Get a quote

Data Retention Policy

Introduction

This data retention policy sets out the obligations of LTVplus, LLC (“LTVplus” or “us/we/our”)) and the basis upon which we shall retain, review and destroy data held by us, or within our custody or control.

This policy applies to our entire organisation including our officers, employees, agents and sub-contractors and sets out what the retention periods are and when any such data may be deleted.

Objectives

It is necessary to retain and process certain information to enable our business to operate. We may store data in the following places:

  • our own servers;
  • any third party servers;
  • potential email accounts;
  • laptops;
  • employee-owned devices (BYOD);
  • potential backup storage; and/or
  • our paper files.

This policy applies equally to paper, electronic media and any other method used to store personal data. The period of retention only commences when the record is closed.

We are bound by various obligations under the law in relation to this and therefore, to comply with the law, information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully in respect of their personal data under the General Data Protection Regulation (“the Regulation”).

The Regulation defines “personal data” as any information relating to an identified or identifiable natural person (a data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

This Policy sets out the procedures that are to be followed when dealing with personal data and how we aim to comply with the Regulation in so far as it is possible. In summary, the Regulation states that all personal data shall be:

a) processed lawfully, fairly, and in a transparent manner in relation to the data subject;

b) collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;

c) adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;

d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which they are processed, is erased or rectified without delay;

e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organizational measures required by the Regulation in order to safeguard the rights and freedoms of the data subject;

f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

The Fourth and Fifth Data Protection Principles require that any data should not be kept longer than necessary for the purpose for which it is processed and when it is no longer required, it shall be deleted and that the data should be adequate, relevant and limited for the purpose in which it is processed.

With this in mind, this policy should be read in conjunction with our other policies which are relevant such as our data protection policy and IT security policy.

Legal Basis for Processing

All personal data processed by LTVplus shall be done on one or more of the lawful bases defined under Article 6 of the GDPR:

  • Consent: When the data subject has given clear and explicit consent for their personal data to be processed for a specific purpose.
  • Contractual Necessity: When processing is necessary to fulfill a contract with the data subject or to take steps to enter into a contract.
  • Legal Obligation: When processing is necessary to comply with legal obligations (e.g. tax, employment laws)
  • Legitimate Interests: When processing is necessary for the legitimate interests pursued by LTVplus, LLC or a third party, provided these interests are not overridden by the rights and freedoms of the data subject.
  • Vital Interests: When processing is necessary to protect the vital interests of the data subject or another natural person.

The specific legal basis for each type of processing activity will be documented and maintained in our Data Processing Register.

Data Subject Rights

LTVplus is committed to ensuring that data subjects can exercise their rights under the GDPR.

Data subjects may exercise the following rights by contacting our Data Protection Officer.

Right to Access: Data subjects have the right to request a copy of the personal data we hold about them.

Right to Rectification: Data subjects have the right to request that we correct any inaccuracies or incomplete data.

Right to Erasure (“Right to be Forgotten”): Data subjects have the right to request that their personal data be deleted, subject to our legal obligations.

Right to Restrict Processing: Data subjects can request a restriction on the processing of their data under certain circumstances.

Right to Data Portability: Data subjects have the right to receive their personal data in a structured, commonly used, and machine-readable
format.

Right to Object: Data subjects may object to processing based on legitimate interests or direct marketing purposes.

Right to Withdraw Consent: Where processing is based on consent, data subjects have the right to withdraw consent at any time.

All requests will be responded to within one month, in accordance with GDPR. Complex cases may require an extension of up to two additional months, in which case the data subject will be notified of the delay and reasons.

Security and Storage

All data and records are stored securely to avoid misuse or loss. We will process all personal data we hold in accordance with our IT Security Policy or take appropriate security measures against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data.

We will put in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. Personal data will only be transferred to a data processor if there is agreement by them to comply with those procedures and policies, or if there are adequate measures in place.

Examples of our storage facilities are as follows:

  • Google
  • HighLevel
  • PeopleForce
  • Signwell
  • BetterProposals
  • TimeDoctor2
  • Stripe

We will maintain data security by protecting the confidentiality, integrity and availability of the personal data, defined as follows:

(a) Confidentiality means that only people who are authorised to use the data can access it.

(b) Integrity means that personal data should be accurate and suitable for the purpose for which it is processed.

(c) Availability means that authorized users should be able to access the data if they need it for authorized purposes.

Bring Your Own Device (BYOD) Security

To mitigate risks associated with personal devices used for work purposes, LTVplus enforces the following BYOD security protocols:

  • Remote Wiping: Devices must support remote wiping capabilities to ensure company data can be securely deleted in case of loss, theft, or employee departure.
  • Secure Network Access: Employees must only access company data over secure networks, such as VPNs or encrypted Wi-Fi connections, and avoid public or unsecured networks.
  • Device Authentication: Strong password or biometric authentication is required to access devices.
  • Data Separation: Company data must be stored separately from personal data on devices through secure containers or equivalent measures.
  • Policy Compliance: All BYOD users must agree to adhere to these protocols, and violations may result in restricted access to company systems.

Annual audits will be conducted to assess BYOD compliance and update protocols as necessary.

Data Transfers Outside the EU

Where LTVplus transfers personal data to countries outside the European Union or European Economic Area, such transfers will only occur under one of the following mechanisms, as required by GDPR:

  • The country has been deemed by the European Commission to provide an adequate level of data protection.
  • Standard Contractual Clauses (SCCs) have been implemented between LTVplus, LLC and the recipient to ensure an adequate level of data protection.
  • Binding Corporate Rules (BCRs) are in place where data is transferred within the same corporate group.
  • Other appropriate safeguards, as approved under GDPR, are in place.

We will ensure that all international data transfers are documented and conducted in accordance with Chapter V of GDPR.

Incident Management

In addition to managing personal data breaches, LTVplus will address all security incidents, including suspected or actual unauthorized access attempts. Our incident management process includes:

  • Detection and Reporting: Employees and contractors must report any suspicious activities, such as unauthorized access attempts, system vulnerabilities, or malware detections, to the IT Security Team immediately.
  • Investigation and Mitigation: The IT Security Team will promptly investigate all incidents, determine the scope and root cause, and implement measures to mitigate risks and prevent recurrence.
  • Documentation: All incidents, regardless of severity, will be logged in an incident management register, including details of the event, response actions, and lessons learned.
  • Notification: If an incident escalates into a breach involving personal data, notification procedures outlined in our Data Breach Policy will be followed.
  • Proactive Measures: Regular threat assessments and penetration testing will be conducted to identify and address vulnerabilities before they result in incidents.

This expanded scope ensures that non-breach events are treated with the same diligence as data breaches to protect our systems and data effectively.

Retention Policy

Data retention is defined as the retention of data for a specific period of time and for backup purposes.

We shall not keep any personal data longer than necessary, but acknowledge that this will be dependent on the different types of documents and data that we have responsibility for. As such, our general data retention period shall be for a period of 3 years. Our specific data retention periods are set out below.

Type of dataType of data subjectType of processingPurpose of processingType of recipient to whom personal data is transferredRetention periodData accuracy and minimisation review date
External Data such as name, gender, ethnicity, age and geographic data
Social Data such as job titles, work history, educational background, employment history, certifications, group memberships and professional connections
Tracking information such as email, physical address, telephone numbers, IP addresses and geographic information
Financial Information such as credit card numbers and bank accounts
Communication Information such as telephone recordings, voice mail and email		CustomersSales, MarketingEither as:
1) data processor on behalf of a data controller to fulfill a service request of the data controller or
2) data controller for human resources, general marketing, client acquisition or to fulfill a service request by the data subject		Data Controller, Sales & Marketing Team, Executive Management3 yearsOnce a year

External Data such as name, gender, ethnicity, age and geographic data
Social Data such as job titles, work history, educational background, employment history, certifications, group memberships and professional connections
Tracking information such as email, physical address, telephone numbers, IP addresses and geographic information
Financial Information such as credit card numbers and bank accounts
Communication Information such as telephone recordings, voice mail and email

Business contactsSales, MarketingEither as:
1) data processor on behalf of a data controller to fulfill a service request of the data controller or
2) data controller for human resources, general marketing, client acquisition or to fulfill a service request by the data subject		Data Controller, Sales & Marketing Team, Executive Management3 yearsOnce a year
External Data such as name, gender, ethnicity, age and geographic data
Social Data such as job titles, work history, educational background, employment history, certifications, group memberships and professional connections
Tracking information such as email, physical address, telephone numbers, IP addresses and geographic information
Financial Information such as credit card numbers and bank accounts
Communication Information such as telephone recordings, voice mail and email		EmployeesHR, PayrollEither as:
1) data processor on behalf of a data controller to fulfill a service request of the data controller or
2) data controller for human resources, general marketing, client acquisition or to fulfill a service request by the data subject		Operations Team, HR, Executive Management3 yearsOnce a year
External Data such as name, gender, ethnicity, age and geographic data
Social Data such as job titles, work history, educational background, employment history, certifications, group memberships and professional connections
Tracking information such as email, physical address, telephone numbers, IP addresses and geographic information
Financial Information such as credit card numbers and bank accounts
Communication Information such as telephone recordings, voice mail and email		ContractorsHR, PayrollEither as:
1) data processor on behalf of a data controller to fulfill a service request of the data controller or
2) data controller for human resources, general marketing, client acquisition or to fulfill a service request by the data subject		Operations Team, HR, Executive Management3 yearsOnce a year
External Data such as name, gender, ethnicity, age and geographic data
Social Data such as job titles, work history, educational background, employment history, certifications, group memberships and professional connections
Tracking information such as email, physical address, telephone numbers, IP addresses and geographic information
Financial Information such as credit card numbers and bank accounts
Communication Information such as telephone recordings, voice mail and email		Potential employeesTalent AcquisitionEither as:
1) data processor on behalf of a data controller to fulfill a service request of the data controller or
2) data controller for human resources, general marketing, client acquisition or to fulfill a service request by the data subject		Operations Team, HR, Executive Management1 yearOnce a year

Retention periods for personal data have been defined based on:

  • Regulatory Compliance: Certain records (e.g., financial records) are retained to comply with tax or employment laws.
  • Contractual Obligations: Data required for fulfilling contractual obligations (e.g.,employment or service agreements) is retained for the duration of the contract and an appropriate period thereafter.
  • Litigation and Risk Management: Data may be retained to address potential legal claims or disputes in accordance with applicable statutes of limitation.
  • Business Necessity: For operational purposes, data is retained for as long as required to meet business goals, provided that such retention aligns with GDPR principles of data minimization and storage limitation.

An annual review process will ensure that data retention schedules remain aligned with regulatory and operational requirements.

From time to time, it may be necessary to retain or access historic personal data under certain circumstances such as if we have contractually agreed to do so or if we have become involved in unforeseen events like litigation or business disaster recoveries.

Pseudonymization and Anonymization

To further safeguard personal data retained for archiving, historical, or statistical purposes, LTVplus will apply pseudonymization or anonymization techniques where feasible:

  • Pseudonymization: Personal data will be processed in such a way that it can no longer be attributed to a specific data subject without the use of additional information, which is securely stored and protected by technical and organizational measures.
  • Anonymization: When data is no longer required to identify individuals, it will be anonymized to ensure the permanent removal of any identifiers, rendering it no longer personal data under the GDPR.

These techniques will be applied particularly to archived or historical data that must be retained beyond the primary retention period for legal, research, or operational reasons.

Destruction and Disposal

Upon expiry of our retention periods, we shall delete confidential or sensitive records categorised as requiring high protection and very high protection, and we shall either delete or anonymize less important documents.

Our General Manager is responsible for the continuing process of identifying the records that have met their required retention period and supervising their destruction. The destruction of confidential, financial, and personnel-related records shall be securely destroyed electronically or by shredding if possible. Non-confidential records may be destroyed by recycling.

Data Protection Impact Assessments (DPIAs)

LTVplus conducts Data Protection Impact Assessments (DPIAs) for any processing activities that are likely to result in a high risk to the rights and freedoms of individuals, as required under Article 35 of the GDPR. Situations warranting a DPIA include, but are not limited to:

  • Systematic and extensive profiling or automated decision-making.
  • Large-scale processing of sensitive personal data.
  • Monitoring of publicly accessible areas, such as through CCTV.

The DPIA process involves:

  1. Identifying Risks: Assessing the potential impact of processing on data subjects’ privacy and security.
  2. Mitigation Measures: Implementing safeguards to address identified risks, such as encryption, access controls, or anonymization.
  3. Consultation with Authorities: Where residual risks remain high, the relevant supervisory authority (e.g., ICO) will be consulted before
    proceeding.

DPIAs will be documented and regularly reviewed to ensure continued compliance with GDPR requirements.

World-class customer service outsourcing for businesses of all sizes.

LTVplus is certified as a Great Place to Work in 2024-2025
LTVplus is a certified Gorgias partner
Solutions
Managed customer service
Remote staffing
Failed payments recovery
Shopping cart abandonment
Help desk setup
Roles we fulfill
Investment
Industry use cases
eCommerce
SaaS
Travel
Healthcare
Beauty & cosmetics
Online courses
Resources
Blog
eBooks & guides
Webinars
Case studies
Top live chat tools
The Let's Talk About CX podcast
Partnerships
Our partners
Partner program
Company​
About us
Careers
Contact us
LTVplus University
Our Brands
TaskDrive
Shortlist
upcoach
Managing Happiness
Love not Fear
Copyright © 2025 LTVplus, LLC
Terms of Service
Privacy Policy & Cookie Policy
Information Security Policy
Data Processing Agreement
Data Retention Policy
Do Not Sell Notice
Linkedin Facebook Twitter Instagram Tiktok Youtube