Phone: 03301 333 013 Mobile: 07798 693 285 Email: info@ltcsoftware.co.uk

Data Retention & GDPR Policy

Account Deletion, Data Retention, and Customer Data Management

Overview

Last Updated: December 14, 2025 | Effective Date: December 14, 2025

This Data Retention & GDPR Policy outlines how LTC Software Ltd manages data retention, account deletion procedures, and GDPR compliance for your customer data. As a business customer, you are responsible for ensuring your use of our Services complies with applicable data protection laws when managing your end customers' data.

Related Policies:
• For information about how we handle your business account data, see our Privacy Policy
• For your end customers' GDPR rights (data access, deletion, etc.), see our Customer Data Protection Rights page

1. Account Deletion Timeline (Non-Payment)

In the event of non-payment or subscription cancellation, we follow a structured, defensible account deletion process that balances data protection obligations with legitimate business interests. This timeline ensures you have adequate opportunity to export your data while maintaining compliance with data protection regulations.

Day 0: Account Suspension

Status: Read-Only Mode

  • Account Access: Your account is immediately suspended and placed in read-only mode
  • Data Access: You can view all your data but cannot create, edit, or delete records
  • Notification: Email notification sent to account administrator with payment instructions
  • Service Interruption: All automated features (email campaigns, scheduled tasks) are paused
  • API Access: API access is restricted to read-only operations

Day 14–30: Data Export Window

Status: Export Available

  • Export Capability: Full data export functionality remains available through account settings
  • Export Formats: Data can be exported in CSV, JSON, and Excel formats
  • Included Data: All customer records, communication logs, email templates, and business documents
  • Reminder Notifications: Email reminders sent at Day 14, Day 21, and Day 28
  • Final Warning: Day 28 notification includes final warning before anonymization begins
  • Support Access: Limited support available for export-related queries only

Important: After Day 30, personal data will begin the anonymization process and cannot be recovered. Ensure you export all required data before this deadline.

Day 30–60: Personal Data Anonymization

Status: Anonymization in Progress

  • Anonymization Process: All personally identifiable information (PII) is systematically anonymized
  • Customer Data: Customer names, email addresses, phone numbers, and addresses are replaced with anonymized identifiers
  • User Data: Account user names and contact details are anonymized
  • Communication Logs: Email content and communication records are anonymized or deleted
  • Retained Metadata: Non-personal metadata (record counts, timestamps, categories) may be retained for analytics
  • Irreversible Process: Anonymization is permanent and cannot be reversed
  • Account Status: Account remains suspended with no login access

Day 60+: Full Deletion of Customer Data

Status: Permanently Deleted

  • Complete Deletion: All remaining customer data is permanently deleted from production systems
  • Database Purge: Customer records, communication logs, and uploaded files are removed from databases
  • Backup Retention: Data may persist in encrypted backups for up to 90 days before complete purge
  • Account Termination: Account is permanently closed and cannot be reactivated
  • Deletion Confirmation: Final email confirmation sent to account administrator
  • Audit Trail: Deletion event is logged in our audit system (see Data Retention Policy below)

Reactivation During Deletion Timeline

Before Day 30: You can reactivate your account at any time by settling outstanding payments. All data will be immediately restored to full functionality.

After Day 30: Reactivation is not possible as personal data has been anonymized. You would need to create a new account and re-import your data from exports.

2. Data Retention Policy

Even after account deletion, certain business records must be retained to comply with legal obligations, tax regulations, and legitimate business interests. This section outlines what data we retain, for how long, and why retention is necessary.

Legally Required Retention

The following data is retained beyond account deletion to comply with UK tax law, accounting standards, and regulatory requirements. This retention is legally defensible and necessary for business operations.

Invoices & Financial Records

Retention Period: 7 years

  • All invoices, receipts, and payment records
  • Subscription billing history and transaction logs
  • VAT records and tax documentation
  • Credit notes and refund records

Legal Basis: UK tax law requires businesses to retain financial records for a minimum of 6 years from the end of the accounting period. We retain for 7 years to provide a safety margin and comply with HMRC requirements.

Contract Metadata

Retention Period: 7 years

  • Service agreement details (dates, terms, pricing)
  • Subscription plan information
  • Account creation and termination dates
  • Business name and registration details
  • Anonymized user count and feature usage statistics

Legal Basis: Contract metadata is retained for legal compliance, dispute resolution, and to defend against potential claims. Personal contact details are anonymized, but business relationship records are maintained.

Deletion Audit Log

Retention Period: Indefinite

  • Date and time of account deletion
  • Deletion method (non-payment, user request, etc.)
  • Anonymized account identifier
  • Data categories deleted
  • Confirmation of deletion completion

Legal Basis: Audit logs demonstrate GDPR compliance and provide evidence of proper data handling. These logs contain no personal data and serve as proof of our data protection practices.

Data Permanently Deleted

The following data is permanently deleted during the account deletion process and is not retained:

  • Customer Personal Data: All customer names, email addresses, phone numbers, and addresses stored in your CRM
  • Communication Content: Email content, message history, notes, and communication logs
  • Uploaded Files: Documents, images, attachments, and business files uploaded to the platform
  • User Personal Data: Account user names, email addresses, and profile information (except as required for invoices)
  • Custom Templates: Email templates, custom fields, and personalized configurations
  • Activity Logs: Detailed user activity logs and session histories

3. Customer GDPR Compliance (Your Responsibilities)

As a business customer using our CRM platform to manage your own customers' data, you act as a Data Controller under GDPR. LTC Software Ltd acts as a Data Processor on your behalf. This section outlines your GDPR obligations when using our Services.

Important: You are responsible for ensuring your use of our Services complies with GDPR and other applicable data protection laws. We provide the tools and infrastructure, but you control how customer data is collected, used, and managed.

Your GDPR Obligations as Data Controller

  • Lawful Basis for Processing: Ensure you have a lawful basis (consent, contract, legitimate interest, etc.) for collecting and processing your customers' personal data
  • Privacy Notices: Provide clear privacy notices to your customers explaining how their data will be used, including that it will be processed using LTC Software Ltd's CRM platform
  • Consent Management: Obtain and manage appropriate consents for marketing communications, data processing, and third-party sharing
  • Data Minimization: Only collect and store customer data that is necessary for your business purposes
  • Data Accuracy: Keep customer data accurate and up-to-date, and provide mechanisms for customers to update their information
  • Customer Rights: Honor your customers' GDPR rights including access, rectification, erasure, restriction, portability, and objection
  • Data Breach Notification: Notify affected customers and supervisory authorities within 72 hours of discovering a data breach
  • Data Protection Impact Assessments: Conduct DPIAs for high-risk processing activities

Tools We Provide for GDPR Compliance

LTC Software Ltd provides features and tools to help you meet your GDPR obligations:

  • Data Export: Export customer data in machine-readable formats (CSV, JSON) to fulfill data portability requests
  • Data Deletion: Delete individual customer records or entire datasets to honor erasure requests
  • Consent Tracking: Record and manage customer consents for marketing and data processing
  • Communication Logs: Maintain audit trails of customer communications for accountability
  • Unsubscribe Management: Automated unsubscribe handling for email campaigns
  • Data Encryption: All customer data is encrypted in transit and at rest
  • Access Controls: Role-based permissions to limit data access to authorized personnel only

Recommended GDPR Best Practices

Regular Data Audits

Periodically review the customer data you're storing and delete records that are no longer necessary for your business purposes.

Clear Privacy Policies

Maintain transparent privacy policies that clearly explain how you collect, use, and protect customer data.

Staff Training

Train your team on GDPR requirements and proper data handling procedures to minimize compliance risks.

Documented Processes

Document your data processing activities, retention policies, and procedures for handling customer rights requests.

4. Account Data Access Requests

You have the right to request a copy of your account data at any time. While standard data exports are available free of charge through your account settings, comprehensive data access requests that require manual processing and additional resources are subject to administrative fees.

Self-Service Data Export (Free)

You can export your data at any time through your account settings at no cost:

  • Customer Records: Export all customer contact information in CSV or Excel format
  • Communication Logs: Download email history and communication records
  • Email Templates: Export custom email templates and campaigns
  • Business Documents: Download uploaded files and attachments
  • Account Settings: Export configuration and preference data

How to Export: Navigate to Account Settings > Data Export and select the data categories you wish to download. Exports are typically generated within minutes for standard datasets.

Comprehensive Data Access Requests (Chargeable)

If you require a comprehensive data access request that goes beyond standard exports, we may charge an administrative fee to cover the costs of manual processing, data compilation, and delivery. This applies to requests that require:

  • Historical Data Retrieval: Accessing archived or backup data from previous periods
  • Custom Data Formats: Data delivery in specialized formats or structures not available through standard exports
  • Deleted Account Data: Retrieving data from recently deleted accounts (within backup retention period)
  • Forensic Analysis: Detailed audit trails, system logs, or technical metadata requiring manual extraction
  • Large-Scale Requests: Requests involving extensive data volumes requiring significant processing resources
  • Legal/Regulatory Requests: Data requests related to legal proceedings or regulatory investigations requiring certified copies

Data Access Request Pricing

Request Type | Processing Time | Fee
Standard Self-Service Export | Immediate to 1 hour | Free
Basic Comprehensive Request (historical data, custom formats, up to 10GB) | 5-10 business days | £150
Advanced Comprehensive Request (forensic analysis, system logs, large datasets, 10GB+) | 10-15 business days | £350
Legal/Certified Request (certified copies for legal proceedings) | 15-20 business days | £500+

Note: Fees are charged to cover the actual costs of manual processing, staff time, and technical resources required to fulfill complex requests. We will provide a detailed quote before processing any chargeable request. Payment is required before data delivery.

How to Submit a Data Access Request

To submit a comprehensive data access request:

  1. Email Request: Send your request to data@ltcsoftware.co.uk
  2. Include Details: Specify the data categories, time periods, and format requirements
  3. Identity Verification: We will verify your identity and account ownership
  4. Quote Provision: We will assess the request and provide a detailed quote (if chargeable)
  5. Payment (if applicable): Pay the quoted fee via invoice
  6. Data Delivery: Receive your data via secure download link or encrypted email

Response Time: We will acknowledge your request within 2 business days and provide an estimated completion timeline. Standard GDPR access requests (free self-service exports) are fulfilled immediately. Comprehensive requests may take 5-20 business days depending on complexity.

5. Contact Information

For questions about data retention, account deletion, GDPR compliance, or data access requests, please contact us using the details below.

Response Times: We aim to respond to all data protection inquiries within 5 business days. Formal GDPR requests will be processed within the legally required timeframes (typically 30 days).

Questions about Data Retention or GDPR?

Our data protection team is here to help you understand your obligations and our policies.