Data retention policy
How long we keep each kind of information, and when it is deleted. UK tax and company law require financial records to be kept for six years; we hold them for seven to cover the full period plus the current year.
Retention schedule
- Financial and accounting records
- Invoices, invoice lines, payments and allocations, expenses, ledger (journal) entries, and the supporting documents uploaded against them (supplier invoices, statements, generated PDFs). Kept for 7 years from the end of the financial year they belong to.
- Year-end snapshots
- A closed year-end snapshot and its per-leaseholder balances are a permanent accounting record. They are never deleted while the organisation is live, and are removed only if the organisation itself is closed.
- Audit log
- The record of who changed what. Kept for 7 years from the date of each event. Entries that concern an individual leaseholder are kept until that leaseholder's own records have also expired. Entries that evidence a data-protection request or a retention deletion are marked protected and are never deleted — they are the proof-of-compliance trail.
- Account and contact records
- User accounts, organisation memberships, leaseholder records, and tenancy records. Kept for as long as they are linked to a financial record still inside its retention window. A user with no remaining membership or leaseholder link is removed 12 months after their last activity.
- Outbound email log
- A copy of system emails (invitations, invoice notifications, reminders) retained for support and debugging. Kept for 90 days, then deleted. It is not a legal record.
- Setup and year-end working sessions
- The temporary state of the onboarding wizard and the close-year workflow. Deleted 30 days after the workflow is completed.
- Error monitoring data
- Technical error reports sent to our monitoring provider are retained by that provider for 30 days and then permanently deleted. See the privacy notice for what these reports contain.
Deletion on request
Separately from the schedule above, you can ask us to delete personal data about you. Where the law lets us act on that request we will; where we are required to keep a record (for example, financial records still inside the seven-year window) we will tell you, and we will restrict the data to that legal purpose rather than keep using it. See your rights in the privacy notice.
How deletion happens
Deletion is automated. A scheduled job runs daily and removes records that have passed the windows above. Each run is itself recorded in the audit log so there is a verifiable history of what was deleted and when.
Changes to this policy
We review these windows periodically. If they change, the updated schedule is published here. Material changes are notified to organisation administrators.