Data Retention

This document explains how long oklido retains different types of data and when it's deleted.

Retention Principles

Our data retention follows these principles:

Purpose limitation - Keep data only as long as needed
Legal compliance - Meet regulatory retention requirements
User control - Honour deletion requests
Security - Secure deletion when retention ends

Retention Schedule

Account Data

Data Type	Active Account	After Deletion
Profile information	Duration of account	30 days
Authentication data	Duration of account	Immediate
Preferences	Duration of account	30 days

Documents

Data Type	Retention	After Deletion
Uploaded documents	Until deleted	30 days (soft delete)
Document metadata	Until deleted	30 days
Extracted text	Until deleted	30 days

Operational Data

Data Type	Retention
Audit logs	7 years
Security logs	7 years
Error logs	30 days
Performance metrics	90 days

Billing Data

Data Type	Retention	Basis
Invoices	7 years	UK tax law
Payment records	7 years	UK tax law
Subscription history	7 years	UK tax law

Communication Data

Data Type	Retention
Support tickets	3 years
Email communications	3 years

Deletion Process

When You Delete Documents

Document moves to "Deleted" (soft delete)
Recoverable for 30 days
After 30 days, permanently deleted
Backups retained for 90 days then purged

When You Delete Your Account

Account deactivated immediately
Documents moved to deletion queue
Data deleted within 30 days
Some data retained per legal requirements

What's Retained After Account Deletion

For legal and security reasons:

Data	Retention	Reason
Billing records	7 years	UK tax law
Audit logs	7 years	Security/compliance
Anonymised analytics	Indefinite	Product improvement

Data Deletion Rights

Your Rights

Under GDPR, you can request deletion of:

Your account and profile
Your documents
Your activity history

How to Request Deletion

Self-service: Settings → Account → Delete Account
Support: Email privacy@oklido.com

What We Cannot Delete

Data required by law (billing, audit logs)
Data needed to fulfil legal obligations
Anonymised aggregate data

Backup Retention

Backup Schedule

Backup Type	Frequency	Retention
Database	Daily	30 days
Documents	Real-time replication	N/A
Configuration	On change	90 days

Backup Deletion

When data is deleted:

Production data deleted immediately
Next backup cycle excludes deleted data
Old backups expire per retention schedule
Complete purge within 90 days

External User Data

Beneficiary Data

Data	Retention
Profile	Until access revoked + 30 days
Access logs	7 years

Guest Data

Data	Retention
Access records	Until expiration + 30 days
Access logs	7 years

Data Subject Requests

Response Times

Request Type	Response Time
Access request	30 days
Deletion request	30 days
Rectification	30 days

Process

Verify identity
Locate all data
Process request
Confirm completion

Compliance

Our retention practices comply with:

GDPR - Data minimisation, storage limitation
UK DPA 2018 - Same as GDPR
UK tax law - 7 year retention for financial records
Cyber Essentials - Security log retention

Changes to This Policy

We review this policy annually. Material changes are communicated via email.

Last updated: January 2026

Questions

For data retention questions:

Email: privacy@oklido.com