Data Retention Policy
This policy explains how long we keep different types of personal data and our procedures for secure data deletion in compliance with GDPR and UK GDPR.
Last Updated: August 1, 2024
Version: 2.0
🕒 Quick Reference - Retention Periods
| Data Type | Retention Period |
|---|---|
| Active User Accounts | While account is active |
| Inactive Accounts | 3 years after last login |
| Application Data | 2 years after application |
| Marketing Consents | Until withdrawn + 3 years |
| Support Tickets | 3 years after resolution |
| Financial Records | 7 years (legal requirement) |
1. Legal Framework and Principles
GDPR Article 5(1)(e) - Storage Limitation
"Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed."
This policy ensures we comply with the storage limitation principle by defining clear retention periods based on the purposes for which we process personal data.
Key Principles
- Data minimization - collect only what's necessary
- Purpose limitation - retain only for specific purposes
- Regular review of retention periods
- Secure deletion when no longer needed
- Legal obligations consideration
Applicable Laws
- EU General Data Protection Regulation (GDPR)
- UK Data Protection Act 2018 (UK GDPR)
- Companies Act 2006 (financial records)
- Employment law requirements
- Tax and accounting regulations
2. Job Seeker Data Retention
Active User Accounts
Retention Period
Duration: While account remains active (user continues to log in and use services)
Legal Basis: Contract performance, legitimate interests for service improvement
Data Categories
- Profile information and CV data
- Job application history
- Skill assessments and results
- Communication preferences
- Platform usage analytics
Inactive User Accounts
Retention Period
Duration: 3 years after last login or account activity
Deletion Process: Automated review and deletion on rolling basis
Warnings: Email notifications at 2 years, 2.5 years, and 30 days before deletion
Reactivation Options
- Login reactivates account immediately
- Data export available before deletion
- Account recovery options during grace period
- New account creation always possible
Job Application Data
| Data Type | Retention Period | Reason |
|---|---|---|
| Successful applications | 2 years after hire date | Reference purposes, employment records |
| Unsuccessful applications | 12 months after decision | Equality monitoring, potential future opportunities |
| Withdrawn applications | 6 months after withdrawal | Statistical analysis, process improvement |
| Interview recordings/notes | 6 months after decision | Feedback purposes, dispute resolution |
3. Company and Employer Data Retention
Active Company Accounts
Business Information
- Company profile: While account active
- Contact details: While account active + 1 year
- Billing information: 7 years (legal requirement)
- Tax records: 7 years (HMRC requirement)
Recruitment Data
- Job postings: 2 years after posting ends
- Candidate interactions: 18 months
- Hiring decisions: 2 years
- Equality data: 12 months
Inactive Company Accounts
Retention Schedule
- Basic profile: 5 years after last login
- Financial records: 7 years (legal requirement)
- Contract data: 6 years after termination
- Communication records: 3 years
Special Considerations
- Legal disputes: Retained until resolved + 3 years
- Regulatory investigations: As required by authorities
- Ongoing contracts: Until fulfillment + 6 years
- Data processing agreements: 3 years after termination
4. Technical and Analytics Data
Website Analytics and Usage Data
| Data Category | Retention Period | Storage Method | Purpose |
|---|---|---|---|
| Google Analytics data | 26 months (automatically deleted) | Anonymized/Aggregated | Website optimization |
| Server logs | 90 days | IP addresses masked after 7 days | Security, performance monitoring |
| Error logs | 1 year | Personal data redacted | Technical debugging |
| Security logs | 2 years | Encrypted storage | Incident investigation |
| Performance metrics | 18 months | Aggregated only | Service improvement |
Cookies and Tracking Data
Essential Cookies
- Duration: Session only
- Auto-deletion: Browser close
- Content: Authentication tokens
Functional Cookies
- Duration: 30 days maximum
- Auto-deletion: Expiry date
- Content: User preferences
Marketing Cookies
- Duration: 12 months maximum
- Consent-based: Can be withdrawn
- Content: Advertising identifiers
5. Communication and Marketing Data
Email Marketing and Communications
Active Subscribers
- Email addresses: Until unsubscribed
- Preferences: Until updated/withdrawn
- Engagement data: 2 years rolling
- Segmentation data: While relevant
Unsubscribed Users
- Suppression list: Indefinitely (legal compliance)
- Historical data: 3 years after unsubscribe
- Preference history: 1 year
- Unsubscribe reason: 2 years
Customer Support Communications
Support Tickets
- Open tickets: Until resolved + 90 days
- Closed tickets: 3 years after closure
- Escalated issues: 5 years
- Legal complaints: 7 years
Communication Records
- Chat transcripts: 2 years
- Phone call logs: 1 year (metadata only)
- Email correspondence: 3 years
- Feedback surveys: 2 years
6. Data Deletion Procedures
Automated Deletion Process
System Automation
- Daily automated scans for expired data
- Flagging system for manual review
- Multi-stage deletion process
- Audit logs of all deletion activities
- Exception handling for legal holds
Deletion Standards
- NIST 800-88 secure deletion guidelines
- Multiple overwrite passes for sensitive data
- Cryptographic erasure where applicable
- Physical destruction of hardware when needed
- Certificate of destruction for compliance
Manual Review and Exceptions
Legal Holds
- Litigation preservation
- Regulatory investigations
- Audit requirements
- Dispute resolution
Business Continuity
- Active contract obligations
- Financial audit trails
- Insurance claim support
- Tax compliance records
Security Incidents
- Breach investigation data
- Forensic evidence
- Law enforcement requests
- Security monitoring logs
Data Subject Deletion Requests
Right to Erasure Process
- Request verification within 72 hours
- Identity confirmation procedures
- Legal basis assessment
- Exception evaluation (if applicable)
- Deletion execution within 30 days
- Confirmation to data subject
Scope of Deletion
- Primary data stores
- Backup systems
- Log files and archives
- Third-party processors
- Cached and temporary data
- Analytics and reporting systems
7. Monitoring and Compliance
Regular Policy Reviews
Review Schedule
- Annual review: Complete policy assessment
- Quarterly review: Retention periods evaluation
- Monthly review: Deletion process efficiency
- Ad-hoc review: Triggered by law changes
Review Criteria
- Legal and regulatory updates
- Business process changes
- Technology system updates
- Data subject feedback
- Incident learnings
Audit and Documentation
Audit Trail Requirements
- All deletion activities logged
- User authentication records
- System access monitoring
- Exception approvals documented
- Regular audit reports generated
Documentation Standards
- Data flow mapping maintained
- Retention justifications documented
- Legal basis assessments recorded
- Third-party processor agreements
- Incident response documentation
8. Contact Information and Questions
Data Protection Team
Data Protection Officer: support@skillthrive.io
Privacy Team: support@skillthrive.io
Legal Team: support@skillthrive.io
Subject Rights Requests
Online Form: /legal/privacy-request
Email: support@skillthrive.io
Post: Data Protection Team, Asterix Technologies LLP, 167-169 Great Portland Street, London W1W 5PF
Questions About Data Retention?
Contact our Data Protection team or submit a privacy rights request to exercise your data rights.