Data Retention Policy

Retention Periods at a Glance

Data Category	Retention Period	Trigger Event	Legal Basis
Customer account data	Contract term + 7 years	Contract termination	UK tax law, Limitation Act 1980
Customer CRM/contact data (Platform)	Contract term + 30 days	Contract termination	Contractual (processor obligation)
Payment and financial records	7 years	Date of transaction	HMRC, Finance Act 1998
Support tickets and correspondence	3 years	Date of last interaction	Limitation Act 1980
Security and audit logs	12 months	Date of event	UK GDPR — proportionality
Marketing consent records	Active + 1 year post-withdrawal	Date of withdrawal	PECR, UK GDPR Article 7
Employee and contractor data	Employment term + 6 years	Date of termination	Limitation Act 1980, HMRC
Legal correspondence	7 years from resolution	Date of resolution/execution	Limitation Act 1980
CCTV footage	30 days	Date of recording	ICO guidance

1. Purpose and Scope

1.1 Purpose

This Data Retention Policy establishes the periods for which Avantwerk retains personal data and the procedures by which data is securely deleted or anonymised upon expiry of those periods. The policy is designed to ensure compliance with the storage limitation principle set out in Article 5(1)(e) of the UK General Data Protection Regulation (UK GDPR) and with the Data Protection Act 2018.

1.2 Scope

This policy applies to:

• all personal data processed by Avantwerk in connection with the provision of the Avantwerk AI Work Platform to customers in the United Kingdom;
• all personal data processed by Avantwerk in its capacity as a data controller (for example, customer account data, marketing records, and support interactions);
• all personal data processed by Avantwerk in its capacity as a data processor on behalf of its customers (for example, contact and CRM data stored within the Platform by customers); and
• all Avantwerk employees, contractors, and sub-processors handling personal data in connection with the Platform or Avantwerk's business operations.

1.3 Exclusions

This policy does not govern the retention of anonymous or fully pseudonymised data that cannot reasonably be used to identify an individual, nor does it govern the retention of aggregated statistical data used for business analytics.

2. Legal Basis and Principles

2.1 Storage Limitation Principle

Article 5(1)(e) of the UK GDPR requires that personal data be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Avantwerk is committed to respecting this principle and will not retain personal data beyond the periods specified in this policy unless a lawful exception applies (see Section 8).

2.2 Accountability

Avantwerk, as data controller, is responsible for and must be able to demonstrate compliance with the principles set out in Article 5 of the UK GDPR. This policy forms part of Avantwerk's accountability framework.

2.3 Purpose Limitation

Personal data will be retained only for the purposes for which it was originally collected, or for compatible purposes. Where data is retained beyond its original purpose (for example, for compliance or legal obligations), this is noted in Section 4 below.

2.4 Data Minimisation

Where data is retained for compliance purposes, Avantwerk will apply data minimisation practices, retaining only the minimum amount of data necessary to satisfy the applicable legal obligation.

3. Roles and Responsibilities

4. Data Categories and Retention Periods

4.1 Customer Account Data

Retention: Contract term + 7 years

Description: Name, email address, company name, billing address, account credentials (hashed), subscription tier, and account activity logs.

Legal basis: 7-year post-termination period satisfies HMRC record-keeping requirements (Taxes Management Act 1970) and general limitation periods under the Limitation Act 1980.

Role: Data controller.

4.2 Customer CRM and Contact Data (Platform Data)

Retention: Contract term + 30 days

Description: Contact records, CRM data, interaction histories, notes, tags, and other data uploaded or generated by customers within the Avantwerk Platform.

Legal basis: Avantwerk processes this data on behalf of the customer as a data processor. The 30-day export window aligns with the customer's right to data portability.

Role: Data processor (on behalf of the customer as controller).

4.3 Payment and Financial Records

Retention: 7 years

Description: Records of transactions, invoices, subscription fees charged, payment method identifiers (tokenised card details, not full card numbers), refunds, and billing correspondence.

Legal basis: HMRC requires records relevant to a business's tax return be kept for at least 6 years (Finance Act 1998 and HMRC guidance). An additional year is applied as a buffer for late assessments.

Role: Data controller.

4.4 Customer Support Tickets and Correspondence

Retention: 3 years

Description: Support tickets, email correspondence with the support team, live chat transcripts, and records of resolutions and escalations.

Legal basis: 3 years provides adequate coverage for claims that may arise from a support interaction, within the general 6-year limitation period but applying the more specific period for consumer service matters.

Role: Data controller.

4.5 Security and Audit Logs

Retention: 12 months

Description: Platform access logs, login events, failed authentication attempts, administrative action logs, IP addresses, and security monitoring data.

Legal basis: Security logs are retained for 12 months to support incident investigation, breach notification obligations, and forensic analysis. Retention beyond this period is disproportionate to the purpose.

Role: Data controller.

4.6 Marketing Consent Records and Communications

Retention: Active + 1 year post-withdrawal

Description: Records of marketing consent (opt-in), consent timestamps, consent text presented at opt-in, email unsubscribe records, and copies of marketing communications sent.

Legal basis: Retention for 1 year post-withdrawal is necessary to demonstrate compliance with PECR and UK GDPR Article 7(1) in the event of a regulatory enquiry or individual complaint.

Role: Data controller.

4.7 Employee and Contractor Personal Data

Retention: Employment term + 6 years

Description: Personnel records, payroll data, contracts of employment, performance records, disciplinary records, and tax information for Avantwerk employees and contractors.

Legal basis: The 6-year post-termination period aligns with limitation periods for employment claims under the Limitation Act 1980 and HMRC PAYE record-keeping obligations.

Role: Data controller.

4.8 Legal Correspondence and Documentation

Retention: 7 years from resolution

Description: Legal notices, correspondence with solicitors, court documents, regulatory correspondence, internal legal memoranda, and contractual documentation.

Legal basis: The 7-year period covers the primary limitation period for contract claims (6 years under the Limitation Act 1980) plus a 1-year buffer, and reflects HMRC requirements.

Role: Data controller.

4.9 CCTV Footage (if applicable)

Retention: 30 days

Description: CCTV footage from any Avantwerk business premises. Avantwerk is a primarily remote and cloud-based business; CCTV is not currently in operational use but this entry is included for future applicability.

Legal basis: The ICO recommends a maximum of 31 days for routine CCTV retention in the absence of a specific investigation.

5. Data Deletion Procedures

5.1 Automated Deletion

Where technically feasible, Avantwerk implements automated deletion processes that trigger upon expiry of the applicable retention period. Automated deletion applies principally to:

• customer CRM and contact data stored on the Platform (deleted 30 days post-cancellation);
• security and audit logs (deleted 12 months after the date of the logged event); and
• other categories of data where the deletion trigger is a clearly defined event recorded in Avantwerk's systems.

5.2 Manual Review and Deletion

For categories of data requiring judgment prior to deletion (for example, legal correspondence or employee records subject to a legal hold), the DPO conducts an annual review and approves deletion where no exception applies.

5.3 Secure Deletion

All deletion of personal data is performed using processes that render the data unrecoverable. For data held in cloud environments, deletion instructions are issued to the relevant sub-processor in accordance with their published data deletion procedures. Avantwerk will, upon request from an authorised party, provide a certificate of deletion.

5.4 Anonymisation as an Alternative to Deletion

Where Avantwerk requires data for legitimate statistical or analytical purposes beyond the retention period, it may anonymise the data rather than delete it. Anonymised data is not subject to the UK GDPR and may be retained indefinitely. Avantwerk will only apply anonymisation where the process is genuinely irreversible.

5.5 Deletion Logs

Avantwerk maintains logs of data deletion activities. These logs record the category of data deleted, the date of deletion, the method of deletion, and the individual or automated process responsible. Deletion logs are themselves retained for 3 years.

6. Customer Data Export and Post-Cancellation Procedures

6.1 Export Window

Upon cancellation or non-renewal of a subscription, customers will have a 30-day window during which they may export their data from the Platform. This export window begins on the date of account cancellation or subscription expiry (whichever is earlier).

6.2 How to Export

Customers may export their data using the Platform's built-in export functionality: Settings > Data > Export. Exports are provided in commonly used, machine-readable formats (CSV, JSON, or equivalent).

6.3 Deletion After the Export Window

After the 30-day export window has expired, all customer CRM and contact data will be permanently deleted from the Platform and from Avantwerk's sub-processors' systems. This deletion cannot be reversed.

6.4 Notification

Avantwerk will send a reminder to the customer's registered email address 7 days before the expiry of the export window, noting that their data will be permanently deleted upon expiry.

7. Right to Erasure (UK GDPR Article 17)

7.1 Right to Erasure

Under Article 17 of the UK GDPR, individuals have the right to request erasure of their personal data where one of the following grounds applies:

• the personal data is no longer necessary in relation to the purposes for which it was collected;
• the individual withdraws consent and there is no other legal basis for processing;
• the individual objects to processing under Article 21 and there are no overriding legitimate grounds;
• the personal data has been unlawfully processed; or
• erasure is required to comply with a legal obligation.

7.2 Response Timeframe

Avantwerk will respond to a valid right to erasure request within 30 calendar days of receipt. Where the request is complex or Avantwerk receives a high volume of requests, this period may be extended by a further 2 months, in which case Avantwerk will notify the individual of the extension and the reason within the initial 30-day period.

7.3 How to Submit a Request

7.4 Exceptions to the Right to Erasure

The right to erasure does not apply where retention is necessary:

• for compliance with a legal obligation under UK law (for example, HMRC record-keeping obligations);
• for the establishment, exercise, or defence of legal claims;
• for reasons of public interest in the area of public health; or
• for archiving purposes in the public interest, scientific research, or statistical purposes where erasure would seriously impair those purposes.

Where an exception applies, Avantwerk will inform the individual which exception applies and why, and will specify when, if ever, the data will be deleted.

8. Exceptions and Legal Holds

8.1 Legal Hold

Where Avantwerk reasonably anticipates or is involved in litigation, a regulatory investigation, or any legal proceedings, it may place a legal hold on data that would otherwise be due for deletion. A legal hold suspends the automatic deletion process for the affected data until the hold is lifted.

8.2 Approval of Legal Holds

Legal holds must be approved in writing by the Legal team and notified to the DPO. The Legal team will specify the categories of data subject to the hold, the reason for the hold, and the expected duration.

8.3 Lifting Legal Holds

Legal holds will be lifted as soon as the matter giving rise to the hold has been resolved. Upon lifting the hold, data will be assessed against the applicable retention periods and deleted or retained accordingly.

8.4 Regulatory Requirements

Where a regulatory authority requires Avantwerk to retain specific data beyond the periods set out in this policy, Avantwerk will comply with that requirement. The DPO will document the regulatory requirement and the extended retention period.

8.5 Ongoing Disputes

Where an individual has raised a complaint or dispute regarding a refund or a data-related matter that has not yet been resolved, data relevant to that dispute may be retained until the dispute is finally resolved, notwithstanding the standard retention periods.

9. Third-Party and Sub-Processor Data

9.1 Sub-Processor Obligations

Where personal data is processed by Avantwerk's sub-processors (including HighLevel Inc., Google Cloud Platform, Amazon Web Services, Mailgun Technologies, Twilio Inc., Stripe Inc., and Cloudflare Inc.), Avantwerk's contracts with those sub-processors include obligations to:

• process personal data only on Avantwerk's documented instructions;
• delete or return all personal data upon termination of the sub-processing arrangement; and
• assist Avantwerk in fulfilling its data deletion and erasure obligations.

9.2 Data Flows and Transfers

Where personal data is transferred to sub-processors outside the United Kingdom, such transfers are governed by the applicable transfer mechanism as set out in Avantwerk's Data Processing Agreement (UK International Data Transfer Agreement or equivalent standard contractual clauses).

9.3 Third-Party Integrations

Where customers connect third-party applications to the Avantwerk Platform (for example, via API integrations), Avantwerk is not responsible for the data retention practices of those third parties. Customers are responsible for ensuring their use of third-party integrations complies with applicable data protection law.

10. Backups and Archiving

10.1 Backup Retention

Avantwerk maintains automated backups of Platform data for business continuity purposes. Backups are retained for a maximum of 30 days, after which they are overwritten or deleted. Where a retention period for a particular category of data has expired, that data will be excluded from subsequent backups at the next scheduled deletion cycle.

10.2 Archiving

Where data is moved to an archive tier (for example, for compliance record-keeping), access controls are applied to ensure that archived data can only be accessed by authorised personnel for specified purposes. Archived data is subject to the same retention periods as live data.

10.3 Restoration from Backup

If personal data that has been deleted is subsequently restored from a backup (for example, following a system failure), the restored data will be re-deleted at the earliest practicable opportunity if the retention period has expired.

11. Policy Review

11.1 Annual Review

This policy will be reviewed by the DPO annually, or following any significant change to:

• Avantwerk's processing activities or data flows;
• applicable UK data protection legislation or ICO guidance;
• Avantwerk's sub-processor arrangements; or
• any other factor that materially affects the basis on which retention periods have been set.

11.2 Version Control

Any amendments to this policy will be recorded in the Version History table. Material changes affecting customer rights will be communicated to customers via email and by publication on the Avantwerk website.

12. Contact Details

For any questions regarding this policy or Avantwerk's data retention practices, please contact us.