Policies · Data Retention
Data Retention Policy
We keep data only as long as we need it — to do our job, comply with HMRC and AML laws, and defend ourselves in disputes. The longest we keep most things is 6 years; some types (call recordings, anonymous analytics) are deleted much sooner. When the period ends we delete or fully anonymise.
Why this policy
UK GDPR Article 5(1)(e) — storage limitation — requires that personal data is kept no longer than necessary. This policy sets the retention period for every category of data we hold, the legal basis for that period, and what happens when the period ends.
Core retention periods
Personal customer accounts: Active + 6 years after last shipment (contract + Limitation Act 1980). Customs declarations and supporting documents: 6 years (HMRC). AML / KYC records: 5 years from end of customer relationship or last transaction (Money Laundering Regulations 2017 reg. 40). Bookings, quotes, shipment files: 6 years from delivery. Bills of Lading, AWBs, CMR notes: 6 years from issue. Cargo insurance records: 6 years after policy expiry. Claims files: 6 years after closure. Financial accounts and tax records: 6 years after end of tax year (HMRC, Companies Act 2006).
Marketing and analytics
Marketing consent records: until withdrawn + 30 days (PECR / UK GDPR). Marketing analytics (anonymised): 14 months. Website cookies (analytics): 14 months (per cookie banner). Website session logs: 30 days warm, 6 months cold archive. Server / system logs: 6 months warm, 2 years cold archive. CCTV (premises): 30 days (ICO CCTV guidance).
AI voice call data
Raw audio (service calls): 90 days. Raw audio (complaint / claim related): 6 months. Raw audio (legal hold): until lifted. Transcripts (identifiable): 12 months. Intent labels and routing logs: 12 months. Conversation summary linked to customer: 6 years. AI training extracts (opt-in only): 24 months reviewed annually. Voiceprints / biometric embeddings: NOT STORED — see /policies/call-recording.
End of retention — what happens
Hard delete: default for personal data; logged in deletion register. Anonymisation: where data retains business value but identification no longer needed (e.g. aggregate shipment analytics). Archive (offline encrypted): where regulator may require recovery beyond active life. Return to data subject: on valid erasure or portability request. Return to controller: where we acted as processor for a customer. Deletion performed quarterly via automated job + manual review.
Backups, legal holds, security
Backups: daily incremental, weekly full. Retention: 35 days rolling. Deletion from production triggers deletion from backups within 35 days. Backups encrypted (AES-256), off-site + on-site. Legal holds: where litigation, regulatory investigation, or audit reasonably anticipated, affected records placed on legal hold — retention paused until DPO lifts hold in writing. Storage: UK / EU cloud, encrypted at rest, access-controlled. All processors sign DPAs, annual review.
Subject rights interaction
Erasure requests (right to be forgotten — UK GDPR Art 17) honoured unless exemption applies (legal obligation retention — HMRC, AML, sanctions; legal claims; public interest archiving). Where we cannot fully erase, we tell the data subject which records cannot be erased and why, restrict processing of those records to legal purpose only (no marketing, no analytics), and re-evaluate at end of each applicable retention period.
Last reviewed 2026-06-06.