Data Retention and Disposal Policy

How long CompleteFlow keeps data, how data is securely deleted or returned at end of life, and how these obligations apply at contract termination.

Document: CF-POL-006
Version: 1.0
Classification: External / Customer-shareable
Last reviewed: 2026-02-27
Owner: Director and Information Security Officer, CompleteFlow Ltd
Next review: 2027-02-27

1. Purpose

This policy sets out how long CompleteFlow keeps data, how data is securely deleted or returned at end of life, and how retention and deletion obligations apply both to CompleteFlow Ltd as a business and to customer data processed through the CompleteFlow platform.

It implements the storage-limitation principle under UK GDPR Article 5(1)(e) and the integrity and confidentiality principle under Article 5(1)(f), in conjunction with CF-POL-002 Data Protection Policy.

2. Scope

  • Personal and business data processed by CompleteFlow Ltd as controller
  • Customer data processed by CompleteFlow as processor within customer Azure subscriptions
  • System logs, backups, and audit records
  • Physical records where held

3. Principles

  • Retain no longer than necessary. Data is retained only for as long as needed for the purpose for which it was collected, or as required by law or contract.
  • Customer control. For customer data processed through the platform, retention is configurable by the customer within the technical bounds of the system.
  • Structural minimisation. Customer data does not leave the customer's Azure subscription. CompleteFlow does not hold separate copies outside that subscription.
  • Secure deletion. Deletion uses methods that render data non-recoverable, consistent with NIST SP 800-88 media sanitisation guidance.
  • Documented. Deletion and return events are recorded and can be evidenced on request.

4. Customer data retention (processor)

4.1 Retention configurations

The default retention posture for customer data within a CompleteFlow deployment is:

| Data category | Storage | Default retention | Customer-configurable |
|---|---|---|---|
| Application data (users, workflows, conversations, documents) | Azure PostgreSQL (customer subscription) | Active for duration of contract; retained for agreed return/deletion period post-termination | Yes (contract-dependent) |
| Documents and generated outputs | Azure Blob Storage (customer subscription) | As above | Yes |
| Vector embeddings (RAG) | Azure PostgreSQL with vector indexing (customer subscription) | Linked to source document; deleted on source deletion | Yes |
| Session/cache state | Azure Cache for Redis (customer subscription) | Ephemeral (no disk persistence by default) | Yes |
| Application audit log | Azure PostgreSQL (customer subscription) | Duration of contract; available for customer export at termination | Yes |
| Azure Monitor technical logs | Azure Log Analytics (customer subscription) | 90 days hot, 12 months archived | Yes |
| PostgreSQL backups | Azure managed backup store (customer subscription) | Point-in-time restore up to 35 days | Yes (within Azure limits) |
| Azure OpenAI abuse-monitoring retention | Microsoft (customer region) | 30 days (default); can be eliminated under Limited Access Program | Via Microsoft LAP opt-out |

Customers may extend or shorten retention within the technical capabilities of the Azure services. Any bespoke retention requirement is agreed in the customer's deployment specification.

4.2 Deletion on customer request

CompleteFlow actions data deletion requests from the customer within 30 calendar days (or sooner if contractually specified). The process is:

  1. Customer raises a deletion request specifying scope (for example, a single document, a case, a user, or the entire deployment)
  2. CompleteFlow verifies scope and confirms the request with a named customer contact
  3. Deletion is performed within the customer's Azure subscription using the mechanisms in section 4.4
  4. Written confirmation is issued, identifying what was deleted, the mechanism used, the date of completion, and any residual data retained under legal or contractual obligation

4.3 Deletion on contract termination

At the end of the contractual return-and-deletion period following termination:

  1. A data return plan is agreed (format, destination, timing)
  2. Data is exported in industry-standard formats (PostgreSQL dumps for structured data; original file formats for documents; JSON for audit logs)
  3. Once return is acknowledged by the customer, deletion proceeds per section 4.4
  4. The customer's Azure subscription remains under customer control throughout; CompleteFlow access is revoked at the end of the return period

4.4 Secure deletion methods

  • Azure Blob Storage: soft-delete followed by immediate purge; where Customer-Managed Keys are used, cryptographic deletion via key destruction is available as an additional assurance step
  • Azure Database for PostgreSQL: row-level and schema-level deletion using SQL; vacuum operations reclaim space; point-in-time restore windows expire per section 4.1
  • Azure Cache for Redis: data is not persisted to disk by default; shutdown removes all in-memory state
  • Azure Log Analytics: retention-period-based purge; targeted customer-data purge via the workspace Data Purge API
  • Physical media: Microsoft's responsibility under the Azure service agreement; Azure data destruction conforms to NIST SP 800-88

4.5 Deletion certificates

CompleteFlow issues written confirmation of deletion on request. The confirmation identifies:

  • The scope of data deleted (dataset, date range, location)
  • The mechanism or methods used
  • The date of completion
  • Any residual data retained under legal or contractual obligation (for example, minimum audit-log retention mandated by sectoral regulation)

Microsoft's data destruction certificates for Azure infrastructure are available to customers via the Microsoft Trust Center.

5. CompleteFlow business data retention (controller)

Retention periods for data held by CompleteFlow Ltd as controller:

| Data category | Retention | Basis |
|---|---|---|
| Employee records | Duration of engagement + 6 years | Employment law, limitation, pension / tax |
| Payroll and tax records | 6 years from end of tax year | HMRC requirements |
| Training records | Duration of engagement + 3 years | CF-POL-001 section 7.3 |
| Background check records | Duration of engagement + 12 months | Data minimisation |
| Prospect and customer contacts | Active + 3 years after last contact, or on consent withdrawal | Legitimate interests / PECR |
| Contracts and DPAs | Duration + 7 years | Contractual limitation periods |
| Financial records | 6 years from end of tax year | Companies Act and HMRC |
| Marketing consent records | Duration of consent + 2 years | Demonstrable consent (UK GDPR / PECR) |
| Website analytics | Per privacy notice on completeflow.ai | Legitimate interests / consent |
| Incident records | 7 years | ICO and audit defensibility |

Where a legal hold or regulatory investigation requires retention beyond the scheduled period, affected records are preserved until the matter is concluded. Legal holds are logged and reviewed periodically by the Information Security Officer in consultation with legal counsel.

6. Secure deletion of business data

  • Electronic records: deleted using supported application or OS mechanisms, with supporting backups cycled out under normal backup rotation
  • Cloud services: deletion via service-provided APIs; confirmation retained where the service supports it
  • Local storage on managed devices: device wipe uses full-device reset; devices pending disposal are wiped to NIST SP 800-88 guidance by the MDM
  • Physical records: cross-cut shredding or secure confidential waste collection
  • End-of-life devices: secure disposal via an approved waste contractor with certificate of destruction

7. Backups

Backup data is subject to the same retention periods and security controls as production data. Backups are encrypted at rest, stored in the customer's Azure subscription (for customer data) or in CompleteFlow-managed stores (for business data), and cycled out per the configured retention window.

Where a customer requests deletion, residual copies may persist in backup for the duration of the backup retention window; these copies are not accessible for operational use, are subject to the same access controls, and age out automatically.

8. Exceptions

Exceptions to this policy require documented justification and approval by the Information Security Officer. Exceptions are logged in the risk register (CF-REG-001) and reviewed quarterly.

9. Document control

| Version | Date | Author | Change |
|---|---|---|---|
| 1.0 | 2026-04-24 | J. Griffin | Initial approved version |