Data Retention Policy
Last updated: 24 April 2026 — Draft pending solicitor review
This Data Retention Policy describes how long Rubo Ltd (“Rubo”) retains the categories of data we process. It supports our Privacy Policy and our DPA, and it is the reference our engineering and support teams use when responding to deletion requests.
Our principle is: keep data only as long as there is a lawful basis and operational need, and delete promptly after that period, subject to legal holds.
1. Retention schedule
| Category | Retention period | Rationale / basis |
|---|---|---|
| Broker account data (name, email, firm, role, audit trail) | 7 years after account closure | HMRC / UK Companies Act records-keeping; defence of legal claims |
| Billing records and invoices | 7 years | HMRC / VAT |
| Uploaded lease PDFs (default) | 2 years from upload | Operational usefulness; can be overridden per-tenant by the broker firm |
| Uploaded lease PDFs after deletion request | Deleted within 30 days | UK GDPR right to erasure |
| Chat messages (broker ↔ Rubo assistant) | 12 months rolling | Operational usefulness; short-term reference |
| Voice notes (WhatsApp / in-app) | 90 days | Transcription window; reduced sensitivity horizon |
| Knowledge-base entries | Lifetime of account + 30 days | Core operational content for the workspace |
| Data Room files uploaded by Customer | As set by Customer; default 2 years | Customer-managed resource |
| Training-opted-in data (anonymised, via Lease Donation Programme) | Indefinite (for model improvement) | Explicit opt-in consent; anonymised at ingestion |
| Email and WhatsApp transactional logs | 12 months | Operational, abuse prevention |
| Sentry error traces | 90 days | Debugging; auto-scrubbed of PII |
| Audit logs (admin actions, access, security events) | 24 months | Security / incident investigation |
| Backups (all databases) | 90 days rolling | Disaster recovery |
| Cookie-consent records | 12 months | PECR |
| Marketing list entries (website prospects) | Until unsubscribe + 30 days | PECR soft opt-in / consent |
| DPIA and risk-assessment records | 5 years | Accountability principle |
Categories not listed default to the shortest period necessary for the processing purpose.
2. Customer override
Broker firms can, in their workspace settings, shorten default retention for uploaded PDFs, chat messages, and voice notes. The shortest retention period wins — Rubo does not extend beyond Customer configuration.
Customers can also initiate an immediate deletion request from the workspace. Live-system deletion occurs within 30 days. Backup deletion occurs through natural backup expiry within 90 days.
3. Legal holds
If Rubo becomes aware of a credible legal claim, regulatory investigation, or preservation order, the affected data may be placed on a legal hold that suspends deletion until the matter is resolved. Holds are recorded, time-limited, and reviewed at least annually.
4. Anonymisation vs deletion
Where data can be irreversibly anonymised, Rubo may retain the anonymised derivative beyond the retention period for statistical, research, evaluation, and model-improvement purposes. Anonymisation follows ICO guidance: removal of direct identifiers, k-anonymity/l-diversity checks where feasible, and separation of keys. Anonymised data is outside the scope of UK GDPR but is nonetheless governed by this Policy for internal transparency.
5. Deletion process
- Deletion request received (self-service or via privacy@askrubo.ai).
- Identity / authorisation verified within 5 business days.
- Live-system deletion executed within 30 days, with confirmation to requester.
- Backups containing the data age out within 90 days. We do not restore backups to re-delete individual records unless obliged by law; the records are overwritten/expired with the backup cycle.
- An entry is recorded in the internal deletion log for accountability (record of request, verification, actions, dates).
6. DPIA review schedule
Rubo carries out a Data Protection Impact Assessment on high-risk processing (including new uses of AI training data) and reviews all DPIAs annually, or sooner where:
- A new sub-processor is added.
- A new feature materially changes the nature, scope, context, or purpose of processing.
- A material legal or regulatory change occurs (e.g. ICO guidance update, LAFRA SI commencement).
7. Exceptions
Where law, contract, or regulator direction requires longer retention (e.g. AML/KYC records at 5 years, tax records at 7 years, litigation preservation), the longer period applies and is documented in our records of processing.
Contact
Questions? Email legal@askrubo.ai (or privacy@askrubo.ai for privacy-specific).
Draft pending solicitor review. Rubo is a software tool, not a law firm.