Data retention schedule · UK GDPR storage limitation
What we keep. For how long. Why.
UK GDPR Article 5(1)(e) — the storage-limitation principle — says we must keep personal data “no longer than is necessary”. This is our master schedule: every category of data we hold, the lawful basis, the retention period, and the source of the rule.
Last updated: 10 June 2026
| Category | What it is | Lawful basis | Retention | Source |
|---|---|---|---|---|
| Account & profile data | Name, email, business name, role, configuration choices | Performance of contract · Art. 6(1)(b) | Life of account + 30 days · then deleted from production · backups expire on 35-day rolling window | Internal |
| Authentication artefacts | Hashed passwords (legacy), passkey credentials, sign-in events, magic-link tokens | Performance of contract · Legitimate interests (security) | Active credentials: life of account · sign-in event log: 12 months · magic-link tokens: 60 minutes | Internal |
| Customer-data business content | Invoices, customers, employees, learners, projects, files — controlled by the business | Business is controller; we are processor under DPA | As long as the business keeps it · on business termination per DPA Clause 11 (30 days then deleted) | DPA Clause 11 |
| Invoicing & accounting records | YionStack invoices to customers, payment records, VAT submissions | Legal obligation · Art. 6(1)(c) | 6 years from end of accounting period | Companies Act 2006 · HMRC |
| Payroll & employee tax records | Internal payroll for our own staff (PAYE, NI, statutory pay) | Legal obligation · Art. 6(1)(c) | 3 years from end of tax year (HMRC) · 6 years for some payroll records | HMRC |
| Right-to-work documentation | Documents establishing right to work in the UK for our employees | Legal obligation · Art. 6(1)(c) | 2 years after employment ends | Home Office Code of Practice on Preventing Illegal Working |
| Support correspondence | Email threads, attached screenshots, ticket history | Performance of contract · Legitimate interests | 3 years from last contact | Internal |
| Audit logs (in-product) | Every user action with actor, timestamp, payload reference, outcome | Legitimate interests · Legal obligation | 7 years (rolling) — required for forensics and dispute resolution | Internal |
| Server / application logs | HTTP request logs, error reports, performance traces — operational data | Legitimate interests · Art. 6(1)(f) | 90 days · then deleted | Internal |
| Backups | Encrypted snapshots of the production database | Legitimate interests · Art. 6(1)(f) | 35-day rolling window · oldest snapshot rotated daily | Internal |
| Marketing list | Email address, opt-in source, unsubscribe state | Consent · Art. 6(1)(a) · PECR | Until you unsubscribe · proof of opt-out kept indefinitely (suppression list) | PECR |
| Cookie / analytics consent | The choice you saved on the cookie banner | Necessary · Art. 6(1)(b) for the consent record itself | Until you clear browser storage · consent should be re-asked every 12 months | PECR · ICO guidance |
| Anonymous analytics (if opted in) | Pseudonymous page views, feature usage | Consent · Art. 6(1)(a) | 13 months from collection · then deleted | ICO analytics guidance |
| CCTV / physical access logs | Not applicable — we do not operate CCTV or physical office access systems | — | — | — |
| Legal hold | Any data relevant to a live legal claim, regulatory investigation, or court order | Legal obligation · Legitimate interests | Until the matter is concluded + the relevant limitation period | Limitation Act 1980 · case-specific |
Where two retention periods conflict — for example, account erasure on request vs. statutory accounting retention — the longer statutory period wins, but we restrict processing to the legal-obligation purpose only.
Want a category that's not here?
Email privacy@yionstack.co.uk with the specifics. We update this page each time we add a new processing activity.
See also: data subject requests · DPA Clause 11 (termination & deletion).
Reference: ICO storage-limitation guidance