Data Retention Policy

This policy supports compliance with UK GDPR Article 5(1)(e) - the storage limitation principle. It applies to all personal data held by Crowd Risk Analysis Ltd in connection with the AboutCrowds platform.

AboutCrowds | aboutcrowds.com  ·  Version 1.0  ·  Effective 1 April 2026

Data Retention Policy

This policy supports compliance with UK GDPR Article 5(1)(e) - the storage limitation principle. It applies to all personal data held by Crowd Risk Analysis Ltd in connection with the AboutCrowds platform.

1. Purpose

We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by applicable law. This policy sets out our retention periods for each category of data and the process for secure deletion.

2. Retention Schedule

Account data:

  • User account records (name, email, date of birth): retained for the duration of active account plus 3 years after closure or last activity
  • Login and access logs: retained for 12 months, then deleted

Course and assessment records:

  • Course progress and completion records: 7 years from date of completion
  • Assessment scores and results: 7 years
  • Certificates issued: 7 years to support verification requests

Financial records:

  • Payment transaction records: 7 years in line with HMRC requirements
  • Invoice and purchase order records: 7 years

Communications:

  • Support and enquiry emails: 3 years after the last communication
  • Marketing opt-in records: until consent is withdrawn, plus 1 year for compliance purposes

Technical logs:

  • Moodle platform activity logs: 12 months
  • System error logs: 6 months

3. Deletion and Anonymisation

At the end of the relevant retention period, personal data will be securely deleted or anonymised. Anonymised data (which cannot be re-linked to an individual) may be retained indefinitely for statistical purposes. Deletion is carried out by Crowd Risk Analysis Ltd on an annual basis or as part of account closure requests.

4. Right to Erasure

Individuals may request early deletion of their data under the right to erasure (Article 17 UK GDPR). We will action such requests within one calendar month, unless retention is required by law — for example, financial records required under HMRC rules cannot be deleted early on request.

5. Data Held by Third Parties

Where data is processed by third parties on our behalf (e.g. Stripe, our hosting provider), those parties have their own retention policies. We ensure by contract that they do not retain data beyond what is necessary and that they comply with UK GDPR standards.

6. Review

  • Last reviewed: April 2026
  • Next review due: April 2027
  • Policy owner: Crowd Risk Analysis Ltd
Back
Back to top