Data retention Policy

At Trabu, your privacy is our priority. This privacy policy outlines the types of information we collect, how we use it, and the steps we take to protect it.

Effective Date: 01.05.2024

Purpose of the Policy Trabu Technologies Ltd (“we”, “us”, “our”) is committed to complying with the UK GDPR and the Data Protection Act 2018. This Data Retention Policy outlines our approach to retaining and deleting personal data to ensure we meet our legal obligations and protect the privacy of our users.

Scope of the Policy This policy applies to all personal data processed by our employees, contractors, and third-party service providers. It encompasses all forms of data, including electronic and paper records.

Principles of Data Retention

  • Minimisation: We will only retain personal data that is necessary for the functioning of our services, such as user profiles, travel booking information, and data needed for handling disputes or legal claims.
  • Limitation: Personal data will not be kept longer than necessary for the purposes for which it was collected. We determine retention periods based on legal requirements (e.g., financial data retention for tax purposes typically for 6 years plus the current year), the purpose of data processing, and the need to resolve disputes or inquiries.

Retention Schedule

  • User Profiles and Data: Retained as long as the user’s account is active, with an annual review to determine if the data is still necessary. If the account is inactive for more than two years, the data will be reviewed for deletion or anonymization.
  • Transaction and Booking Data: Kept for seven years to comply with financial and legal obligations, after which it will be reviewed and either deleted or anonymized unless further retention is justified.
  • Marketing and Communications Data: Retained until the user opts out of such communications. Data will be deleted or anonymized within six months of opt-out to ensure data minimization.

Data Disposal and Anonymisation Upon reaching the end of its retention period, personal data will be securely deleted or anonymised. If data is anonymised, it will be processed in a way that the individual cannot be identified, thereby removing it from the scope of GDPR.

Review and Audit We will conduct regular reviews of the data we hold to ensure compliance with this policy. An audit will be performed annually to verify that all data is retained according to the defined schedules and disposed of when no longer needed.

Responsibilities

  • Data Protection Officer (DPO): Our DPO is responsible for overseeing the implementation of this policy and for managing compliance with GDPR.
  • Employees and Contractors: All our employees and contractors must understand and adhere to this policy. Training will be provided to ensure compliance with data handling and disposal procedures.

Changes to the Policy This policy may be updated to reflect changes in legal requirements or operational practices. Any changes will be communicated to all staff and relevant stakeholders.