Data Retention Policy
Last Updated: 23/07/2025
Version: 1.0
1. Purpose and Scope
This policy defines how long Lingly retains personal data in accordance with UK GDPR requirements. We retain data only as long as necessary for legitimate business purposes and delete it securely when no longer needed.
2. General Principles
-
Lawful basis: We only retain data while we have a lawful basis for processing
-
Proportionality: Retention periods are proportionate to the purpose
-
Regular review: We regularly review stored data and delete when appropriate
-
Secure deletion: All data is securely deleted or anonymized when retention expires
3. Retention Periods by Data Category
3.1 User Account Data
| Data Type | Retention Period | Justification |
|---|---|---|
| Core account info (name, email, phone) | Account lifetime + 12 months after last login | Service provision + potential reactivation |
| Authentication data (password hashes, tokens) | Account lifetime only | Security - deleted immediately on account closure |
| Learning preferences (timezone, daily commitment) | Account lifetime + 6 months | Service personalization |
3.2 Assessment and Learning Data
| Data Type | Retention Period | Justification |
|---|---|---|
| Screening results | 5 years after completion | Certification validity + audit requirements |
| Module progress/completion | 3 years after completion | Skills development tracking |
| Voice recordings (assessments) | 2 years after creation | Assessment verification + quality assurance |
| Practice session transcripts | 18 months after creation | Learning analytics + improvement |
3.3 Communication Data
| Data Type | Retention Period | Justification |
|---|---|---|
| AI conversation logs (roleplay sessions) | 12 months after creation | Service improvement + support |
| Corrections and feedback | 18 months after creation | Learning analytics + AI training |
| Notification logs | 6 months after sending | Delivery tracking + debugging |
3.4 Analytics and System Data
| Data Type | Retention Period | Justification |
|---|---|---|
| Usage analytics (aggregated) | 3 years | Business intelligence + product development |
| Error logs | 12 months | System maintenance + debugging |
| Audit logs | 7 years | Legal compliance + security investigations |
3.5 Marketing and Consent Data
| Data Type | Retention Period | Justification |
|---|---|---|
| Marketing consent records | 3 years after consent withdrawn | Legal compliance + proof of consent |
| Email marketing data | Until consent withdrawn + 30 days | Compliance with marketing regulations |
3.6 Provider/Admin Data
| Data Type | Retention Period | Justification |
|---|---|---|
| Provider admin accounts | Contract lifetime + 6 years | Business relationship + tax/legal requirements |
| Contract and billing data | 6 years after contract end | Tax compliance + dispute resolution |
4. Special Circumstances
4.1 Early Deletion Triggers
Data may be deleted earlier than scheduled if:
-
User exercises right to erasure (Right to be Forgotten)
Account is deleted voluntarily
Data becomes inaccurate and cannot be corrected
Processing becomes unlawful
4.2 Extended Retention
Data may be retained longer than scheduled for:
-
Legal proceedings: Until resolution + 12 months
-
Regulatory investigations: Until resolution + statutory limitation period
-
Safeguarding concerns: Until risk assessed as resolved
4.3 Anonymization Option
Where possible, personal identifiers may be removed to create anonymous datasets for:
Product improvement research
Academic research partnerships
Statistical analysis
Anonymous data is not subject to retention limits.
5. Implementation
5.1 Automated Deletion
We implement automated processes to:
Flag data approaching retention limits
Automatically delete expired data
Generate deletion reports for audit
5.2 Manual Review Process
Monthly review process includes:
Checking for data past retention periods
Reviewing anonymization opportunities
-
Updating retention schedules if business needs change
5.3 User Rights
Users can request:
-
Data deletion before scheduled retention expires
-
Data portability before account closure
-
Information about what data we hold and retention periods
6. Documentation and Audit
We maintain records of:
When data was deleted and by what process
-
Any extended retention decisions and justifications
User deletion requests and responses
Regular retention policy reviews and updates
7. Roles and Responsibilities
-
Data Protection Officer: Policy oversight and compliance monitoring
-
Engineering Team: Implementation of automated deletion systems
-
Customer Success: Handling user deletion requests
-
Legal Team: Reviewing retention periods and regulatory requirements
8. Policy Review
This policy is reviewed annually or when:
Regulations change
Business practices change
New data types are collected
Incidents occur
Contact
For questions about data retention, contact support@lingly.ai or our Data Protection Officer at harry@lingly.ai.