Important: Tradelynx introduces customers and independent traders. Any work contract is between customer and trader.
Legal · Data retention

Data retention schedule

How long we keep each category of data, and what triggers deletion. Read this with the Privacy Notice.

Last updated08 May 2026
Versionv1.4
Reading time5 min
JurisdictionEngland & Wales

1 · Our principles

This schedule explains the operational retention periods Tradelynx applies across production systems. Read alongside the Privacy Notice.

We may retain data for longer where a legal hold, active dispute, fraud investigation, security incident, regulatory inquiry, chargeback, or other legitimate need applies.

  • Minimisation — we don't ask for, or store, data we don't need to operate the platform.
  • Storage limitation — every category has a maximum lifetime tied to a clear lawful basis.
  • Auditability — every retention decision is logged and reviewed annually.

2 · Headline schedule

A visual summary of the main retention categories. The full row-by-row schedule is in section 3.

Category
Retention (months)
Basis
Customer / trader account
72 mo
UK Limitation Act 6y
Job records & messages
72 mo
UK Limitation Act 6y
Financial / VAT records
72 mo
HMRC 6y
Trader verification evidence
84 mo
Active + 7y post-closure
Trader compliance documents
84 mo
Active + 7y post-replacement
Telephony / SMS routine logs
12 mo
Operational
OTP / session security logs
12 mo
Security ops
Audit events (high-value)
72 mo
Legal defence
Marketing consent
Until withdrawn

3 · Detailed schedule

Each row of the schedule below is the operational retention applied to that data category, the rationale, and what we do at the end of the period.

Account and trader records

  • Customer account records. Active life of the account plus 6 years after closure (UK Limitation Act). Then deleted or irreversibly anonymised unless a legal hold or open dispute applies.
  • Trader account, onboarding, and compliance records. Active life plus 6 years after closure. Non-essential records deleted; only what is needed for legal/compliance reasons is retained.

Jobs and communications

  • Customer enquiries, routed leads, jobs, and timelines. 6 years from job closure, cancellation, expiry, or last substantive activity. Then deleted or anonymised where feasible, while preserving necessary finance/audit references.
  • Customer / trader messages and standard job attachments. 3 years from the last message or attachment activity, unless linked to an active dispute or legal hold. Then content is deleted or anonymised and storage objects expired.
  • Job completion photos and review photos. 6 years from job completion or review submission. Then deleted unless still needed for disputes, property-history entitlements, or legal defence.
  • Quote records and acceptance signatures. 6 years from quote acceptance, expiry, or closure (UK Limitation Act). Covers the quote, its line items, the append-only event log, and — where the customer chose to sign — the signature image and the signing IP / device captured as evidence of acceptance. Then deleted or anonymised unless a dispute or legal hold applies.
  • Support tickets and attachments. 3 years from ticket closure, or 6 years for tickets relating to a payment dispute, legal claim, or serious complaint. Routine tickets deleted or anonymised; escalated matters retained for the longer period.

Payments and entitlements

  • Payment, subscription, refund, billing-portal, and accounting records. 6 years from the end of the relevant financial year, or longer if tax/accounting law requires (HMRC).
  • Property-history purchases, entitlements, and report access logs. 6 years from expiry of the entitlement / subscription or the last report-access event.

Trader verification (DiDit-backed)

  • Property-owner verification requests and evidence links. Current request lifecycle plus 6 years from final decision or revocation.
  • Property documents uploaded by customers. Until deleted by the user or 6 years after the related property record becomes inactive (whichever is later), subject to legal hold.
  • Trader verification evidence processed through DiDit. Verification status / audit trail: active life plus 7 years after closure. Raw third-party verification evidence: active life plus 7 years after closure, then deleted. DiDit retains its own records per its data-processing agreement.
  • Trader-uploaded insurance / certification documents and AI-extracted metadata. Active life of the document plus 7 years after replacement, expiry, or account closure (whichever is later). Then raw files and extracted metadata are deleted; a minimal audit trail (document type, expiry date, decision, provider reference) is preserved.

Security, telephony, and audit

  • OTP, magic-link, session, and auth-security records. OTP codes and ephemeral auth artefacts: until expiry / consumption plus up to 30 days in operational tables or logs. Session and security logs: up to 12 months.
  • Telephony and SMS logs. 12 months for routine operational logs (no call recordings — Tradelynx does not record calls; telephony data is event logs only). Longer where needed for a complaint, security issue, or billing dispute.
  • Audit events, routing audit, payments audit, telephony audit, security logs. 12 months for routine operational logs; 6 years for high-value audit trails tied to payments, disputes, verification, or enterprise access.

Public-facing and enterprise

  • Launch-interest, contact-form, and labour-interest submissions. 24 months from submission unless converted into an active account, support ticket, or ongoing relationship.
  • Public trader profile data and public listing records. While publication is enabled, plus up to 12 months after depublication (backups, logs, search-engine propagation).
  • Enterprise / org accounts, webhooks, and API keys. Active relationship plus 6 years after termination.
  • Marketing consent. Until withdrawn.

4 · Deletion, suppression, anonymisation

Where possible, we prefer deletion of no-longer-needed personal data. Where deletion would undermine accounting, auditability, dispute handling, or legal compliance, we may instead suppress access, minimise fields, or irreversibly anonymise the data.

When data reaches the end of its retention period it is cryptographically erased from primary storage on the daily retention sweep, and from analytics warehouses within 7 days. Backups may persist for a limited operational period after live deletion and are overwritten on the normal backup cycle.

If data is subject to a legal hold or active dispute, deletion may be delayed until that matter ends.

5 · Supplementary notes

The following decisions have been confirmed by founder review:

  • Raw trader verification evidence is retained in Tradelynx for active period plus 7 years after closure, then deleted. DiDit retains its own records per its DPA.
  • Uploaded trader compliance documents (insurance certificates, Gas Safe cards, etc.) are retained in full for the active life of the document plus 7 years, then raw files and extracted metadata are deleted. A minimal audit trail (document type, expiry, decision) is preserved.
  • Enterprise contracts may specify longer retention periods. Where they do, the enterprise-specific terms take precedence for data processed under that contract.
  • Property-history records are not retained indefinitely. They follow the 6-year post-inactivity schedule and are then anonymised or deleted.
  • Tradelynx does not record calls. Telephony data is event logs (call start, duration, outcome) only.

You can request earlier deletion of personal data ahead of the schedule using your right to erasure. We will comply unless we have an overriding legal obligation. Submit a request from Account → Privacy → Erase my data, or email privacy@tradelynx.co.uk.