1. Purpose
This policy explains the principles DocRide applies when retaining and deleting personal data and customer tenant data. It supports UK GDPR storage limitation requirements.
2. Key principle
Customer OHS records are generally retained for as long as the customer keeps them in the platform, subject to legal, regulatory, audit, backup and contractual limits. Customers control the retention of most tenant records.
3. Retention schedule
| Record type | Default retention approach |
|---|---|
| Customer tenant data | Retained while the customer keeps the workspace active or until deleted/exported by the customer, subject to exceptions below. |
| Risk assessments, RAMS, method statements and safety plans | Customer-controlled; retained as long as the creator/customer keeps them or as required for safety, audit or legal evidence. |
| Incident, investigation and corrective action records | Customer-controlled; customers should retain according to legal, insurance and health and safety limitation periods. |
| Training, competence, qualification and certification records | Customer-controlled; retained while needed to evidence competence and compliance. |
| Consultant/auditor sign-off records | May be retained after submission as part of the customer safety, compliance and audit trail. A consultant cannot delete a sign-off given for a business document. |
| Account and subscription records | Retained during the account and for a reasonable period after closure for administration, dispute, security and legal purposes. |
| Billing and tax records | Normally retained for at least 6 years to meet UK tax and accounting requirements. |
| Support and correspondence records | Normally retained for up to 6 years where needed for contract, dispute, quality and audit purposes. |
| Security, access and audit logs | Retained for a period appropriate to security monitoring, investigation and compliance; longer where needed for incidents or disputes. |
| Backups | Retained for limited backup cycles and overwritten/deleted according to backup schedules, except where preservation is required. |
| Marketing records | Retained until opt-out, plus suppression records to ensure marketing is not sent again. |
4. Deletion requests and exceptions
Deletion may be refused, delayed or restricted where continued retention is necessary for legal obligations, legal claims, regulatory compliance, health and safety records, audit trails, security, fraud prevention, contractual enforcement, professional accountability, insurance, dispute resolution or the rights and freedoms of others.
5. Account termination
On termination, customers should export any required records before access ends. DocRide may delete, archive or retain customer data in accordance with the User Agreement, DPA, backup processes and this policy.