Data Retention Policy
Version 2.0 - Effective 2026-07-08 - Change log
Template document: review by a qualified data-protection lawyer or DPO before commercial reliance. Not legal advice.
We keep personal data only as long as necessary for the purpose it was collected, in line with the storage-limitation principle of the EU GDPR and UK GDPR. Retention is set per client deployment and enforced automatically, not left to manual housekeeping.
Retention by record type
| Record type | What it contains | Default retention | How it is enforced |
|---|---|---|---|
| Lead records | Name, contact details, enquiry category, outcome, de-identified summary | The controller's configured retentionDays (default 365 days) |
Automated purge script deletes leads older than the configured period on a schedule |
| Bookings | Appointment details linked to a lead | Deleted with the linked lead | Cascades with lead deletion |
| Consent records | Consent timestamp and consent policy version | Kept with the lead record | Deleted when the lead record is deleted |
| Audit log | Event metadata only, no personal data | Retained for accountability | Contains no personal data, so storage limitation does not bite; reviewed periodically |
| Raw chat transcripts | Full conversation text | Not stored by default | If a controller enables transcript storage, transcripts carry the same or shorter retention than the linked lead |
| Backups | Managed database provider backups | Provider's rolling backup schedule | Deleted data ages out of backups within the provider's backup cycle; backups are not used to restore purged records |
| Browser localStorage | Conversation state held on the visitor's own device | 24 hours by default (persistHours) |
Expires automatically; the visitor can clear it at any time via their browser (see the Cookie Notice) |
How the purge works
- A scheduled purge script runs against every client deployment and deletes lead records created before the cutoff implied by that client's
retentionDayssetting. - The period is configurable per client (controller), so each firm can set the retention its own analysis requires.
- Deletion of a lead removes the linked booking and consent records with it.
What we do not keep
- Raw chat transcripts, unless the controller expressly enables transcript storage.
- Free-text contact details in AI-bound messages: these are redacted before AI processing.
- AI provider content copies for training: the AI sub-processor operates under no-training commercial terms with short bounded retention (a zero-data-retention arrangement is on our roadmap and will be reflected here once in place).
- Lead alert emails contain a de-identified summary, not raw chat content; retention of the notification itself is governed by the controller's own mailbox policies.
Notes and overrides
- Erasure requests override retention. A valid erasure request under the EU GDPR or UK GDPR is honoured ahead of the configured retention period. See the DSAR procedure.
- Special-category data is minimised by design (structured capture, redaction of free text, no transcripts by default) and, where any is retained, it is subject to the same or shorter retention than the containing lead record.
- Controller instructions govern. As processor, we apply the retention the controller configures; the controller remains responsible for choosing a period it can justify. See the DPA.
Recommendation for sensitive intake
Firms handling sensitive intake, including legal intake involving prospective clients, commonly configure 90 to 180 days for records of prospects who do not engage. Following recent US case law on pre-engagement AI conversations, shorter retention of unconverted prospect data is widely recommended as confidentiality hygiene for prospective clients, and it aligns with the storage-limitation principle of the EU GDPR and UK GDPR. The per-client retentionDays setting supports this directly: agree the period during onboarding (see the Client Onboarding Compliance SOP) and the purge enforces it without further action.
This document is a GDPR-aligned template and must be reviewed by a qualified data-protection lawyer or DPO before commercial reliance. It is not legal advice.