Legal
Data Retention Policy
Last updated: May 2026
Plain-language summary
This policy explains how long we keep different types of data, what triggers deletion, and what stays in our system after deletion.
The pattern:
- While your account is active, we keep your data so the service works as you would expect.
- When you delete data (a recording, a tool run, your whole account), we remove the personal-identifying parts within 30 days from active systems and 90 days from backups.
- For some data (recordings, transcripts), we keep an anonymised version in our aggregate corpus indefinitely. Once anonymised, the data is no longer personal data under UK GDPR; we can use it for research, AI training, and aggregate insights without restriction.
- For some data (billing records), we keep it for a fixed period because tax law requires it.
1. Retention by data category
The tables below are the canonical reference. Each row covers one category of data, the retention period, and what happens when retention ends.
1.1 Account information
| Data | Retention | What happens at end |
|---|---|---|
| Email, password (hashed), name, university | While account is active | On account deletion: removed within 30 days active / 90 days backups |
| Phone number (when SMS verification is enabled) | While account is active | Same as above. Hashed retention for fraud-prevention may continue. |
| Marketing preferences | While active + 12 months after deletion | Erased after 12 months unless the user re-engages |
| Onboarding metadata | While account is active | Removed on account deletion. Anonymised version may be retained. |
| Account audit log | 24 months | Anonymised after 24 months |
1.2 User-provided content
| Data | Retention | What happens at end |
|---|---|---|
| CV uploads (file + parsed features) | While account is active | On user deletion request: 30/90 day deletion. Anonymised parsed-features may be retained. |
| Pasted JDs and programme descriptions | Session lifecycle + 12 months | Anonymised after 12 months for aggregate corpus. |
| Cover letters, application drafts, outreach drafts, LinkedIn audits, firm research, JD predictions | While account is active | On deletion request: 30/90 day deletion. Anonymised aggregate retention applies. |
| Coaching messages with Vyo | While account is active | Same as above. Used for coaching-quality training under broad licence. |
| Pipeline tracking entries | While active + 24 months after | Anonymised after 24 months. Outcome data is the highest-value training data. |
1.3 Recordings and biometric data
Treated separately because of Article 9 / BIPA / state biometric law.
| Data | Retention | What happens at end |
|---|---|---|
| HireVue practice recordings (audio + video) | Indefinite while account is active, or until you request deletion | On deletion: personal-identifier-stripped recording is anonymised and retained indefinitely; biometric identifiers destroyed within 30 days |
| Live mock interview recordings | Same as above | Same as above |
| Assessment Centre simulation recordings | Same as above | Same as above |
| Per-recording transcripts (text) | Same as above | Transcripts continue under broad licence after recording deletion |
| Voiceprints / faceprints | N/A | We do not produce or store voiceprints or faceprints for identification |
| Recording-consent audit rows | 7 years from creation (BIPA-compliant) | Audit rows retained for legal-defensibility window |
1.4 Behavioural and engagement data
| Data | Retention | What happens at end |
|---|---|---|
| Page views, click events, feature usage | 36 months | Aggregated and anonymised after 36 months |
| Session telemetry (pause/resume, tab switches) | 24 months | Aggregated after 24 months |
| Hashed device fingerprints | While active + 24 months | Removed after 24 months from last sign-in |
| IP address per session | 12 months | Anonymised (last octet truncated) after 12 months |
1.5 Payment and billing data
| Data | Retention | What happens at end |
|---|---|---|
| Subscription status, plan history | While active + 7 years (HMRC requirement) | Removed 7 years after account deletion |
| Stripe customer ID, last 4 digits of card | Same | Same |
| Invoices, receipts | 7 years from issue (HMRC) | Anonymised after 7 years |
| Stripe webhooks log | 24 months | Removed after 24 months |
1.6 Demographic survey (Article 9 explicit consent)
| Data | Retention | What happens at end |
|---|---|---|
| Ethnicity, gender identity, sexual orientation, religion, disability status, neurodiversity, socioeconomic background, household income | While account is active | Removed within 30 days of consent withdrawal or account deletion. Anonymised aggregate may be retained for diversity-insight datasets. |
1.7 Communications
| Data | Retention | What happens at end |
|---|---|---|
| Support tickets and emails | 36 months | Anonymised after 36 months |
| Marketing email send/open/click events | 24 months | Anonymised aggregates retained beyond 24 months for analytics |
1.8 Referral programme
| Data | Retention | What happens at end |
|---|---|---|
| Referral codes, referrals made | While active + 24 months | Anonymised aggregates retained for fraud-prevention beyond that |
| Bonus alert slots earned | While account is active | Forfeited on account deletion |
1.9 Logs and operational data
| Data | Retention | What happens at end |
|---|---|---|
| Application server logs | 90 days | Hard-deleted at 90 days |
| Database backups | 30 days rolling | Hard-deleted at 30 days |
| Object storage backups (R2) | 30 days rolling | Hard-deleted at 30 days |
| Security event logs | 24 months | Anonymised aggregates retained for fraud-prevention |
2. The post-Article-17 anonymisation pipeline
When you exercise the right to deletion under UK GDPR Article 17, we run a two-stage process:
Stage 1: personal-identifier removal (within 30 days)
We remove all of the following from active systems within 30 days of the deletion request:
- Direct identifiers: name, email, phone, IP address, device fingerprint, payment-card last-4
- Quasi-identifiers that singly or jointly could re-identify: precise birthdate, full postcode, full school name where the cohort is small, distinctive job-title strings, full LinkedIn URL
- For recordings: voice biometric markers and distinctive facial features (we do not retain faceprints)
This stage is a mandatory UK GDPR step. The data subject has the right to expect that their personal-identifying data is no longer associable with them after 30 days.
Stage 2: anonymisation and retention
After Stage 1, what remains is anonymised data:
- Recordings with stripped voice/facial identifiers: the audio + video is preserved at content level, but the biometric signals that could be matched to the original person are removed
- Transcripts with named entities replaced by placeholders ([USER_NAME] → "the candidate", university names normalised)
- Behavioural / engagement data with no remaining quasi-identifiers
- CV parsed-features with role / employer / education abstracted into categories rather than specifics
Anonymised data is retained indefinitely in our aggregate corpus. It is no longer personal data under UK GDPR Article 4(1) and is therefore outside the scope of erasure rights.
Stage 3: backups (within 90 days)
Backups created before the deletion request continue to exist on disaster-recovery snapshots until the standard 30-day backup-rotation window expires. Within 90 days of the deletion request, the personal-identifying data is gone from all backups. We do not promise instantaneous backup deletion; that would require breaking our disaster-recovery posture, which is itself a security obligation.
3. Re-identification testing
We commit to running re-identification testing on our anonymised corpus at minimum annually, and after any material change to:
- The anonymisation pipeline
- The data we collect (new fields)
- External datasets that could be combined with ours to re-identify
If re-identification becomes possible due to a new data combination, we re-anonymise the affected portion of the corpus before any further use, sharing, or licensing.
4. Account closure vs deletion: different things
It is important to distinguish:
- Account closure: you stop using Intervyo. Your account is deactivated, you can no longer log in, and your subscription cancels at the end of the billing period. Closure does NOT automatically delete your content. The broad licence in our Terms of Service §6 continues to apply to content you have already created.
- Deletion request (Article 17): you ask us to delete specific content or all of your data. We run the 30/90-day deletion + anonymisation pipeline above.
You can close your account without requesting deletion, and you can request deletion without closing your account. To delete everything: close the account AND request full deletion. Both options are available in account settings.
5. Legal hold
If we are required by court order, regulatory request, or legal process to retain specific data beyond the periods stated above, we will retain that data for the duration of the legal hold. We do not retain on speculative legal grounds; only on actual legal compulsion.
6. Vendor-side retention
Subprocessors retain data per their own retention policies and the DPAs we have with them. We require subprocessors to:
- Delete personal data within reasonable periods after we instruct them to (typically 30-90 days)
- Maintain backup-rotation policies consistent with industry standards (max 90 days)
- Notify us of any retention period that exceeds what we offer to users
The Subprocessor List documents per-vendor retention where it differs from the table above.
7. Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top reflects the most recent version. For material changes (changes to retention periods or the deletion pipeline that materially affect your rights), we will notify you by email; continued use after the change takes effect constitutes acceptance.
8. Contact
For deletion requests, retention queries, or to object to processing, contact admin@intervyo.co.uk.