top of page

 

Data Retention Information

 

Data retention
We set fixed retention periods by data category and review them annually in line with the storage limitation principle in Article 5(1)(e) UK GDPR and ICO guidance. Where a legal hold, complaint or claim is ongoing, we pause deletion until the matter is resolved. (Legislation.gov.uk, Information Commissioner's Office)

 

Client and potential client data
• Enquiries and sales leads: 24 months from the date of last meaningful contact.
• Marketing preferences and consent records: kept for as long as we carry out the relevant marketing activity or until you withdraw consent or object. We keep a minimal suppression record indefinitely so we can honour your opt out. (Information Commissioner's Office)

 

Client delivery and contracts
• Engagement files, advice, deliverables and correspondence: 7 years from contract end to support our legitimate interests in establishing, exercising or defending legal claims.
• Data sharing agreements, IDTAs and other transfer safeguards: life of the agreement plus 6 years.
• Records of processing, DPIAs and risk assessments: for the life of the activity plus 6 years.

Financial and tax
• Invoices, purchase records and general accounting records: 6 years from the end of the financial year they relate to. HMRC,  Anti-Money Laundering, Proceeds of Crime legislation, and Companies Act rules may require longer in some cases. (GOV.UK)

 

Security, incidents and compliance
• Security logs and access logs: 12 months unless an investigation requires longer.
• Personal data breach logs, incident files and notifications: 6 years from closure in line with ICO accountability expectations. (Information Commissioner's Office)

 

Data subject rights
• Requests and our responses, including identity checks and correspondence: 3 years from closure, or 6 years where a dispute is raised.

 

Recruitment and HR
• Job applicant data: 6 months from the end of the recruitment process unless you consent to a longer talent-pool period.
• Employee records: 6 years after employment ends, unless a longer period is required by law or to defend a legal claim.

 

Web and communications
• Website analytics data and server logs: up to 14 months.
• Cookies: retained only for their stated lifespan. A full list of cookies and lifespans is available on request.
• Routine call recordings for quality and training: up to 6 months, longer if a complaint or investigation is open. PECR applies to electronic marketing and consent where relevant. (Information Commissioner's Office)

 

Backups and deletion
• Backups are overwritten on a rolling 90-day cycle. When data reaches the end of its retention period, we securely delete or anonymise it. Where anonymisation meets ICO expectations, we may retain aggregated, non-identifiable information for statistics. (Information Commissioner's Office)

 

Legislative basis
These periods reflect our obligations under the UK GDPR, the Data Protection Act 2018 and PECR 2003 as amended, and take account of changes introduced by the Data Use and Access Act 2025 and related ICO commentary. (Legislation.gov.uk, Information Commissioner's Office, GOV.UK)

​

cyberalarm.jpg

Click on the Hiscox icon for insurance details

Hiscox logo.jpg
OGL.jpg
0333 772 1510

Hebborn Consultancy Ltd. is a private company limited by shares, registered in England and Wales number 11479220. ICO registration number ZA768371

Hebborn Consultancy Ltd. Chapman Way Hethel Norfolk  NR14 8FB.

The Company's' registered office is Tedder House Tedder Close Watton Norfolk IP25 6HU

©2026 Hebborn Consultancy Ltd. 

bottom of page