Data Retention Policy | Luura

Luura Finance Ltd

Data Retention Policy

Version
1.0
Effective date
10 June 2026
Owner
Kiesha Okeowo, Director
Review frequency
Annually, or following material changes to the business, regulatory requirements, or data processing activities

1Purpose

This Data Retention Policy defines how Luura Finance Ltd retains, reviews, and securely deletes personal and business data. The policy ensures compliance with UK GDPR, the Data Protection Act 2018, and applicable Open Banking requirements.

Luura follows a data minimisation approach and retains personal data only for as long as necessary to provide its services, meet legal obligations, resolve disputes, maintain security, and fulfil legitimate business purposes.

2Scope

This policy applies to all personal data processed by Luura Finance Ltd, including:

  • User account information
  • Open Banking account and transaction data
  • In-app user content, including mood entries, notes, and settings
  • Usage and activity data
  • Marketing and waitlist data
  • Customer support communications
  • Security and audit logs
  • Business and operational records

3Retention principles

Luura will:

  • Collect only data necessary to provide its services
  • Retain data only for as long as required
  • Periodically review retained data
  • Securely delete data when no longer required
  • Restrict access to retained data on a least-privilege basis

4Data retention periods

Data type Retention period
User account information Duration of account plus up to 30 days following an account deletion request
Open Banking account and transaction data Duration of active user consent. Following consent withdrawal, expiry, or account deletion, Open Banking data is deleted or anonymised within 30 days unless retention is required under Section 8.
In-app user content (mood entries, notes, settings) Duration of account plus up to 30 days following a deletion request
Marketing and waitlist data (name, email, preferences) Until the individual unsubscribes or withdraws consent, or 24 months after last engagement, whichever is sooner
Customer support enquiries Up to 24 months after closure of the enquiry
Security and audit logs Up to 12 months
Incident and security investigation records Up to 6 years
Insurance, legal and regulatory records Up to 6 years
Financial and accounting records 6 years, or longer where legally required

5Account deletion

When a user requests account deletion:

  • Access to the account will be revoked.
  • Open Banking connections and associated consents will be terminated where applicable.
  • Personal data will be scheduled for deletion from production systems.
  • Data will generally be deleted or anonymised within 30 days unless retention is required for legal, regulatory, fraud prevention, security investigation, or dispute resolution purposes.

6Secure deletion

Data that is no longer required will be securely deleted using the deletion mechanisms provided by Luura's platform and service providers.

Where data exists within backups, it will be removed in accordance with the backup retention schedules operated by the relevant service provider.

Data that has been irreversibly anonymised is no longer personal data and may be retained for analytical purposes.

7Access controls

Access to retained data is restricted to authorised personnel only and solely for operational, support, security, legal, or regulatory purposes.

Access permissions are reviewed periodically and removed when no longer required.

8Exceptions

Data may be retained beyond the periods stated in this policy where:

  • Required by law or regulatory obligation
  • Required for ongoing investigations
  • Required for the establishment, exercise, or defence of legal claims
  • Necessary for fraud prevention or security purposes

9Policy review

This policy will be reviewed at least annually and updated whenever there are significant changes to Luura's services, technology, legal obligations, or data processing activities.

Approved by

Kiesha Okeowo
Director
Luura Finance Ltd