Data Retention Policy

Last updated: 15 March 2026

1. Purpose

This policy outlines how AquaCompliance Ltd retains and manages personal data and confidential business information in accordance with UK GDPR and applicable regulatory obligations.

2. Scope

This policy applies to all data processed in connection with consultancy services, including:

  • client and contact data
  • technical and regulatory documentation
  • certification and testing-related information
  • commercial and contractual records

3. Data Categories & Retention Periods

Client & Contact Data

Includes names, email addresses, company details and communications.

Retention: Up to 6 years following the end of the business relationship.

Purpose:

  • contractual obligations
  • legal compliance
  • ongoing client support

Project & Technical Documentation

Includes:

  • product formulations and specifications
  • test reports and laboratory data
  • certification documentation
  • regulatory strategies and compliance records

Retention: 6 to 10 years, depending on project type and regulatory relevance.

Purpose:

  • regulatory traceability
  • client support
  • defence of potential claims

Financial Records

Includes invoices, payment records and accounting documentation.

Retention: 6 years in accordance with HMRC requirements.

Email Communications

Includes correspondence with clients, partners and prospects.

Retention: Up to 6 years, unless earlier deletion is requested and permitted.

4. Confidential Information

In line with AquaCompliance’s contractual obligations, including Mutual Non-Disclosure Agreements, confidential information is:

  • retained only as necessary for the agreed purpose
  • protected against unauthorised disclosure
  • securely deleted when no longer required, unless retention is legally required

5. Data Storage & Security

Data is stored securely using:

  • Microsoft 365 (Outlook, OneDrive, SharePoint)
  • restricted access controls
  • password-protected systems

Access is limited to authorised individuals only.

6. Data Deletion

Data will be securely deleted when:

  • retention periods expire
  • it is no longer required for business or legal purposes
  • a valid data subject request is received

7. Individual Rights

Individuals have the right to:

  • access their personal data
  • request correction or deletion
  • object to processing where applicable

Requests can be submitted to: lyates@aquacomplianceglobal.com

8. Policy Review

This policy is reviewed periodically to ensure continued compliance with legal and regulatory requirements.