Even the data protection regulations which have been in force for over 20 years advise that personal data should not be held for any longer than is strictly necessary, and this matters for two reasons. Firstly, from the data subject's perspective it is reassuring to know that their data is not being used for purposes other than the one for which it was originally provided, and is not kept once that purpose has been fulfilled. Secondly, from the data controller's point of view, it makes sense to concentrate on protecting the data they actually need rather than also having to protect data they no longer have any reason to hold.
GDPR is stricter still. Data must not be held or processed without a clear lawful basis, which for us is typically one of the following:
- explicit consent of the individual;
- contractual obligation to be able to provide services to the customer;
- legitimate interest or legal obligation, where the data must be retained to meet the company's obligations to third parties, e.g. financial accounts.
When customers cease their subscriptions to our services, the first two of these legal bases fall away, so we wipe all personal data and retain only the bare minimum needed to meet our remaining obligations, e.g. invoices issued to and payments received from customers.
Deletion (anonymisation) of data and files
When a customer ceases an account, the account is marked with a "cleanse date" 60 days from the cease date, after which all personal data will be removed from the account. The account owner is informed on cancellation that the data will be queued for deletion and cannot be recovered after this period.
We do not delete the records from the database outright, but rather anonymise them by removing all personal identifiers such as names, email addresses, postal addresses, phone numbers, dates of birth, etc. The replacement values are not derived from the original data, so the anonymised records cannot be reconstructed or matched back to the individuals to whom they originally belonged.
We have opted for the anonymisation option rather than full deletion since the large volumes of activity and transactions can provide invaluable insights into the performance of the application, as well as the property industry within which our customers operate, and all of this can help us improve our product offering for the future.
All files and documents which have been uploaded by customers to the product platform will be completely and irreversibly removed from the file storage server.
Data will be retained in a number of encrypted backups for up to one year to assist with troubleshooting, which means personal data that has been anonymised in the live database may still exist in a backup for up to a year after the cease date. These backups are stored in a separate location within the platform, and access is restricted to a small team of trusted admin users within the company, not to the general development team.
Suspended accounts are not queued for deletion, since these may be reactivated. Suspensions often happen when otherwise active customers. However, the suspension list is reviewed monthly, and accounts which remain suspended for a period with no contact from the customer will eventually be ceased and then queued for deletion in the normal manner outlined above.
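The cleanse-date process described above (ceased accounts anonymised 60 days after cease, transactions retained, suspended accounts left alone) can be expressed as a small batch job. The following is an added example written for this page, not the product's own code; it assumes a simplified schema with an accounts table carrying the personal identifier columns and a separate transactions table, and uses an in-memory SQLite database with constructed sample records. The security-relevant detail is that the replacement email is a random token rather than a hash of the original: a deterministic hash (even a salted one, if the salt is kept) is pseudonymisation, since anyone holding the salt can confirm a guessed address by re-hashing it, and that would not satisfy the "cannot be reconstructed" statement above.

```python
"""Cleanse-date anonymisation of ceased accounts (illustrative, assumed schema)."""
import secrets
import sqlite3
from datetime import date, timedelta

CLEANSE_PERIOD_DAYS = 60  # retention window stated in the policy

# Personal-identifier columns that are overwritten at the cleanse date (assumed schema).
PII_COLUMNS = ("name", "email", "postal_address", "phone", "date_of_birth")

SCHEMA = """
CREATE TABLE accounts (
    id INTEGER PRIMARY KEY,
    name TEXT, email TEXT UNIQUE, postal_address TEXT, phone TEXT, date_of_birth TEXT,
    status TEXT NOT NULL,        -- active | suspended | ceased
    cleanse_date TEXT,           -- ISO date, set when the account is ceased
    anonymised_on TEXT           -- ISO date, set once the cleanse has run
);
CREATE TABLE transactions (
    id INTEGER PRIMARY KEY,
    account_id INTEGER NOT NULL REFERENCES accounts(id),
    amount_pence INTEGER NOT NULL,
    occurred_on TEXT NOT NULL
);
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def add_account(conn, name, email, address, phone, dob, status="active") -> int:
    cur = conn.execute(
        "INSERT INTO accounts (name, email, postal_address, phone, date_of_birth, status) "
        "VALUES (?, ?, ?, ?, ?, ?)", (name, email, address, phone, dob, status))
    return cur.lastrowid


def cease_account(conn, account_id: int, ceased_on: date) -> date:
    """Mark the account ceased and stamp it with a cleanse date 60 days out."""
    cleanse = ceased_on + timedelta(days=CLEANSE_PERIOD_DAYS)
    conn.execute("UPDATE accounts SET status='ceased', cleanse_date=? WHERE id=?",
                 (cleanse.isoformat(), account_id))
    return cleanse


def anonymise_due_accounts(conn, today: date) -> list:
    """Overwrite PII on ceased accounts whose cleanse date has passed.

    Only status='ceased' rows are selected, so suspended accounts are never touched.
    Transactions are left intact; only the identifier columns on the account change.
    """
    due = conn.execute(
        "SELECT id FROM accounts WHERE status='ceased' AND anonymised_on IS NULL "
        "AND cleanse_date <= ?", (today.isoformat(),)).fetchall()
    ids = [row[0] for row in due]
    for account_id in ids:
        # Random placeholder, not derived from the old address: there is nothing to
        # re-hash or look up, so the original value cannot be recovered or confirmed.
        placeholder = f"anonymised-{secrets.token_hex(8)}@invalid"
        conn.execute(
            "UPDATE accounts SET name=NULL, email=?, postal_address=NULL, phone=NULL, "
            "date_of_birth=NULL, anonymised_on=? WHERE id=?",
            (placeholder, today.isoformat(), account_id))
    conn.commit()
    return ids


def personal_data(conn, account_id: int) -> dict:
    # Column names come from the PII_COLUMNS constant above, never from user input.
    row = conn.execute(f"SELECT {', '.join(PII_COLUMNS)} FROM accounts WHERE id=?",
                       (account_id,)).fetchone()
    return dict(zip(PII_COLUMNS, row))


def transaction_count(conn, account_id: int) -> int:
    return conn.execute("SELECT COUNT(*) FROM transactions WHERE account_id=?",
                        (account_id,)).fetchone()[0]


def demo() -> dict:
    """Constructed sample run: one active, one suspended, two ceased accounts."""
    conn = open_db()
    today = date(2024, 6, 1)
    active = add_account(conn, "A. Example", "a@example.com", "1 High St", "01234 567890", "1980-01-01")
    suspended = add_account(conn, "B. Example", "b@example.com", "2 High St", "01234 567891", "1981-01-01",
                            status="suspended")
    old = add_account(conn, "C. Example", "c@example.com", "3 High St", "01234 567892", "1982-01-01")
    recent = add_account(conn, "D. Example", "d@example.com", "4 High St", "01234 567893", "1983-01-01")
    for acct in (active, suspended, old, recent):
        conn.execute("INSERT INTO transactions (account_id, amount_pence, occurred_on) VALUES (?, 1999, ?)",
                     (acct, "2024-01-15"))
    cease_account(conn, old, today - timedelta(days=61))     # past its cleanse date
    cease_account(conn, recent, today - timedelta(days=10))  # still inside the 60-day window
    anonymised = anonymise_due_accounts(conn, today)
    return {
        "anonymised": anonymised,
        "old_pii": personal_data(conn, old),
        "recent_pii": personal_data(conn, recent),
        "old_transactions": transaction_count(conn, old),
        "suspended_status": conn.execute("SELECT status FROM accounts WHERE id=?",
                                         (suspended,)).fetchone()[0],
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() anonymises only the account ceased 61 days ago: its name, address, phone and date of birth become NULL, its email becomes a random placeholder, and its transaction row survives, while the account ceased 10 days ago and the suspended account keep their data. A real job would also need to remove the customer's uploaded files from file storage, which this example does not cover.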