Version 1.1 | 05 March 2026
This Data Retention Schedule sets out how long StoreNova Ltd ("StoreNova") retains personal data relating to Customers, Vendors, Couriers and Platform operations.
Retention periods are set in accordance with:
• UK GDPR
• Data Protection Act 2018
• HMRC tax record- keeping requirements (6 years)
• Companies Act 2006
• Limitation Act 1980 (contract claims up to 6 years)
• Food safety enforcement requirements
• Operational and fraud- prevention best practice
StoreNova deletes or anonymises data at the end of each retention period unless a legal obligation requires longer retention (e.g., litigation hold).
| Data Category | Description | Retention Period | Legal Basis / Reason |
|---|---|---|---|
| Customer Account Data | Name, email, contact details, login information, order history | 6 years from last activity | Companies Act 2006, HMRC retention rules, Limitation Act (contractual claims) |
| Vendor Account Data | Business information, contact details, compliance records | 6 years from account closure | HMRC records, contractual limitation period |
| Identity Documents (Vendor) | Passport, driving licence, KYC documentation | 6 years | Anti-fraud and AML verification, audit trail |
| Stripe Biometric Data | Face-matching templates used during ID verification | Not stored by StoreNova; deleted by Stripe | Stripe is the independent Data Controller |
| Data Category | Description | Retention Period | Reason |
|---|---|---|---|
| Customer Order Data | Order contents, delivery info, timestamps | 6 years | HMRC and audit requirements |
| Vendor Transaction Records | Payout logs, fees, commissions, earnings | 6 years | Financial compliance |
| Payment Metadata (Stripe) | Transaction IDs, card last4, auth tokens | 6 years | Chargebacks, fraud prevention, accounting |
| Refunds & Chargebacks | Refund reasoning, evidence, dispute logs | 6 years | Financial dispute obligations |
| Data Category | Description | Retention Period | Reason |
|---|---|---|---|
| Courier GPS Logs | Route details, timestamps | 90 days | Delivery investigations |
| Customer GPS Data | Real-time delivery tracking (permissioned) | 90 days | Fraud prevention, operational accuracy |
| Proof of Delivery Photos | couriers | 180 days | Dispute resolution |
| Delivery Contact Details | Phone number shared with courier | 24 hours post-delivery | Data minimisation |
Customer Name & Address (shared with Vendor): Required for order fulfilment - Vendor must delete within 24 hours of successful delivery - Strict minimisation under UK GDPR and Vendor Terms
Vendors are prohibited from retaining, storing, exporting, or re- using customer data.
| Data Category | Description | Retention Period | Reason |
|---|---|---|---|
| Customer Support Tickets | Chat logs, email requests | 6 years | Legal defence, audit |
| Vendor Support Tickets | Compliance communications | 6 years | Regulatory need |
| Dispute Evidence | Photos, screenshots, courier logs | Resolution + up to 24 months | Audit and fraud prevention |
| Data Category | Description | Retention Period | Reason |
|---|---|---|---|
| Soft Opt-In Marketing Data | Purchase + marketing flags | Until customer unsubscribes | PECR Regulation 22 |
| Email Marketing Logs | Delivery logs, unsubscribe logs | 24 months | PECR compliance |
| Explicit Consent Records | Third-party marketing consent | Until withdrawn + 24 months | ICO consent evidence |
| Suppression List Data | "Do not contact" list | Indefinitely | Required to prevent marketing after opt-out |
| Data Category | Description | Retention Period | Reason |
|---|---|---|---|
| Device Data | Device IDs, OS, model | 12 months | Debugging, optimisation |
| Crash/Error Logs | Server logs, crash dumps | 12 months | Engineering and security |
| Session Logs | Login attempts, session tokens | 12 months | Fraud monitoring |
| Aggregated/Anonymised Analytics | Non-personal usage statistics | Indefinitely | Not personal data |
| Data Category | Description | Retention Period | Reason |
|---|---|---|---|
| Fraud Flags | Suspicious activity indicators | 5 years | Fraud prevention |
| Blocked Vendor Accounts | Banned accounts, reasons | 6 years | Repeat-fraud prevention |
| Device Fingerprinting | Risk-scoring data | 2 years | Prevent evasion |
| Data Category | Description | Retention Period | Reason |
|---|---|---|---|
| KYC/AML Logs | ID verification metadata (non-biometric) | 6 years | AML laws, financial record-keeping |
| Complaint Logs | ICO/legal/customer complaints | 6 years | Regulatory expectations |
| Vendor Compliance Notes | Account warnings, strikes | 6 years | Platform integrity |
| Internal Billing & Ledger Data | Financial summaries | 6 years | Companies Act & HMRC |
Vendor and customer data may be accessed outside the UK. All international transfers are protected using:
• UK International Data Transfer Agreement (IDTA)
• UK Addendum to the EU Standard Contractual Clauses (SCCs)
StoreNova ensures all onward transfers provide equivalent UK GDPR protection.
At the end of the retention period:
Personal data is securely deleted, or Irreversibly anonymised so it is no longer personal data.
Data subject deletion requests are honoured unless a legal retention requirement applies (e.g., HMRC 6- year rules).
This Retention Schedule is reviewed every 12 months, or sooner if regulatory or operational changes require it.
Version Control: Version 1.1 | Date: 05 March 2026