Data Retention Policy

This policy establishes guidelines for the retention and secure disposal of data within ThinkDeck. Our comprehensive approach ensures compliance with legal requirements while minimizing risks and maintaining necessary data for business operations.

Purpose

The purpose of this Data Retention Policy is to establish guidelines for the retention and secure disposal of data within ThinkDeck. This policy aims to ensure compliance with applicable legal and regulatory requirements, minimize risks associated with holding excessive data, and ensure that necessary data is available for business operations when required.

Scope

This policy applies to all data created, received, processed, and stored by ThinkDeck, regardless of format (electronic or physical) or location. This includes data held on ThinkDeck's systems, third-party services used by ThinkDeck, and employee devices where applicable.

Definitions

Data

Any information or records, in any format, that are created, received, or maintained by ThinkDeck in the course of its operations.

Personal Data

Any information relating to an identified or identifiable natural person.

Retention Period

The defined length of time that specific categories of data must be stored before they are eligible for secure destruction.

Destruction

The process of permanently deleting or destroying data in a manner that makes it irrecoverable.

Data Classifications

Confidential Data

Data that requires the highest level of protection from unauthorized access and disclosure (e.g., sensitive personal data, internal financial records).

Internal Data

Data intended for use within ThinkDeck and not generally made public, but less sensitive than Confidential Data.

Public Data

Data that can be freely disclosed without causing harm.

Note: This classification is for internal management; handling of Personal Data must always comply with privacy laws regardless of this internal classification.

Retention Periods

ThinkDeck retains data only for as long as necessary to fulfil the purposes for which it was collected, meet legal or regulatory obligations, resolve disputes, and enforce agreements. Standard retention periods for various data categories include:

Financial Records

8 years

Minimum of 8 years after the end of the fiscal year to which the records relate.

Employee Records

10 years

Minimum of 10 years after the employee's termination date, or as required by local labour laws.

Customer/User Data

2 years

After end of active relationship or account closure, unless a longer period is required for legal or business purposes (e.g., transaction records). Usage data may be retained longer in an anonymized or aggregated form for analytics.

Contracts & Agreements

3 years

Minimum of 3 years after the expiration or termination of the agreement, or longer if required by the contract terms or legal counsel.

Email Correspondence

2 years

Generally retained for up to 2 years, unless the correspondence is part of a record requiring a longer retention period.

Marketing Data

Variable

Records of consent to marketing are retained for as long as the individual is subscribed and for a reasonable period thereafter to demonstrate compliance. Marketing analytics data (often anonymized) may be retained longer.

Note: Specific legal or regulatory requirements may mandate longer retention periods for certain types of data. These stated periods serve as general guidelines.

Data Storage

  • Secure storage per security policies to prevent unauthorized access, alteration, or destruction.
  • Access to data should be restricted based on the data classification.
  • Principle of least privilege (only accessible to those who need it).

Data Destruction

Once the defined retention period for a specific category of data expires and provided there are no legal holds or exceptions (see Section 8), the data must be securely destroyed. The methods of destruction must ensure that the data is permanently irrecoverable:
  • Electronic Data: Must be permanently deleted from all systems, backups, and storage media using industry-standard data-wiping software or methods that render the data unrecoverable. Simply deleting files is not sufficient.

  • Paper Records: Must be securely shredded or incinerated.

  • Documentation: A record of the destruction process should be maintained where appropriate.

Exceptions

Legal or regulatory requirements mandating a longer retention period.

Data subject to a legal hold, litigation, investigation, or audit.

Data required for ongoing business operations that is explicitly documented and approved.

Any exception to this policy must be documented and approved by the designated authority, Ayush Sharma (or equivalent role such as CTO or Legal Counsel).

Key Responsibilities

CTO/Designated Authority

Oversees the implementation, enforcement, and compliance of this policy. Approves exceptions.

Department Heads

Responsible for ensuring that data within their respective areas is managed according to this policy and that their teams are aware of their responsibilities.

All Employees

Responsible for managing data (creating, storing, accessing, and disposing) in compliance with this policy and ThinkDeck's security guidelines.

Compliance

Mandatory Compliance

Compliance with this Data Retention Policy is mandatory for all employees and contractors of ThinkDeck.

Consequences of Non-Compliance

  • Disciplinary action up to and including termination
  • Contract termination for contractors
  • Legal and regulatory penalties for ThinkDeck

Review and Update

Annual Review Schedule

This Data Retention Policy will be reviewed annually or more frequently as needed.

Update Triggers

Legal & regulatory changes
Business operations evolution
Technology updates
New data types

Responsibility

The CTO / Designated Authority oversees the review and update process.

Approved by: Ayush Sharma

Compliance is mandatory for all employees and contractors