keep different types of personal data and what happens to that data when it is no longer needed. It should be read alongside our Privacy and cookies policy and the other GDPR pages in this section.
The principle is simple: we don’t keep personal data for longer than we reasonably need it, unless we have to keep it for legal or regulatory reasons.
Our retention principles
When deciding how long to keep data, we consider:
- the purpose we collected it for
- any legal or regulatory requirements
- the impact of keeping it longer than necessary
- the practicalities of deletion from live systems and backups
We aim to keep retention rules small and sensible rather than building a separate rule for every possible field.
Typical retention periods
The table below shows typical retention periods for the main categories of data we handle. Actual periods may vary slightly depending on the services you use and any specific agreements we have with you.
| Data type | Typical retention | Reason |
|---|---|---|
| Customer account and contract details | For the duration of your relationship with us, plus up to 7 years | To administer your account, manage services and meet legal and tax requirements. |
| Contact details of customer staff | For as long as they are an active contact, plus a short period afterwards | So we can support and communicate with the right people; then removed or updated when people change roles or leave. |
| Support tickets and logs | Typically 3-7 years | To provide support history, investigate recurring issues and evidence our actions if needed. |
| Monitoring and security logs | From weeks to months, depending on the system | To detect and investigate security events, and to meet operational needs. |
| Website and application data hosted on Cultrix Cloud | For the duration of the hosting agreement; removed when the service ends | We keep hosted data while your service is active and for a short period afterwards to allow for migration. |
| Microsoft 365 data covered by our backup service | In line with the chosen backup plan and for as long as the service is in place | Backups are retained to meet the agreed recovery requirements. |
| Financial records (invoices, payment records) | At least 6-7 years | To meet legal and tax obligations. |
| Marketing contact details | Until you unsubscribe or we consider the record inactive | To keep in touch about services, where permitted; we remove or suppress records if you opt out. |
These periods are reviewed periodically and may be adjusted, for example if legal requirements change.
How deletion works in practice
When data reaches the end of its retention period, we aim to:
- delete it from live systems; or
- anonymise it so it can no longer be linked to an identifiable person.
In some cases, for example where data is part of a financial record or legal file, we may need to keep it for longer even if you ask us to delete it. Where that’s the case, we will let you know.
Backups and archived copies
Backups exist to help us recover from incidents, not to create a second copy of everything forever. This does have some implications for deletion:
- when we delete or anonymise data in live systems, older copies may still exist in backups for a time
- those backups are kept for limited periods and then overwritten, in line with our backup policies
- we do not normally edit individual records inside backup archives
If we restore from backup, we will apply any necessary deletions or changes as part of the recovery process or shortly afterwards, where practicable.
Your responsibilities as a customer
As our customer, you remain responsible for:
- deciding how long you keep data in your own systems and records
- defining retention policies for your organisation
- instructing us where you need specific deletions carried out in systems we manage for you
We can help you understand what is technically possible in systems we manage, so you can build realistic retention policies of your own.
Your rights
You have a number of rights under data protection law, including the right to ask us to delete personal data in certain circumstances. These are explained on our Your rights page.
Our Privacy and cookies policy explains how to contact us to exercise those rights.
More information
If you need more detail about retention for a particular system or service, or if you are working through an internal policy or audit, please contact us. We can usually provide the information you need quickly.