Data Retention Policy

Last updated 5/11/2026

1. Purpose

This Data Retention Policy defines how Earnly Ltd (“Earnly”) retains, reviews, and securely disposes of data in accordance with:

  • UK GDPR

  • Data Protection Act 2018

  • HMRC record-keeping requirements

  • Open Banking standards

The objective is to ensure data is not retained longer than necessary, while meeting legal, regulatory, and operational requirements.

2. Scope

This policy applies to:

  • All personal data processed by Earnly

  • Financial and transactional data obtained via Open Banking

  • Data stored in internal systems, cloud infrastructure, and third-party services

  • Employees, contractors, and third-party processors

3. Data Retention Principles

Earnly applies the following principles:

  • Data minimisation: Only retain what is necessary

  • Purpose limitation: Data retained only for defined purposes

  • Time limitation: Data is deleted or anonymised when no longer required

  • Security: Retained data is protected appropriately

  • Auditability: Retention periods are documented and reviewable

4. Data Categories & Retention Periods

4.1 Customer Account Data

Includes:

  • Name, email, login credentials

  • Account preferences

Retention Period:

  • Retained for duration of active account

  • Deleted or anonymised within 12 months of account closure

4.2 Financial & Transaction Data (Open Banking)

Includes:

  • Bank account data (via authorised providers)

  • Transaction history

  • Income and expense records

Retention Period:

  • Retained while user account is active

  • Upon account closure:

      • Retained for up to 6 years to align with HMRC requirements

      • Then securely deleted or anonymised

4.3 Tax & Derived Data

Includes:

  • Tax calculations (Corporation Tax, VAT, Income Tax)

  • Forecasts and AI-generated insights

Retention Period:

  • Retained for 6 years (aligned with HMRC compliance)

  • May be anonymised for product analytics beyond this period

4.4 Technical & Usage Data

Includes:

  • IP address

  • Device/browser information

  • Platform usage analytics

Retention Period:

  • Retained for 12–24 months for analytics and security

  • Aggregated/anonymised thereafter

4.5 Support & Communication Data

Includes:

  • Emails

  • Support tickets

  • Chat logs

Retention Period:

  • Retained for 24 months

  • Extended if required for dispute resolution or legal matters

4.6 Marketing Data

Includes:

  • Email subscriptions

  • Marketing preferences

Retention Period:

  • Retained until user unsubscribes or withdraws consent

  • Deleted within 30 days of opt-out

4.7 Internal Operational Data

Includes:

  • Logs, audit trails

  • System access records

Retention Period:

  • Retained for 12–36 months depending on security requirements

5. Data Deletion & Anonymisation

When data reaches the end of its retention period, Earnly will:

  • Permanently delete data from live systems

  • Remove data from backups within standard backup cycles

  • Or anonymise data where retention is required for analytics

Deletion methods include:

  • Secure deletion protocols

  • Cryptographic erasure (where applicable)

  • Automated lifecycle policies

6. User-Initiated Deletion Requests

Users may request deletion of their data under GDPR rights.

Earnly will:

  • Process requests within 30 days

  • Delete data unless retention is required for:

      • Legal obligations

      • Ongoing disputes

      • Fraud prevention

7. Exceptions to Retention Periods

Data may be retained beyond standard periods where required for:

  • Legal claims or disputes

  • Regulatory investigations

  • Fraud detection and prevention

  • Compliance with statutory obligations

Such cases must be:

  • Documented

  • Approved by the Data Protection Lead

8. Third-Party Data Retention

All third-party processors (e.g. Open Banking providers, cloud services) must:

  • Adhere to contractual retention obligations

  • Delete or return data upon request

  • Comply with UK GDPR standards

9. Data Storage & Backups

  • Backups are encrypted and securely stored

  • Retention follows defined backup cycles (typically 30–90 days)

  • Expired data is purged automatically

10. Monitoring & Review

  • Retention schedules are reviewed annually

  • Automated controls are implemented where possible

  • Compliance is monitored as part of internal audits

11. Roles & Responsibilities

  • Data Protection Lead: Oversees retention compliance

  • Engineering Team: Implements deletion and lifecycle controls

  • All Staff: Ensure data is not retained unnecessarily

12. Policy Breach

Failure to comply with this policy may result in:

  • Internal disciplinary action

  • Regulatory exposure

  • Legal consequences

All breaches must be reported immediately.

13. Contact

For questions regarding this policy:

Email: support@earnly.co.uk

Company: Earnly Ltd