Data Retention Policy

This Data Retention Policy explains how long WriteTrack Ltd ("we", "us", "our") retains personal data collected through our AI-powered writing assessment platform for UK primary schools.

We are committed to retaining your data only for as long as necessary to provide our service, comply with legal obligations, and protect our legitimate interests. This policy complies with the UK General Data Protection Regulation (UK GDPR) Article 5(1)(e), which requires data to be kept for no longer than necessary.

This policy applies to all users: teachers, school administrators, pupils, and parents. It should be read alongside our Privacy Policy.

Our data retention practices are guided by the following principles:

Lawfulness and Fairness

We only retain data where we have a lawful basis (consent, contract, legal obligation, or legitimate interests).

Necessity and Proportionality

We retain data only for as long as required to fulfil the purpose for which it was collected, unless a longer retention period is required by law.

Storage Limitation

Personal data is securely deleted or anonymized when it is no longer needed, except where retention is required for legal, regulatory, or legitimate business purposes.

Transparency

Users are clearly informed about retention periods and can request deletion of their data at any time (subject to legal exceptions).

Data Minimization

We collect and retain only the minimum data necessary to provide our service effectively.

Active Accounts

Deleted Accounts

Financial Records

Backups

Email Communications

Technical and Security Data

We retain data based on the following lawful grounds under UK GDPR:

Contract Performance

We retain teacher accounts, pupil data, submissions, and feedback for the duration of your subscription to fulfill our contractual obligation to provide the WriteTrack service.

Legal Obligation

• Financial records retained for 7 years under UK tax law (HMRC requirement under Income Tax Act 2007 and VAT Act 1994)
• Audit logs retained for 3 years to demonstrate GDPR compliance (ICO guidance)
• Deletion request records retained as evidence of compliance with UK GDPR Article 17 (Right to Erasure)

Legitimate Interests

• Backups retained for 30 days for disaster recovery and business continuity (balanced against user deletion rights)
• Access logs retained for fraud prevention and security monitoring
• Support correspondence retained for quality assurance and dispute resolution

Consent

Handwriting samples (biometric data) are retained based on explicit consent and can be deleted at any time upon request.

We conduct Legitimate Interests Assessments (LIAs) to ensure our retention practices do not override your rights and freedoms. Children's data is never retained solely on the basis of legitimate interests.

We use secure deletion methods to ensure data cannot be recovered once deleted:

Hard Deletion (Not Soft Deletion)

• Personal data is permanently removed from our databases (not marked as deleted)
• Database records are physically deleted, not anonymized
• No recovery possible after deletion

Storage File Deletion

• Handwritten work images deleted from cloud storage (Supabase)
• Handwriting samples deleted from secure storage
• Files inaccessible immediately after deletion
• Physical deletion from storage within 30 days (backup cycle)

Third-Party Service Cleanup

• Stripe subscriptions cancelled immediately upon account deletion
• Google Gemini: No data stored (processing only, no retention)
• Resend: Email logs purged after 90 days

Cascade Deletion

When you delete your account, all associated data is automatically deleted through database cascade rules:

• Teacher deletion triggers deletion of all pupils, classes, tasks, submissions
• School admin deletion triggers deletion of entire school, all teachers, and all pupils
• No orphaned data left behind

You have the right to request deletion of your data at any time under UK GDPR Article 17 (Right to Erasure / "Right to be Forgotten").

Account Deletion Workflow

1. Log in to WriteTrack
2. Navigate to Settings → Danger Zone
3. Click "Delete Account"
4. Confirm deletion in dialog box
5. Receive confirmation email with secure link
6. Click email link to confirm final deletion
7. All data deleted within 30 days
8. Confirmation email sent upon completion

What Happens During Deletion

Timeline

• 0-24 hours: Deletion request received, confirmation email sent
• 24 hours: Email confirmation link expires (security measure)
• Upon confirmation: Data deleted from active databases immediately
• 30 days: Data purged from backups and fully deleted

Parents Requesting Deletion of Child Data

Parents can request deletion of their child's data by:

• Contacting the child's school/teacher directly
• Emailing us at privacy@writetrack.co.uk with child's name, year group, and school name
• We will process deletion requests within 30 days

Some data is automatically deleted without user action:

Subscription Cancellation

• When you cancel your subscription, your account enters a 30-day grace period
• During this period, you can reactivate your subscription and retain all data
• After 30 days without reactivation, all data is permanently deleted

Failed Payment Suspension

• If subscription payment fails, your account is suspended after 7 days
• Suspended accounts retain data for 30 days to allow payment update
• After 30 days without payment, all data is permanently deleted

Session Data

• Authentication cookies expire after 7 days of inactivity
• Session tokens automatically invalidated upon logout

Expired Tokens

• Password reset tokens expire after 1 hour
• Account deletion confirmation tokens expire after 24 hours
• Email verification tokens expire after 7 days

We maintain automated backups for disaster recovery and business continuity. Backups are subject to the following retention policy:

Backup Schedule

• Daily automated backups of all databases
• Backups retained for 30 days
• Backups stored in secure, encrypted storage
• Backups located in EU region (same as production data)

Deleted Data in Backups

• When you delete your account, data is immediately removed from active databases but may remain in backups for up to 30 days
• Backups are overwritten on a rolling 30-day cycle
• Deleted data in backups is inaccessible (not restored unless entire database recovery is required for disaster)
• After 30 days, deleted data is fully purged from all systems

Backup Restoration Policy

Backups are restored only in the event of catastrophic data loss or system failure. We do NOT restore individual user data after deletion. Deletion is permanent.

UK tax law requires businesses to retain financial records for extended periods. This is a legal obligation under UK GDPR Article 6(1)(c).

HMRC Requirements

• Income and expenses: 7 years (Income Tax Act 2007, Section 12B)
• VAT records: 6 years (VAT Act 1994, Section 31)
• PAYE records: 3 years (if applicable)

What We Retain

What We Do NOT Retain

• Full credit card numbers
• CVV codes
• Card expiry dates
• Banking details (handled by Stripe, PCI-DSS compliant)

Impact on Right to Erasure

When you delete your account, all personal data is removed except for financial records required by law. We will inform you of this exception during the deletion process. Financial records are securely stored, access-controlled, and deleted after 7 years.

We are committed to collecting and retaining only the minimum data necessary to provide our service effectively, in accordance with UK GDPR Article 5(1)(c).

What We Collect (Minimal)

• Pupil data: First name, last name, year group only (no addresses, dates of birth, or contact details)
• Teacher data: Name, email, school name only
• Usage data: Essential analytics only (anonymized where possible)

What We Do NOT Collect

• Home addresses
• Dates of birth
• Phone numbers (optional for account recovery)
• Social media profiles
• Behavioral tracking across websites
• Marketing preferences (no marketing emails sent)

Regular Data Reviews

We regularly review our data collection and retention practices to ensure we are not retaining unnecessary data. Any data found to be no longer needed is securely deleted.

We conduct regular reviews of our data retention practices to ensure ongoing compliance with UK GDPR and best practices.

Annual Policy Review

• Data Retention Policy reviewed annually (or when regulations change)
• Retention periods reassessed for necessity and proportionality
• Updates communicated to users via email and website notice

Quarterly Data Audits

• Audit of data retention practices every 3 months
• Identification of unnecessary data for deletion
• Review of backup and deletion procedures

Compliance Monitoring

• Ongoing monitoring of UK GDPR guidance from the ICO
• Updates to retention practices when laws or regulations change
• Training for staff on data retention and deletion procedures

Under UK GDPR, you have the following rights related to data retention:

Right to Access

Request a copy of all data we hold about you, including retention periods and categories.

Right to Rectification

Correct inaccurate or incomplete data. You can update your account details in Settings.

Right to Erasure

Request deletion of your data (subject to legal exceptions like financial records). Use the account deletion feature in Settings.

Right to Restrict Processing

Request we stop processing your data while verifying accuracy or assessing objections.

Right to Data Portability

Request a copy of your data in machine-readable format (JSON, CSV). Contact us to request data export.

Right to Object

Object to processing based on legitimate interests. Contact us to exercise this right.

How to Exercise Your Rights

• Account deletion: Settings → Danger Zone → "Delete Account"
• Other rights: Email privacy@writetrack.co.uk with your name, email, and the right you wish to exercise
• We will respond within 30 days

If you have any questions about our data retention practices or wish to exercise your rights, please contact us:

We aim to respond to all enquiries within 5 business days. For data subject rights requests, we will respond within 30 days as required by UK GDPR.

If you believe we have not handled your data in accordance with UK GDPR, you have the right to complain to the Information Commissioner's Office (ICO):