Data Retention Policy
Effective date: April 3, 2023
Overview
The need to retain data varies widely with the type of data. Some data can be immediately deleted, and some must be retained until reasonable potential for future need no longer exists.
How long do we keep data for?
We will only keep your personal data for as long as reasonably necessary to fulfil the relevant purposes set out in our Privacy Notice and in order to comply with our legal and regulatory obligations. Some data must however be retained in order to protect our legitimate business interests, preserve evidence or generally conform to good business practices. Some reasons for data retention include:
- Litigation
- Claims investigation
- Regulatory requirements
- Data security investigation
Retention Requirements:
The time period under which we retain your personal data will differ depending on the nature of the personal information and what we do with it. How long we keep personal data is primarily determined by our regulatory and legal obligations. We typically retain different categories of personal data, as follows:
- Quote inquiry information will be retained for 3 years.
- Policy and claims records will be held for 6 years from the end of our relationship with you.
- In cases of legal action we may be required to keep personal data for longer depending on the nature of the litigation and in accordance with the relevant Limitation period set down by Law.
- Critical data of whatever nature may be held for 6 years.
- Confidential data, including sensitive data will be retained for 7 years.
- Records of a Data Subject Access Request will be retained for no more than 6 years after the request.
Data Deletion:
In the absence of any legal requirement, personal data may only be retained for as long as necessary for the purpose of processing. This means data is to be deleted for example, when:
- The data subject has withdrawn consent to processing;
- A contract has been performed or cannot be performed any more, or;
- The data is no longer up to date.
Data destruction is a critical component of our data retention policy. When the retention period expires, we will actively destroy the data covered by the policy, including any duplicated data or data which has been encrypted.
We will not anonymise any retained data.