Luura Finance Ltd
Data Retention Policy
1Purpose
This Data Retention Policy defines how Luura Finance Ltd retains, reviews, and securely deletes personal and business data. The policy ensures compliance with UK GDPR, the Data Protection Act 2018, and applicable Open Banking requirements.
Luura follows a data minimisation approach and retains personal data only for as long as necessary to provide its services, meet legal obligations, resolve disputes, maintain security, and fulfil legitimate business purposes.
2Scope
This policy applies to all personal data processed by Luura Finance Ltd, including:
- User account information
- Open Banking account and transaction data
- In-app user content, including mood entries, notes, and settings
- Usage and activity data
- Marketing and waitlist data
- Customer support communications
- Security and audit logs
- Business and operational records
3Retention principles
Luura will:
- Collect only data necessary to provide its services
- Retain data only for as long as required
- Periodically review retained data
- Securely delete data when no longer required
- Restrict access to retained data on a least-privilege basis
4Data retention periods
| Data type | Retention period |
|---|---|
| User account information | Duration of account plus up to 30 days following an account deletion request |
| Open Banking account and transaction data | Duration of active user consent. Following consent withdrawal, expiry, or account deletion, Open Banking data is deleted or anonymised within 30 days unless retention is required under Section 8. |
| In-app user content (mood entries, notes, settings) | Duration of account plus up to 30 days following a deletion request |
| Marketing and waitlist data (name, email, preferences) | Until the individual unsubscribes or withdraws consent, or 24 months after last engagement, whichever is sooner |
| Customer support enquiries | Up to 24 months after closure of the enquiry |
| Security and audit logs | Up to 12 months |
| Incident and security investigation records | Up to 6 years |
| Insurance, legal and regulatory records | Up to 6 years |
| Financial and accounting records | 6 years, or longer where legally required |
5Account deletion
When a user requests account deletion:
- Access to the account will be revoked.
- Open Banking connections and associated consents will be terminated where applicable.
- Personal data will be scheduled for deletion from production systems.
- Data will generally be deleted or anonymised within 30 days unless retention is required for legal, regulatory, fraud prevention, security investigation, or dispute resolution purposes.
6Secure deletion
Data that is no longer required will be securely deleted using the deletion mechanisms provided by Luura's platform and service providers.
Where data exists within backups, it will be removed in accordance with the backup retention schedules operated by the relevant service provider.
Data that has been irreversibly anonymised is no longer personal data and may be retained for analytical purposes.
7Access controls
Access to retained data is restricted to authorised personnel only and solely for operational, support, security, legal, or regulatory purposes.
Access permissions are reviewed periodically and removed when no longer required.
8Exceptions
Data may be retained beyond the periods stated in this policy where:
- Required by law or regulatory obligation
- Required for ongoing investigations
- Required for the establishment, exercise, or defence of legal claims
- Necessary for fraud prevention or security purposes
9Policy review
This policy will be reviewed at least annually and updated whenever there are significant changes to Luura's services, technology, legal obligations, or data processing activities.
Approved by
Kiesha Okeowo
Director
Luura Finance Ltd