Skip to main content

Data Retention Policy

Effective: 17 April 2026|
v2026-04-17
Download PDF
Also available in:Turkish (TR)

Data Retention Policy

Generated: 2026-04-17T04:02:34.232Z Status: DRAFT — Pending Legal Review


DATA RETENTION POLICY


Document Reference: SBH-DRP-001 Version: 1.0 Issue Date: 17 April 2026 Next Review Date: 17 April 2027 Document Owner: Umut Dede, Data Protection Officer Approved By: Umut Dede, Director


SummitBridge Horizon Ltd Company Number: 16419201 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ ICO Registration Number: ZC112810 [email protected] | www.summitbridgehorizon.co.uk


TABLE OF CONTENTS

  1. Introduction and Purpose
  2. Scope
  3. Legal Framework
  4. Roles and Responsibilities
  5. Data Retention Schedule
  6. Deletion and Destruction Procedures
  7. Legal Holds and Exceptions
  8. Backup Data Management
  9. AI Training Data
  10. Third-Party and Processor Obligations
  11. Annual Review Schedule
  12. Breach of This Policy
  13. Related Documents
  14. Version Control

1. INTRODUCTION AND PURPOSE

1.1 Purpose

SummitBridge Horizon Ltd ("the Company," "we," "us," or "our") is a business-to-business (B2B) Software-as-a-Service (SaaS) provider delivering AI-powered agent solutions to commercial clients. In the course of our operations, we collect, process, and store significant volumes of personal data and business data across our platform, internal systems, and supporting infrastructure.

This Data Retention Policy ("Policy") sets out the principles, obligations, and procedures that govern how long the Company retains data, how that data is securely disposed of at the end of its retention period, and the limited circumstances in which data may be retained beyond its standard retention period.

1.2 Policy Objectives

This Policy is designed to:

(a) ensure that the Company complies with its legal obligations under applicable data protection legislation, tax law, employment law, and other regulatory requirements;

(b) protect individuals whose personal data we hold by ensuring such data is not kept longer than is necessary;

(c) reduce organisational risk by minimising the volume of data held at any given time;

(d) ensure operational efficiency by establishing clear, consistent standards for data lifecycle management across all teams and systems;

(e) provide transparency to customers, employees, contractors, and other stakeholders regarding how long their data is retained.

1.3 Commitment to UK GDPR Principles

The Company is committed to the principle of storage limitation under Article 5(1)(e) of the UK General Data Protection Regulation ("UK GDPR"), which requires that personal data be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which it is processed. This Policy gives operational effect to that commitment.


2. SCOPE

2.1 Application

This Policy applies to:

(a) all personal data processed by SummitBridge Horizon Ltd, regardless of the medium in which it is held (electronic, paper, or any other format);

(b) all business data held by the Company, including operational, financial, and technical records;

(c) all individuals who create, access, handle, or process data on behalf of the Company, including directors, employees, contractors, consultants, and authorised third-party processors;

(d) all systems and environments operated or managed by the Company, including cloud infrastructure, SaaS platform environments, internal business systems, backup systems, and development environments.

2.2 Geographic Scope

The Company is incorporated in England and Wales and processes data primarily within the United Kingdom. Where data is transferred to or processed in jurisdictions outside the UK, appropriate transfer mechanisms in accordance with UK GDPR Chapter V shall be in place, and this Policy shall continue to apply to those data sets.

2.3 Out of Scope

This Policy does not replace or supersede the Company's Privacy Notice(s), Data Processing Agreements, or contractual data retention obligations agreed with individual customers. Where a customer's Data Processing Agreement specifies a shorter retention period than this Policy, the shorter period shall govern in respect of that customer's personal data processed on their behalf. Where a customer agreement specifies a longer period, legal requirements shall take precedence.


3. LEGAL FRAMEWORK

3.1 Primary Legislation

This Policy is informed by and designed to achieve compliance with the following legislation and regulatory guidance:

Instrument Relevance
UK General Data Protection Regulation (UK GDPR) Core data protection obligations, including storage limitation (Article 5(1)(e)), accountability (Article 5(2)), and data subject rights
Data Protection Act 2018 ("DPA 2018") UK supplementary data protection legislation
Limitation Act 1980 Six-year limitation period for contractual and certain tortious claims, informing retention of commercial records
Companies Act 2006 Obligations in respect of company accounting records (minimum 6 years for public companies; 3 years for private companies, though 6 years is adopted here as best practice)
Value Added Tax Act 1994 and HMRC guidance VAT records must be retained for 6 years
Income Tax (Earnings and Pensions) Act 2003 PAYE and payroll records
Employment Rights Act 1996 Employment record obligations
Health and Safety at Work etc. Act 1974 Incident record-keeping obligations
Network and Information Systems (NIS) Regulations 2018 Security incident logging obligations for digital service providers
Electronic Commerce (EC Directive) Regulations 2002 Records relating to electronic transactions

3.2 Regulatory Guidance

The Company has regard to guidance issued by:

(a) the Information Commissioner's Office (ICO), including the ICO's guidance on storage limitation, records management, and employment practices;

(b) His Majesty's Revenue and Customs (HMRC);

(c) the Financial Conduct Authority (FCA), to the extent applicable;

(d) the National Cyber Security Centre (NCSC).


4. ROLES AND RESPONSIBILITIES

4.1 Data Protection Officer (DPO)

Umut Dede acts as the Company's Data Protection Officer. The DPO is responsible for:

(a) overseeing and maintaining this Policy and ensuring it is reviewed at least annually;

(b) advising staff and management on data retention obligations;

(c) conducting or commissioning periodic audits to verify compliance with retention schedules;

(d) managing the relationship with the ICO (Registration Number: ZC112810);

(e) advising on legal holds and coordinating with legal counsel where applicable.

The DPO can be contacted at: [email protected]

4.2 Director

Umut Dede, as sole director of SummitBridge Horizon Ltd, holds ultimate accountability for compliance with this Policy and for ensuring adequate resources are allocated to its implementation and enforcement.

4.3 All Staff and Contractors

All individuals who access Company systems or handle Company data are responsible for:

(a) understanding and complying with this Policy as it applies to their role;

(b) not storing data beyond its designated retention period without authorisation;

(c) reporting suspected breaches of this Policy to the DPO promptly;

(d) participating in training on data retention as required.

4.4 System Administrators and Technical Staff

Technical personnel responsible for platform and infrastructure management are responsible for:

(a) implementing automated deletion and archiving workflows consistent with this Policy;

(b) maintaining audit trails of deletion events;

(c) applying legal holds to relevant data sets when instructed by the DPO;

(d) ensuring backup configurations comply with the rolling retention periods specified herein.


5. DATA RETENTION SCHEDULE

5.1 Interpretation

The following retention schedule sets out the standard retention periods applicable to each category of data processed by the Company. Unless a legal hold is in place (see Section 7), data shall be deleted or anonymised upon expiry of the applicable retention period.

Where "deletion" is specified, this means secure and irreversible deletion in accordance with Section 6. Where "anonymisation" is specified, this means irreversible anonymisation such that the data can no longer be attributed to an identifiable individual or business.

The retention clock begins on the date specified for each category. Where that date is described as a trigger event (e.g., "contract termination"), the clock begins on the date that event occurs.


5.2 Category 1 — Customer Account Data

Field Detail
Description All data relating to business customer accounts on the SummitBridge Horizon platform, including account registration details, contact information, user credentials (hashed), configuration data, usage records, correspondence, and contractual documents
Includes Personal Data? Yes — contact names, email addresses, telephone numbers of authorised users within customer organisations
Legal Basis for Processing Article 6(1)(b) UK GDPR (performance of contract); Article 6(1)(c) (legal obligation)
Retention Period Duration of the contract + 6 years from the date of contract termination or expiry
Rationale The six-year post-termination period reflects the standard limitation period for contractual claims under the Limitation Act 1980. Retaining account data during this period allows the Company to defend or pursue contractual disputes, demonstrate service delivery, and comply with audit obligations
Trigger Event Date of contract termination, expiry, or account closure
Responsible Owner DPO / Platform Operations
Deletion Method Secure deletion from live systems; removal from backups upon backup expiry per Section 8

5.3 Category 2 — Payment and Financial Records

Field Detail
Description All financial and accounting records, including invoices, receipts, payment confirmations, bank statements, VAT records, purchase orders, expense claims, and any records relating to revenue, expenditure, and assets
Includes Personal Data? Potentially — name and address of individuals acting as sole traders or named on invoices; payment card data is not stored (handled by PCI-DSS compliant processors)
Legal Basis for Processing Article 6(1)(c) UK GDPR (legal obligation)
Retention Period 6 years from the end of the financial year to which the records relate
Rationale HMRC requires businesses to retain VAT records for a minimum of 6 years (Value Added Tax Act 1994, Schedule 11). The Companies Act 2006 requires accounting records to be kept for 3 years (private companies), but 6 years is adopted as best practice and to align with the Limitation Act 1980
Trigger Event End of the relevant financial year
Responsible Owner Director / Finance function
Deletion Method Secure deletion of electronic records; cross-cut shredding of physical records

5.4 Category 3 — Audit Logs

Field Detail
Description System-level and application-level audit logs recording user actions, administrative events, configuration changes, access events, and data processing activities on the SummitBridge Horizon platform, including AI agent interactions attributable to specific user sessions
Includes Personal Data? Yes — user identifiers, IP addresses, timestamps
Legal Basis for Processing Article 6(1)(f) UK GDPR (legitimate interests: security, fraud prevention, compliance demonstration); Article 6(1)(c) (legal obligation under NIS Regulations 2018)
Retention Period 3 years from the date of the logged event
Rationale Three years provides a sufficient window to investigate security incidents, support regulatory enquiries, and respond to legal proceedings, whilst balancing the privacy interests of data subjects. This period exceeds common investigation timescales and aligns with NCSC guidance on log retention for digital service providers
Trigger Event Date of the individual log entry
Responsible Owner DPO / Platform Operations / Security
Deletion Method Automated scheduled deletion; deletion confirmed by audit trail

5.5 Category 4 — AI Agent Event Data

Field Detail
Description Transactional and operational data generated by AI agent executions on the platform, including task inputs, outputs, intermediate steps, tool calls, error states, and performance metrics, where such data is attributable to a specific customer, user, or session
Includes Personal Data? Potentially — depending on the data that the customer's authorised users input into agent workflows
Legal Basis for Processing Article 6(1)(b) UK GDPR (performance of contract — to deliver and improve the service); Article 6(1)(f) (legitimate interests — debugging and service optimisation)
Retention Period 1 year from the date the agent event was generated
Rationale One year provides sufficient time for operational debugging, customer dispute resolution, and short-term service improvement analysis. Beyond this period, the identifiable agent event data is no longer necessary; any longer-term analytical value is captured through anonymisation (see Section 9)
Trigger Event Date of the agent event
Responsible Owner Platform Operations / Engineering
Deletion Method Automated deletion pipeline; residual data in backups removed per Section 8 rolling schedule
Note Where agent event data is anonymised prior to the end of the one-year period, the anonymised data may be retained indefinitely for AI training and improvement purposes (see Section 9). Anonymisation must be genuine and irreversible

5.6 Category 5 — Customer Support Tickets

Field Detail
Description All records of customer support interactions, including helpdesk tickets, email correspondence, live chat transcripts, call recordings (if any), and associated attachments or screenshots submitted in connection with a support request
Includes Personal Data? Yes — names, contact details, and potentially other personal data shared in the course of seeking support
Legal Basis for Processing Article 6(1)(b) UK GDPR (performance of contract); Article 6(1)(f) (legitimate interests — quality assurance, dispute resolution)
Retention Period 2 years from the date the support ticket was marked as resolved or closed
Rationale Two years allows the Company to reference prior support history to improve service quality, handle re-opened issues, and respond to complaints or disputes arising from the original incident. This period is proportionate given the typically operational nature of support content
Trigger Event Date of ticket resolution or closure
Responsible Owner Customer Success / Support Operations
Deletion Method Automated deletion from support platform; review for any escalated matters prior to deletion
Note Where a support ticket relates to a security incident, data breach, or matter subject to a legal hold, the Incident Record (Category 9) or Legal Hold provisions shall govern and may extend retention beyond 2 years

5.7 Category 6 — Marketing Consent Records

Field Detail
Description Records evidencing the consent of individuals (including individuals at customer or prospect organisations) to receive direct marketing communications, including the date and method of consent, the identity of the data subject, the specific consent given, and any subsequent withdrawal of consent
Includes Personal Data? Yes — names, email addresses, consent timestamps, and preference data
Legal Basis for Retention Article 6(1)(c) UK GDPR (legal obligation — to demonstrate valid consent under UK GDPR Article 7); Article 7(1) requires the controller to be able to demonstrate consent was given
Retention Period Duration of the consent (i.e., until withdrawn or lapsed) + 1 year from the date of withdrawal, lapse, or opt-out
Rationale Retaining consent records for one year after withdrawal allows the Company to demonstrate that it acted lawfully in sending communications prior to withdrawal, to defend against complaints to the ICO, and to manage suppression lists effectively. Records of consent withdrawal (suppression records) shall be retained for the same period to prevent inadvertent re-contact
Trigger Event Date of consent withdrawal, opt-out, or lapse
Responsible Owner DPO / Marketing
Deletion Method Deletion of consent record data; suppression list entries may be retained in pseudonymised form to prevent re-contact where technically necessary
Note Suppression records (i.e., records that a person has opted out) may need to be retained in minimal form (e.g., hashed email address) beyond the standard period to prevent inadvertent re-subscription. The DPO shall review such records on a case-by-case basis

5.8 Category 7 — Employee and Contractor Data

Field Detail
Description All data relating to individuals engaged by the Company as employees or contractors, including application documents, identity verification records, employment or service contracts, payroll records, performance reviews, disciplinary records, absence records, expense claims, and termination records
Includes Personal Data? Yes — comprehensive personal data including in some cases special category data (e.g., health information for sick leave)
Legal Basis for Processing Article 6(1)(b) UK GDPR (performance of contract of employment or service); Article 6(1)(c) (legal obligation — employment law, tax law, health and safety); Article 9(2)(b) for special category data (employment law obligations)
Retention Period Duration of employment or engagement + 6 years from the date of termination
Rationale The six-year post-termination period reflects the Limitation Act 1980 limitation period for contractual claims. Employment tribunal claims must ordinarily be brought within 3 months (or up to 6 months for some claims), but discrimination claims under the Equality Act 2010 may be brought within 3 months and subsequent civil proceedings within 6 years. Six years provides adequate protection
Trigger Event Date employment or engagement terminates
Responsible Owner Director / DPO
Deletion Method Secure deletion of electronic records; cross-cut shredding of physical records
Note Payroll and PAYE records shall be retained for a minimum of 6 years in any event in accordance with HMRC requirements. Pension records may be subject to separate, longer retention requirements where applicable

5.9 Category 8 — Data Subject Access Request (DSAR) Records

Field Detail
Description All records relating to the handling of data subject rights requests under UK GDPR, including requests for access (DSARs), erasure, rectification, restriction, portability, and objection. This includes the original request, identity verification records, the Company's response, any internal communications regarding the request, and records of actions taken
Includes Personal Data? Yes — identity of the requestor and potentially other personal data
Legal Basis for Retention Article 6(1)(c) UK GDPR (legal obligation — to demonstrate compliance with data subject rights obligations); Article 5(2) (accountability principle)
Retention Period 3 years from the date the request was completed (i.e., the response was sent or the final action was taken)
Rationale Retaining DSAR records for 3 years allows the Company to demonstrate compliance in the event of an ICO investigation or complaint, bearing in mind the ICO's powers to investigate historical compliance. Three years is proportionate given that ICO complaints are typically made within a relatively short period of the relevant decision
Trigger Event Date of completion of the request
Responsible Owner DPO
Deletion Method Secure deletion; DPO to review prior to deletion to ensure no related proceedings are pending

5.10 Category 9 — Incident Records

Field Detail
Description All records relating to information security incidents, data breaches, near-misses, and any other operational incidents affecting Company systems or data, including incident reports, root cause analyses, remediation plans, and records of notifications made to the ICO or affected data subjects
Includes Personal Data? Potentially — details of affected data subjects may be included in breach records
Legal Basis for Retention Article 6(1)(c) UK GDPR (legal obligation — Article 33(5) requires the controller to document any personal data breaches); Article 6(1)(f) (legitimate interests — organisational learning, legal defence)
Retention Period 5 years from the date the incident was recorded or formally closed
Rationale Five years reflects the potential for regulatory investigations and civil litigation arising from data breaches and security incidents. Article 33(5) UK GDPR requires breach records to be maintained, and the ICO may investigate incidents over an extended period. Five years provides a prudent margin
Trigger Event Date of incident recording or formal closure, whichever is later
Responsible Owner DPO / Security
Deletion Method Secure deletion; DPO to confirm no active ICO investigation or litigation before deleting
Note Where an incident has led to ICO notification, litigation, or regulatory action, a legal hold (see Section 7) shall be applied for the duration of those proceedings plus a further period as advised by legal counsel

5.11 Category 10 — Session and Authentication Logs

Field Detail
Description Logs recording user authentication events (login, logout, failed login attempts, multi-factor authentication events), session tokens, IP addresses, device identifiers, and session duration records generated by the SummitBridge Horizon platform
Includes Personal Data? Yes — IP addresses and user identifiers constitute personal data
Legal Basis for Processing Article 6(1)(f) UK GDPR (legitimate interests — platform security, fraud prevention, detection of unauthorised access)
Retention Period 90 days from the date the session or authentication event was recorded
Rationale Ninety days provides a sufficient window for security monitoring, detection of suspicious access patterns, and investigation of access-related incidents, whilst minimising unnecessary retention of personal data in accordance with the storage limitation principle. Beyond 90 days, granular session data is not required for security purposes
Trigger Event Date of the individual session or authentication event
Responsible Owner Platform Operations / Security
Deletion Method Automated rolling deletion; retention period enforced at infrastructure level
Note Where a specific session record is identified as relevant to a security incident under investigation, it shall be preserved under a legal hold for the duration of that investigation (see Section 7)

5.12 Category 11 — AI Training Data

(See also Section 9 for full treatment of AI training data)

Field Detail
Description Data used or derived for the purpose of training, fine-tuning, evaluating, or benchmarking the Company's AI models and agents, including synthetic data, anonymised interaction data, and labelled datasets
Includes Personal Data? No — AI training data shall only be retained in this category if it has been genuinely and irreversibly anonymised such that no individual can be identified from it, directly or indirectly. Personal data shall not be used for AI training purposes without a separate lawful basis and shall be subject to the retention period applicable to its primary category
Legal Basis for Retention Not applicable — anonymised data falls outside the scope of UK GDPR
Retention Period Indefinite, subject to periodic utility review
Rationale Genuinely anonymised data does not constitute personal data under UK GDPR and is therefore not subject to storage limitation obligations. Indefinite retention of anonymised training data serves the Company's legitimate commercial interest in continuously improving its AI systems
Trigger Event N/A
Responsible Owner Engineering / AI/ML Team
Review Obligation The DPO shall annually review the anonymisation methodology applied to training datasets to confirm that data remains genuinely anonymised and that no re-identification risk has emerged as a result of advances in technology or changes in the data environment

5.13 Retention Schedule Summary Table

# Data Category Retention Period Trigger Event
1 Customer Account Data Contract duration + 6 years Contract termination/expiry
2 Payment / Financial Records 6 years End of relevant financial year
3 Audit Logs 3 years Date of log entry
4 AI Agent Event Data 1 year Date of event
5 Support Tickets 2 years Date of ticket resolution
6 Marketing Consent Records Consent duration + 1 year Date of withdrawal/opt-out
7 Employee / Contractor Data Engagement duration + 6 years Date of termination
8 DSAR Records 3 years Date of completion
9 Incident Records 5 years Date of recording / closure
10 Session / Authentication Logs 90 days Date of event
11 AI Training Data (anonymised) Indefinite N/A
12 Backup Data 30-day rolling Date of backup creation

6. DELETION AND DESTRUCTION PROCEDURES

6.1 General Principles

The Company shall ensure that all data reaching the end of its retention period is deleted or destroyed in a secure and irreversible manner. Deletion shall not be conducted informally or inconsistently. The method of deletion shall be appropriate to the sensitivity of the data and the medium on which it is stored.

6.2 Electronic Data — Standard Deletion

For electronic data held on managed cloud infrastructure and SaaS systems:

(a) Automated deletion pipelines shall be configured for high-volume, time-bounded data categories (Categories 3, 4, 5, 10, and 12), triggering deletion upon expiry of the retention period without manual intervention;

(b) Scheduled manual deletion reviews shall be conducted for lower-volume categories (Categories 1, 2, 7, 8, 9) on a quarterly basis, with the DPO confirming that no legal hold applies before authorising deletion;

(c) Deletion shall use methods that render data irrecoverable, including cryptographic erasure (where data is encrypted and the encryption key is securely destroyed) or secure overwriting compliant with NCSC guidance.

6.3 Electronic Data — Cloud and Third-Party Systems

Where data is held in third-party cloud systems or via sub-processors:

(a) the Company shall issue deletion instructions to relevant processors in accordance with contractual provisions in the applicable Data Processing Agreement;

(b) the Company shall obtain written confirmation from processors that deletion has been completed;

(c) the Company shall retain records of such confirmations as part of its accountability documentation.

6.4 Physical Data

Where data is held in physical form (e.g., printed contracts, physical invoices):

(a) physical documents shall be stored securely in locked facilities for the duration of the applicable retention period;

(b) upon expiry of the retention period, physical documents containing personal data shall be destroyed by cross-cut shredding or by a secure destruction service;

(c) a destruction certificate shall be obtained and retained where a third-party destruction service is used.

6.5 Deletion Records

For each deletion event, the following information shall be recorded and retained for a period of 3 years from the date of deletion:

  • the category of data deleted;
  • the volume of records deleted (approximate);
  • the date and method of deletion;
  • the name of the individual who authorised or performed the deletion;
  • confirmation that no legal hold was in force in respect of the deleted data.

Deletion records are themselves administrative records and shall not contain personal data from the deleted dataset.

6.6 Failed or Incomplete Deletion

Where a scheduled deletion cannot be completed (e.g., due to a technical failure or system error), this shall be reported to the DPO within 5 working days. The DPO shall ensure that the deletion is completed as soon as reasonably practicable and shall document the reason for the delay.

6.7 Anonymisation as an Alternative to Deletion

Where the Company wishes to retain the analytical or operational value of data beyond its retention period, anonymisation may be applied as an alternative to deletion, provided that:

(a) the anonymisation method applied is genuinely irreversible — pseudonymisation (i.e., where re-identification remains possible with a key) does not satisfy this requirement;

(b) the DPO has confirmed in writing that the anonymisation technique is robust and appropriate;

(c) the anonymisation is applied prior to the expiry of the retention period, not retrospectively after the period has passed.


7. LEGAL HOLDS AND EXCEPTIONS

7.1 What Is a Legal Hold?

A legal hold (also known as a litigation hold or preservation notice) is a directive to preserve data beyond its standard retention period because that data is, or may be, relevant to:

(a) actual, threatened, or reasonably anticipated litigation;

(b) a regulatory investigation or enquiry by the ICO, HMRC, or another competent authority;

(c) a formal complaint requiring investigation;

(d) a data subject rights dispute under UK GDPR;

(e) a criminal investigation or law enforcement request.

7.2 Triggering a Legal Hold

A legal hold may be triggered by:

(a) receipt of a claim form, pre-action correspondence, or formal notice of legal proceedings;

(b) receipt of an information notice, assessment notice, or enforcement notice from the ICO;

(c) receipt of a production order, court order, or law enforcement request;

(d) the DPO forming a reasonable belief that litigation or regulatory action is imminent or likely;

(e) a decision by the Director following legal advice.

7.3 Legal Hold Procedure

Upon the triggering of a legal hold:

(a) The DPO shall issue a Legal Hold Notice to all relevant data custodians and system administrators, identifying:

  • the categories of data to be preserved;
  • the relevant time periods;
  • the systems in which the data is held;
  • the reason for the hold;
  • the prohibition on deletion, modification, or destruction of the identified data.

(b) Automated deletion pipelines applicable to the identified data categories shall be suspended for the duration of the legal hold;

(c) The DPO shall maintain a Legal Hold Register, recording:

  • the date the hold was imposed;
  • the scope of the hold;
  • the matter to which it relates;
  • the individuals notified;
  • the date the hold was lifted (once applicable);

(d) The legal hold shall remain in force until the DPO, in consultation with legal counsel, determines that it is no longer required and issues a formal Release Notice.

7.4 Lifting a Legal Hold

A legal hold shall be lifted once:

(a) the relevant litigation, investigation, or dispute has been concluded and all appeal periods have expired;

(b) legal counsel has confirmed in writing that the hold is no longer required;

(c) the DPO has issued a Release Notice.

Upon lifting a legal hold, data that has exceeded its standard retention period shall be deleted in accordance with Section 6 within 30 days of the Release Notice, unless another legal hold or retention obligation applies.

7.5 Statutory Exceptions

Certain statutory obligations may require data to be retained beyond the periods set out in this Policy. In such cases, the statutory obligation shall govern. Examples include:

  • HMRC enquiry windows, which may extend beyond 6 years in cases of fraud or deliberate non-disclosure;
  • Court orders requiring preservation of specific records;
  • Directions from the ICO under its enforcement powers.

Where a statutory exception applies, the DPO shall document the exception, the applicable statutory basis, and the extended retention period.

7.6 Data Subject Rights and Retention

Where a data subject exercises their right to erasure under Article 17 UK GDPR, this Policy does not override the Company's ability to refuse erasure where retention is necessary for compliance with a legal obligation or for the establishment, exercise, or defence of legal claims (Article 17(3)(b) and (e) UK GDPR). The DPO shall assess each erasure request individually and provide a reasoned response to the data subject.


8. BACKUP DATA MANAGEMENT

8.1 Backup Retention Period

Backup data (comprising copies of production data created for business continuity and disaster recovery purposes) shall be retained on a rolling 30-day basis. No backup shall be retained for more than 30 calendar days from the date it was created, unless subject to a legal hold.

8.2 Interaction with Primary Retention Periods

The 30-day rolling backup retention period operates independently of the primary retention periods in Section 5. This means that:

(a) when data is deleted from primary/live systems upon expiry of its retention period under Section 5, that data may remain present in backups for up to 30 days until the backup containing it is itself overwritten or deleted;

(b) this is an accepted and unavoidable consequence of backup architecture and does not constitute a breach of the storage limitation principle, provided backups are not used to restore data that has been intentionally deleted from primary systems at the end of its retention period;

(c) backups shall not be used to restore data solely for the purpose of accessing data that has been deleted from primary systems at the end of its retention period. Restoration shall only occur for legitimate business continuity or disaster recovery purposes.

8.3 Backup Security

All backup data shall be:

(a) encrypted at rest using industry-standard encryption;

(b) stored in geographically separated locations from primary data where reasonably prac

This document is maintained by SummitBridge Horizon Ltd (Companies House: 16419201). For questions, contact [email protected].