Data Retention Policy

This policy explains how long we keep different types of personal data and our procedures for secure data deletion in compliance with GDPR and UK GDPR.

Last Updated: August 1, 2024

Version: 2.0

🕒 Quick Reference - Retention Periods

  • Active User Accounts: While account is active
  • Inactive Accounts: 3 years after last login
  • Application Data: 2 years after application
  • Marketing Consents: Until withdrawn + 3 years
  • Support Tickets: 3 years after resolution
  • Financial Records: 7 years (legal requirement)

1. Legal Framework and Principles

GDPR Article 5(1)(e) - Storage Limitation

"Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed."

This policy ensures we comply with the storage limitation principle by defining clear retention periods based on the purposes for which we process personal data.

Key Principles

  • Data minimization - collect only what's necessary
  • Purpose limitation - retain only for specific purposes
  • Regular review of retention periods
  • Secure deletion when no longer needed
  • Legal obligations consideration

Applicable Laws

  • EU General Data Protection Regulation (GDPR)
  • UK Data Protection Act 2018 (UK GDPR)
  • Companies Act 2006 (financial records)
  • Employment law requirements
  • Tax and accounting regulations

2. Job Seeker Data Retention

Active User Accounts

Retention Period

Duration: While account remains active (user continues to log in and use services)

Legal Basis: Contract performance, legitimate interests for service improvement

Data Categories

  • Profile information and CV data
  • Job application history
  • Skill assessments and results
  • Communication preferences
  • Platform usage analytics

Inactive User Accounts

Retention Period

Duration: 3 years after last login or account activity

Deletion Process: Automated review and deletion on a rolling basis

Warnings: Email notifications at 2 years, 2.5 years, and 30 days before deletion

Reactivation Options

  • Login reactivates account immediately
  • Data export available before deletion
  • Account recovery options during grace period
  • New account creation always possible

Job Application Data

Data Type | Retention Period | Reason
Successful applications | 2 years after hire date | Reference purposes, employment records
Unsuccessful applications | 12 months after decision | Equality monitoring, potential future opportunities
Withdrawn applications | 6 months after withdrawal | Statistical analysis, process improvement
Interview recordings/notes | 6 months after decision | Feedback purposes, dispute resolution

3. Company and Employer Data Retention

Active Company Accounts

Business Information

  • Company profile: While account active
  • Contact details: While account active + 1 year
  • Billing information: 7 years (legal requirement)
  • Tax records: 7 years (HMRC requirement)

Recruitment Data

  • Job postings: 2 years after posting ends
  • Candidate interactions: 18 months
  • Hiring decisions: 2 years
  • Equality data: 12 months

Inactive Company Accounts

Retention Schedule

  • Basic profile: 5 years after last login
  • Financial records: 7 years (legal requirement)
  • Contract data: 6 years after termination
  • Communication records: 3 years

Special Considerations

  • Legal disputes: Retained until resolved + 3 years
  • Regulatory investigations: As required by authorities
  • Ongoing contracts: Until fulfillment + 6 years
  • Data processing agreements: 3 years after termination

4. Technical and Analytics Data

Website Analytics and Usage Data

Data Category | Retention Period | Storage Method | Purpose
Google Analytics data | 26 months (automatically deleted) | Anonymized/Aggregated | Website optimization
Server logs | 90 days | IP addresses masked after 7 days | Security, performance monitoring
Error logs | 1 year | Personal data redacted | Technical debugging
Security logs | 2 years | Encrypted storage | Incident investigation
Performance metrics | 18 months | Aggregated only | Service improvement

Cookies and Tracking Data

Essential Cookies

  • Duration: Session only
  • Auto-deletion: Browser close
  • Content: Authentication tokens

Functional Cookies

  • Duration: 30 days maximum
  • Auto-deletion: Expiry date
  • Content: User preferences

Marketing Cookies

  • Duration: 12 months maximum
  • Consent-based: Can be withdrawn
  • Content: Advertising identifiers

5. Communication and Marketing Data

Email Marketing and Communications

Active Subscribers

  • Email addresses: Until unsubscribed
  • Preferences: Until updated/withdrawn
  • Engagement data: 2 years rolling
  • Segmentation data: While relevant

Unsubscribed Users

  • Suppression list: Indefinitely (legal compliance)
  • Historical data: 3 years after unsubscribe
  • Preference history: 1 year
  • Unsubscribe reason: 2 years

Customer Support Communications

Support Tickets

  • Open tickets: Until resolved + 90 days
  • Closed tickets: 3 years after closure
  • Escalated issues: 5 years
  • Legal complaints: 7 years

Communication Records

  • Chat transcripts: 2 years
  • Phone call logs: 1 year (metadata only)
  • Email correspondence: 3 years
  • Feedback surveys: 2 years

6. Data Deletion Procedures

Automated Deletion Process

System Automation

  • Daily automated scans for expired data
  • Flagging system for manual review
  • Multi-stage deletion process
  • Audit logs of all deletion activities
  • Exception handling for legal holds

Deletion Standards

  • NIST 800-88 secure deletion guidelines
  • Multiple overwrite passes for sensitive data
  • Cryptographic erasure where applicable
  • Physical destruction of hardware when needed
  • Certificate of destruction for compliance

Manual Review and Exceptions

Legal Holds

  • Litigation preservation
  • Regulatory investigations
  • Audit requirements
  • Dispute resolution

Business Continuity

  • Active contract obligations
  • Financial audit trails
  • Insurance claim support
  • Tax compliance records

Security Incidents

  • Breach investigation data
  • Forensic evidence
  • Law enforcement requests
  • Security monitoring logs

Data Subject Deletion Requests

Right to Erasure Process

  • Request verification within 72 hours
  • Identity confirmation procedures
  • Legal basis assessment
  • Exception evaluation (if applicable)
  • Deletion execution within 30 days
  • Confirmation to data subject

Scope of Deletion

  • Primary data stores
  • Backup systems
  • Log files and archives
  • Third-party processors
  • Cached and temporary data
  • Analytics and reporting systems

7. Monitoring and Compliance

Regular Policy Reviews

Review Schedule

  • Annual review: Complete policy assessment
  • Quarterly review: Retention periods evaluation
  • Monthly review: Deletion process efficiency
  • Ad-hoc review: Triggered by law changes

Review Criteria

  • Legal and regulatory updates
  • Business process changes
  • Technology system updates
  • Data subject feedback
  • Incident learnings

Audit and Documentation

Audit Trail Requirements

  • All deletion activities logged
  • User authentication records
  • System access monitoring
  • Exception approvals documented
  • Regular audit reports generated

Documentation Standards

  • Data flow mapping maintained
  • Retention justifications documented
  • Legal basis assessments recorded
  • Third-party processor agreements
  • Incident response documentation

8. Contact Information and Questions

Data Protection Team

Data Protection Officer: support@skillthrive.io

Privacy Team: support@skillthrive.io

Legal Team: support@skillthrive.io

Subject Rights Requests

Online Form: /legal/privacy-request

Email: support@skillthrive.io

Post: Data Protection Team, Asterix Technologies LLP, 167-169 Great Portland Street, London W1W 5PF

Questions About Data Retention?

Contact our Data Protection team or submit a privacy rights request to exercise your data rights.