This Policy sets out how long Bernardine Ltd keeps different categories of personal data, and how that data is securely destroyed once it is no longer needed.
1. Principle
We keep personal data only for as long as necessary to fulfil the purpose for which it was collected, to meet legal obligations, or to defend legal claims. This Policy supports our Privacy Policy and the storage-limitation principle of the UK GDPR.
2. Retention Schedule
| Data category | Retention period | Reason |
|---|---|---|
| Enquiry / unsuccessful applicant data | 6 months | Follow-up, then deletion |
| Participant records & tracking sheets | Duration of Programme + 2 years | Support, references, certificates |
| Consent records | Duration + 2 years | Evidence of consent |
| Safeguarding records | Until participant turns 25 (if a minor), or longer per statutory guidance | Legal / safeguarding obligation |
| Financial & transaction records | 6 years | HMRC / Companies Act |
| Contracts & agreements | 6 years after expiry | Limitation Act 1980 |
| Marketing consent & data | Until consent withdrawn, reviewed every 2 years | Consent-based |
| Website analytics | 26 months | Standard analytics period |
| CCTV (if used) | 30 days | Security |
3. Safeguarding Records
Safeguarding records relating to under-18s are retained in line with statutory guidance — generally until the individual's 25th birthday, and longer where there is an ongoing concern or legal requirement. These records are stored securely with restricted access.
4. Secure Destruction
When data reaches the end of its retention period it is securely deleted or destroyed: electronic data is permanently erased; paper records are shredded. Processors are required to do the same under their data-processing agreements.
5. Review
Retention periods are reviewed at least annually and adjusted to reflect changes in law or guidance.