Retention
Personal data is kept for as long as required by the processing purpose and statutory limitation periods, then erased, destroyed, or anonymised.
Separate retention rules apply to contact and application records as defined in our internal policies.
Security
Appropriate security measures guard against unauthorised access, disclosure, alteration, or destruction; access is limited on a role basis.
Incident management and continuity plans align with business continuity requirements.
Destruction and oversight
Data whose retention has expired is removed using secure destruction procedures; records are kept in an auditable manner.
Policies and practices are reviewed annually and updated where needed.