OSCABEManaged Remote Employees

Data Retention Schedule

Version 2026.05Effective 1 May 2026Next review 1 May 2027

This Data Retention Schedule sets out how long OSCABE LTD retains each category of personal data we process. It implements Article 5(1)(e) UK GDPR / EU GDPR (storage limitation principle) and supports our Privacy Policy.

1. Operational records

| Category | Retention period | Trigger / source | | --- | --- | --- | | Active account data (Client, Engineer, Admin) | Lifetime of the account | Account closure starts the clock | | Closed-account profile and contact data | 6 years from closure | UK Limitation Act 1980; HMRC record-keeping | | Engineer CV, work records, assessment scores | 6 years from account closure | Statutory limitation + audit | | AI chat sessions (anonymous and signed-in) | 12 months from last activity, unless the user requests earlier deletion | Storage limitation; legitimate-interests log | | In-platform messages | 3 years from sending | Necessary to defend dispute claims |

2. Financial and tax records

| Category | Retention period | Trigger / source | | --- | --- | --- | | Invoices issued and received | 6 years from end of accounting period | Companies Act 2006 s388; HMRC VAT Notice 700/21 | | Payment records, Stripe payment metadata | 6 years | HMRC requirement | | Engineer payout records | 6 years | HMRC requirement | | Signed contracts (SignedContract table) | 7 years | Contractual claims under the Limitation Act |

3. Compliance and consent records

| Category | Retention period | Trigger / source | | --- | --- | --- | | Cookie consent records (ConsentRecord) | 24 months from last consent action | ICO PECR enforcement guidance | | Marketing consent records | 6 years from withdrawal | Evidential basis for "soft opt-in" defence | | Data subject request log | 3 years from completion | Accountability under Art 5(2) | | Breach incident log | 6 years from incident closure | Accountability + regulator audits | | Audit log of admin actions (AuditLog table) | 3 years | Internal accountability |

4. Technical / operational logs

| Category | Retention period | Trigger / source | | --- | --- | --- | | Web server access logs (IP, URL, status) | 90 days | Security and abuse investigation | | Application logs containing user IDs | 90 days | Security and abuse investigation | | Database backup snapshots | 35 days | Disaster recovery | | Error / observability traces | 30 days | Performance monitoring |

5. Special cases

  • Special category data voluntarily disclosed by Engineers (e.g. for reasonable adjustments during a platform test) is deleted within 12 months of the adjustment.
  • Account-closure data that is the subject of an ongoing legal dispute is retained until the dispute is finally resolved, then for 6 years from resolution.
  • Children's data: we do not knowingly collect any. Any inadvertently received is deleted within 30 days of detection.

6. Method of deletion

  • Records are hard-deleted from primary databases on schedule via automated retention jobs.
  • Backups containing personal data roll out of scope within 35 days.
  • Documents in offline storage are securely destroyed (cross-cut shred or certified electronic erasure to NIST SP 800-88).

7. Override - your right to earlier deletion

You may request earlier deletion at any time under Article 17 UK GDPR. We will action the request within one calendar month unless one of the Art 17(3) exemptions applies (for example, retention is required by law or to defend a legal claim). Where we cannot delete, we will restrict the data and explain why.

Request deletion at: info@oscabe.com or via the "Request deletion" button in your profile.