1. How We Apply This Schedule
This schedule explains the current operational retention periods Tradelynx intends to apply across production systems. It should be read with our Privacy Notice.
We may retain data for longer where a legal hold, active dispute, fraud investigation, security incident, regulatory inquiry, chargeback, or other legitimate need applies.
2. Retention Schedule
| Dataset | Retention period / trigger | Why | What happens after |
|---|---|---|---|
| Customer account records | While the account remains active and for 6 years after closure or last materially relevant activity | Contract administration, complaint handling, fraud prevention, and legal claims defence | Delete or irreversibly anonymise unless a legal hold or open dispute applies |
| Trader account, onboarding, and compliance records | While the trader account remains active and for 6 years after closure | Platform safety, contract administration, auditability, disputes, and claims defence | Delete or suppress non-essential records; retain only what is needed for legal/compliance reasons |
| Customer enquiries, routed leads, jobs, booking history, and core timelines | 6 years from job closure, cancellation, expiry, or last substantive activity | Operational history, customer/trader support, dispute handling, and legal defence | Delete or anonymise where feasible, while preserving necessary finance/audit references |
| Customer/trader messages and standard job attachments | 3 years from the last message or attachment activity, unless linked to an active dispute or legal hold | Service support, evidence of interactions, and moderation review | Delete or anonymise message content and expire storage objects where feasible |
| Job completion photos and review photos | 6 years from job completion or review submission | Evidence, support, dispute handling, and property-history linkage | Delete storage objects unless still needed for disputes, property-history entitlements, or legal defence |
| Support tickets and support attachments | 3 years from ticket closure, or 6 years where the ticket relates to a payment dispute, legal claim, or serious complaint | Support operations and complaint handling | Delete or anonymise routine tickets; retain escalated matters for the longer period |
| Payment, subscription, refund, billing portal, and accounting records | 6 years from the end of the relevant financial year, or longer if tax/accounting law requires | Accounting, tax, reconciliation, fraud prevention, and audit | Delete or minimise personal data while preserving required accounting records |
| Property-history purchases, entitlements, subscription records, and report access logs | 6 years from expiry of the entitlement/subscription or the last report access event | Access control, product auditability, fraud prevention, and entitlement disputes | Delete or anonymise access logs where no longer needed; preserve aggregated usage data if non-identifiable |
| Property owner verification requests and evidence links | Current request lifecycle plus 6 years from final decision or revocation | Ownership/access disputes, property-history access control, and auditability | Delete raw evidence where no longer needed and retain minimal decision/audit metadata if justified |
| Property documents uploaded by customers | Until deleted by the user or 6 years after the related property record becomes inactive, whichever is later, subject to legal hold | Home-record functionality and evidential continuity | Delete storage objects and linked metadata unless still required |
| Trader verification evidence processed through Didit | Verification status/audit trail: while account is active plus 7 years after closure. Raw third-party verification evidence: while account is active plus 7 years after closure, then deleted | Trust, fraud prevention, auditability, limitation period for contract and negligence claims, and insurer/lender due-diligence obligations | Delete raw evidence and retain minimal audit trail (pass/fail, date, provider reference) only |
| Trader uploaded insurance/certification documents and AI-extracted metadata | Active life of the document plus 7 years after replacement, expiry, or account closure, whichever is later | Compliance monitoring, trader trust, dispute handling, and limitation period coverage | Delete raw files and extracted metadata; retain minimal audit trail (document type, expiry date, decision, provider reference) |
| OTP, magic-link, session, and auth-security records | OTP codes and ephemeral auth artifacts: until expiry/consumption plus up to 30 days in operational tables or logs where applicable. Session/security logs: up to 12 months | Authentication, fraud prevention, and security investigation | Expire/delete ephemeral records and rotate logs in the normal security cycle |
| Telephony and SMS logs | 12 months for routine operational logs unless longer retention is needed for a complaint, security issue, or billing dispute | Troubleshooting, abuse prevention, and communications audit | Delete or minimise content and retain only redacted/aggregated operational metrics where feasible |
| Audit events, routing audit, payments audit, telephony audit, and security logs | 12 months for routine operational logs; 6 years for high-value audit trails tied to payments, disputes, verification, or enterprise access | Security, legal defence, platform governance, and enterprise accountability | Delete routine logs on schedule; retain only the audit subset needed for legal/compliance purposes |
| Launch-interest, contact-form, and labour-interest submissions | 24 months from submission unless converted into an active account, support ticket, or ongoing relationship | Follow-up, launch operations, and business development | Delete or anonymise unless a longer retention period is justified |
| Public trader profile data and public listing records | While publication remains enabled and for up to 12 months after depublication in backups, logs, and search-engine propagation cycles | Public directory operation and search visibility | Remove from live public pages and allow reindexing/deindexing to catch up; backup retention still applies |
| Enterprise/org accounts, org webhooks, and API key records | While the organisation relationship remains active and for 6 years after termination | Contracting, auditability, security, and B2B support | Delete or revoke keys and endpoints; keep minimal audit history where required |
3. Deletion, Suppression, and Anonymisation Rules
Where possible, we prefer deletion of no-longer-needed personal data. Where deletion would undermine accounting, auditability, dispute handling, or legal compliance, we may instead suppress access, minimise fields, or irreversibly anonymise the data.
Backups may persist for a limited operational period after live deletion and are overwritten on the normal backup cycle. If data is subject to a legal hold or active dispute, deletion may be delayed until that matter ends.
4. Supplementary Notes
The following decisions have been confirmed as of 31 March 2026:
- Raw trader verification evidence is retained in Tradelynx for the active account period plus 7 years after closure, then deleted. Didit retains its own records per its data processing agreement.
- Uploaded trader compliance documents (insurance certificates, gas safe cards, etc.) are retained in full for the active life of the document plus 7 years, then raw files and extracted metadata are deleted. A minimal audit trail (document type, expiry, decision) is preserved.
- Enterprise contracts may specify longer retention periods. Where they do, the enterprise-specific terms take precedence over the standard schedule for data processed under that contract.
- Property-history records are not retained indefinitely. They follow the 6-year post-inactivity schedule and are then anonymised or deleted.
- Tradelynx does not record calls. Telephony data consists of event logs (call start, duration, outcome) only.