Data Retention Policy
Data Retention Policy
Retention, deletion, and privacy compliance process
Company: Cartmell & Cartmell Communications (Pty) Ltd.
Cartmell & Cartmell Communications (Pty) Ltd. maintains a structured data retention and deletion process aligned with relevant privacy regulations, including POPIA and GDPR principles.
Scope: Client data, personal data, website data, hosting data, billing records, support communications, and backup data handled through company systems.
1. Purpose
This policy defines how long personal, client, operational, and service-related data is retained, protected, reviewed, and securely deleted.
2. Data Retention Principles
Data is retained only where necessary to:
- Deliver contracted services
- Support website, hosting, email, and domain operations
- Meet legal, tax, accounting, and regulatory obligations
- Resolve disputes and enforce service agreements
- Maintain security, audit, and operational records
3. Data Categories
This policy applies to the following data categories:
- Client account and contact information
- Website and hosting configuration data
- Domain registration and DNS related records
- Billing, invoice, and payment records
- Support requests, emails, and service communications
- Security logs, access logs, and monitoring records
- Backup files and recovery data
4. Retention Periods
Data is retained based on its purpose and legal requirement:
- Client account data: Retained for the duration of the client relationship and for a reasonable period after termination where required for service history, legal, or operational purposes.
- Financial and billing records: Retained as required by applicable tax, accounting, and company law obligations.
- Website and hosting data: Retained while services are active and removed or archived after service termination, subject to contractual and legal requirements.
- Domain registration records: Retained while domain services are active and where required by registry, registrar, or legal obligations.
- Support communications: Retained for service continuity, issue history, and dispute resolution.
- Backup data: Retained for operational recovery purposes only and removed according to backup rotation schedules.
- Security logs: Retained for monitoring, investigation, and risk management purposes.
5. Data Deletion Process
Data is deleted, archived, or restricted when:
- It is no longer required for the purpose it was collected
- A service agreement ends and no legal or operational reason remains to retain it
- A valid deletion request is received and approved
- The applicable retention period has expired
Where immediate deletion is not possible, data may be restricted, secured, or retained only for lawful purposes.
6. Legal and Regulatory Compliance
Data may be retained for longer where required for:
- Legal obligations
- Tax and accounting requirements
- Regulatory compliance
- Security investigations
- Fraud prevention
- Dispute resolution
- Contract enforcement
7. Privacy Rights
Data subjects may request:
- Access to their personal data
- Correction of inaccurate personal data
- Deletion of personal data where legally permitted
- Restriction of processing
- Confirmation of how their data is handled
Requests can be submitted through the company’s official contact channels.
8. Security of Retained Data
Retained data is protected using appropriate technical and organisational controls, including:
- Access control and role based permissions
- Secure hosting environments
- Firewall and security monitoring controls
- Backup and recovery procedures
- Authentication and login protection
- Regular system updates and patching
9. Backup Retention
Backup data is retained for operational recovery and disaster recovery purposes. Backup data may remain available for a limited period after deletion from live systems, depending on backup rotation and recovery schedules.
10. Review and Governance
This policy is reviewed regularly and updated where required due to changes in business operations, client requirements, legal obligations, or privacy regulations.
Assessment Response
Cartmell & Cartmell Communications (Pty) Ltd. maintains a Data Retention Policy and process designed to meet relevant privacy regulations. The policy defines data retention principles, retention periods, deletion processes, privacy rights, backup handling, and security controls for retained data.
