Data Retention Policy
Last updated: 6 March 2026
We keep data only as long as it serves a clear purpose. When that purpose ends, we delete it. This policy defines specific retention periods for every category of data we handle.
Standards we follow
Our retention practices are aligned with the storage limitation principle across multiple regulatory frameworks:
- GDPR Article 5(1)(e) — personal data must be kept no longer than necessary for its stated purpose
- ISO 27001:2022 Annex A, Control A.8.10 — information deletion when no longer required
- POPIA Section 14 — records of personal information must not be retained longer than necessary
- UAE PDPL Article 5 — data must be adequate, relevant, and limited to what is necessary
- Seychelles Data Protection Act — data must be kept only as long as is necessary for the purpose
Retention schedule
Website data
| Data category | Retention period | Deletion method |
|---|---|---|
| Contact form submissions | 24 months from submission | Automated deletion from email and storage systems |
| Newsletter subscriber emails | Until unsubscribe + 30 days | Removed from mailing list and backup systems |
| Analytics data | 14 months (Google Analytics default) | Automatic expiry per Google retention settings |
| Server access logs | 30 days | Automatic rotation and deletion by hosting provider |
Client project data
| Data category | Retention period | Deletion method |
|---|---|---|
| Source code and deliverables | Duration of engagement + 12 months | Transferred to client, internal copies deleted from repositories and backups |
| Project communications | Duration of engagement + 24 months | Deleted from email, messaging platforms, and project management tools |
| Client credentials and access keys | Duration of engagement only | Revoked and purged from secrets management systems within 7 days of project close |
| Invoices and financial records | 7 years (statutory requirement) | Retained in encrypted accounting systems per tax and financial regulations |
| Security assessment reports | Duration of engagement + 6 months | Securely deleted; client retains original deliverables |
Early deletion requests
You may request deletion of your personal data at any time by emailing hello@sey.pro. We will process deletion requests within 30 days, subject to:
- Legal obligations — financial records required by tax law cannot be deleted before the statutory period
- Legitimate interests — data necessary for the establishment, exercise, or defence of legal claims may be retained
When we delete data, we delete it from primary systems, backups, and any sub-processor systems. We confirm deletion in writing upon request.
Backups
Backup copies of data follow the same retention schedule as the primary data. When primary data is deleted, corresponding backup copies are purged within 30 days at the next backup rotation cycle. Backups are encrypted at rest using AES-256.
Policy review
This policy is reviewed annually and updated when retention periods change, new data categories are introduced, or regulatory requirements evolve. The "Last updated" date at the top reflects the most recent review.
Contact
For questions about data retention or deletion requests:
hello@sey.pro
Seypro · Victoria, Mahé, Seychelles
See also: Privacy Policy · Terms of Service