Legal
Data retention policy
Version 1.0 · Aligned with UK GDPR Art. 5(1)(e) storage limitation.
We keep personal data only as long as we need it, and for as long as UK law requires. This policy sets the retention periods for each category of data. Customers can override individual retention windows contractually where a legitimate business or legal reason applies (e.g. a fleet operator subject to a specific DVSA audit obligation).
| Data category | Retention period | Basis / obligation |
|---|---|---|
| Active customer account data | Duration of contract | Necessary to deliver the service (Art. 6(1)(b)) |
| Customer data after termination | 30 days, then hard-deleted | 30-day soft-delete window for accidental cancellation reversal, then erasure |
| PCN records + walkaround checks | 7 years | DVSA record-keeping obligation for commercial fleet operators |
| Billing and payment records | 7 years | UK Companies Act + HMRC record retention requirements |
| Audit logs (RBAC actions) | 2 years | Security monitoring + incident forensics |
| Webhook event log (Stripe, GoCardless) | 2 years | Reconciliation + dispute investigation |
| Application error logs (Sentry) | 90 days | Operational — PII is scrubbed by the SDK |
| Server / access logs (Vercel) | 30 days | Security investigation window |
| Marketing consent records | Until withdrawn + 6 years | Prove basis for lawful processing under PECR |
| Backup archives | 35 days (rolling) | Disaster recovery |
User-initiated deletion
Any user can request account deletion under UK GDPR Art. 17 from Settings → Privacy & Data. A 30-day reversal window applies to prevent accidental loss; after 30 days the data is hard-deleted from primary storage. Backups containing the erased data cycle out within a further 35 days, at which point the erasure is complete.
Enterprise customer deletion
On contract termination, 5nPay deletes all customer-controlled personal data within 30 days, excluding categories the Customer directs 5nPay to retain for a specified statutory purpose (e.g. DVSA audit records for commercial fleets), and excluding rolling backups which cycle out per the schedule above. A written deletion confirmation is available on request.
Log data
Application, access, and error logs are excluded from GDPR export because they are not personal data in the ordinary sense (they may contain user identifiers but not personal content). They are subject to the retention windows above and access is restricted to the on-call engineering team.
Contact
Retention queries and specific deletion requests: privacy@5npay.co.uk.