Data Retention and Deletion Policy

Version: 1.0
Effective Date: January 14, 2024

1. Introduction and Purpose

This Data Retention and Deletion Policy (the “Policy”) outlines VeroMotion’s commitment to securely retaining and deleting personal data processed on behalf of its customers (“Customer Personal Data”) through its SaaS products and services, including the Quallie platform (the “Services”). This Policy is designed to comply with applicable data protection laws, including the General Data Protection Regulation (GDPR) and the UK GDPR, and to uphold the principles of data minimization and storage limitation.

VeroMotion acts as a data processor for its customers. The Customer, as the data controller, is responsible for determining the purposes and lawful bases for processing Customer Personal Data and for providing VeroMotion with instructions regarding its retention and deletion.

2. Scope

This Policy applies to all Customer Personal Data processed by VeroMotion and its sub-processors in the course of providing the Services. It covers data stored in active systems, archives, and backups.

3. General Principles

  • Data Minimization: VeroMotion collects and processes only the Customer Personal Data that is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed on behalf of the Customer.
  • Storage Limitation: Customer Personal Data is stored for no longer than is necessary for the purposes for which it is processed, as instructed by the Customer, or as required by applicable law.
  • Accuracy: VeroMotion relies on the Customer to ensure the accuracy of the Customer Personal Data it provides.
  • Integrity and Confidentiality: Customer Personal Data is processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.

4. Retention Periods for Customer Personal Data

The retention periods for Customer Personal Data are primarily determined by the Customer’s instructions and their legal and business requirements. VeroMotion will retain Customer Personal Data for the duration of the Customer’s subscription to the Services and as necessary to fulfill the purposes for which the data was collected and processed on Customer’s behalf, unless otherwise instructed by the Customer in writing or required by applicable law.

Below are the retention periods for different categories of Customer Personal Data:

  • Customer User Records (Lists) stored in SaaS services: Deleted 30 days after account closure.
  • User Data stored in SaaS services (e.g., Project data, data extensions): If not deleted earlier by the user, a soft delete will occur after 5 years (data moved from app database to archive); a hard delete will occur after 10 years.
  • System Data and Logs with User Data from SaaS services: Retained for 5 years.

5. Deletion of Customer Personal Data

5.1. Deletion from Active Systems
Upon Customer’s written instruction (e.g., through Service functionality, API call, or direct request), or upon termination/expiration of the Agreement, VeroMotion will, and shall procure that its Sub-processors will, delete or return Customer Personal Data from active systems in accordance with the Customer’s instructions and this Policy. Deletion from active systems will occur as soon as reasonably practicable.

5.2. Deletion from Backups
Customer Personal Data contained in backup systems will be securely deleted, overwritten, or anonymized as soon as reasonably practicable following its deletion from active systems. Due to the nature of backup systems, immediate, instantaneous deletion from all backups may not be technically feasible.

Notwithstanding the above, VeroMotion commits to securely delete, overwrite, or anonymize Customer Personal Data from its back-up systems within a maximum of ninety (90) days from the date of deletion from active systems or the termination/expiration of the Agreement, whichever is later.

VeroMotion employs technical and organizational measures to ensure that Customer Personal Data in backups is isolated and inaccessible, except for purposes of disaster recovery or as required by law.

5.3. Confirmation of Deletion
Upon Customer’s written request, VeroMotion shall provide written confirmation of the deletion of Customer Personal Data from its systems, including backups, in accordance with this Policy.

6. Exceptions to Deletion

VeroMotion may be required to retain Customer Personal Data for longer periods than specified above if:

  • Retention is required by applicable law (e.g., tax, accounting, or regulatory obligations). In such cases, VeroMotion will limit the processing of such retained data solely to the purpose required by the applicable law.
  • The data is necessary for the establishment, exercise, or defense of legal claims.
  • The data has been aggregated or anonymized in such a way that it can no longer be linked to an identified or identifiable natural person. Anonymized data is no longer considered personal data and is therefore not subject to the retention and deletion obligations for personal data.

7. Policy Review

This Policy will be reviewed periodically (at least annually) and updated as necessary to reflect changes in legal requirements, industry best practices, or VeroMotion’s data processing activities. The current version will always be available at the URL specified in the DPA.