Data Retention & Deletion Policy
Last updated: 29 June 2026
Blackwellen Ltd (Company No. 16482166 · ICO Registration ZC160806) trading as Propvora
1.Purpose and Scope
This Data Retention & Deletion Policy explains how long Blackwellen Ltd (Company No. 16482166) trading as Propvora (“Propvora”, “we”, “us”, “our”) keeps the personal data we hold, and how and when we delete it. Our registered office is at 61 Bridge Street, Kington, England, HR5 3DJ, and we are registered with the Information Commissioner’s Office (ICO) under registration number ZC160806.
This policy applies to all personal data processed through the Propvora platform (the “Service”), whether we process it as a controller in our own right (for example, account and billing data) or as a processor on behalf of our business customers (for example, the tenant, landlord, and supplier data stored within a customer workspace).
This policy should be read together with our Privacy Policy, which describes what personal data we collect and why, and our Data Processing Agreement, which governs the controller and processor relationship for business customers. Where there is any inconsistency between this policy and a signed agreement with a business customer, the terms of the signed agreement prevail to the extent of that inconsistency.
2.Our Retention Principles
The UK General Data Protection Regulation (UK GDPR) sets out a “storage limitation” principle at Article 5(1)(e): personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which it is processed. We take this principle seriously and apply the following standards across the Service:
- We keep personal data only for as long as it is reasonably necessary to fulfil the purposes for which it was collected, including providing the Service to our customers.
- Where the law requires us to retain certain records for a defined period (for example, tax, accounting, or anti-money-laundering obligations), we keep that data for the period required and no longer than necessary thereafter.
- We set defined retention periods for each category of personal data, as described in the retention schedule below, and we review these periods periodically.
- When a retention period ends, or when personal data is no longer needed, we delete it, anonymise it, or securely destroy it in accordance with this policy.
- We do not keep personal data “just in case” it might be useful in the future. Retention must always be justified by a current purpose or a legal obligation.
Retention periods are guidelines that reflect the maximum period for which we ordinarily hold each category of data. Where data is no longer needed before the stated period elapses, we may delete it sooner.
3.Retention Schedule
The table below sets out the categories of personal data we hold, how long we ordinarily retain each category, and the rationale for that retention period. Where a category is held within a customer workspace, the business customer (as controller) may set shorter retention practices through their own use of the Service.
| Data category | Retention period | Rationale |
|---|---|---|
| Active workspace data (properties, tenancies, contacts, documents) | For the life of the account | Needed to provide the Service to the customer for as long as their account is active |
| Account and profile data | Life of account + up to 30 days after closure | Supports a wind-down and data export window before permanent deletion |
| Billing and invoice records | 7 years | Required by UK tax and accounting law (HMRC record-keeping rules and the Companies Act 2006) |
| Support and complaint correspondence | Up to 3 years | Service quality, training, and the handling of disputes or complaints |
| Security and audit logs | 12 months (extendable while an investigation is active) | Security monitoring, abuse prevention, and the protection of legal rights |
| Marketing contacts and consent records | Until consent is withdrawn + 2 years proof of consent | Compliance with PECR and the UK GDPR accountability principle |
| AI usage and audit logs | Up to 24 months | Usage metering, billing accuracy, and abuse prevention |
| Backups | Rolling 30-day cycle | Disaster recovery; deleted data persists in backups until the cycle completes |
The periods above may be extended in specific circumstances where we are required to retain data to establish, exercise, or defend legal claims, to comply with a court order or a regulator’s request, or to fulfil a continuing legal obligation. Where this happens, we ring-fence the data so that it is used only for that purpose and is deleted once the purpose has been satisfied.
4.Account Closure and Deletion
When a customer closes their account, or when their subscription ends and is not renewed, we begin a structured wind-down of their workspace data:
- Export window: We provide a 30-day window from the date of closure during which the customer can log in to export their workspace data using the in-app export tools. We recommend customers export everything they wish to keep before this window closes.
- Permanent deletion: After the 30-day export window ends, we permanently delete the personal data held within the closed workspace from our live production systems.
- Backups: Copies of deleted data may persist in our encrypted backups until the rolling 30-day backup cycle completes, after which those copies are purged. Backups are never used to restore deleted accounts and are accessible only for disaster-recovery purposes.
- Sub-processors: We instruct our sub-processors (as listed in our Data Processing Agreement) to delete the relevant personal data in accordance with their own deletion timelines.
- Retained records: We retain billing and invoice records, and any data we are otherwise legally required to keep, for the periods set out in the retention schedule above, even after the workspace itself has been deleted.
Closing an account is an irreversible action once the export window has elapsed. We will confirm closure by email to the address held on the account.
5.Data Subject Deletion Requests and the Right to Erasure
Individuals have the right under the UK GDPR to request the erasure of their personal data in certain circumstances (the “right to be forgotten”). How such a request is handled depends on whether Propvora holds the data as a controller or as a processor on behalf of a business customer.
Where a business customer is the controller
For personal data stored inside a customer workspace (for example, a tenant’s contact details), the business customer is the data controller and is responsible for responding to erasure requests from the individuals whose data they hold. The Service provides in-app tools that allow customers to find, edit, redact, and delete records relating to a data subject so they can give effect to a valid erasure request. If an individual contacts us directly about workspace data, we will, where appropriate, forward the request to the relevant controller and assist them in responding.
Where Propvora is the controller
For personal data we hold as a controller in our own right (such as the account holder’s own profile and login data), an individual can ask us to erase their data by emailing legal@propvora.com. We will verify the identity of the requester before acting and will respond within one calendar month, as required by the UK GDPR (extendable by up to two further months for complex requests, in which case we will tell the requester within the first month).
When we may decline or limit an erasure request
The right to erasure is not absolute. We may retain personal data, in whole or in part, where we have a lawful basis or an overriding obligation to do so, including where the data is needed:
- to comply with a legal obligation, such as tax, accounting, or anti-money-laundering record-keeping;
- to establish, exercise, or defend legal claims;
- for reasons of public interest or for the exercise of official authority; or
- where deletion would prevent us from fulfilling a contract that is still in force.
Where we cannot fully erase data, we will explain why, and we will restrict our processing of that data to the permitted purpose only.
6.Anonymisation
In some cases we transform personal data into aggregated or anonymised data that no longer identifies any individual, whether directly or indirectly. Once data has been genuinely and irreversibly anonymised, it falls outside the scope of the UK GDPR because it is no longer personal data.
We may retain such aggregated and anonymised data indefinitely for purposes including statistical analysis, benchmarking, service performance monitoring, and product improvement. For example, we may keep anonymised metrics about how features of the Service are used. We will not attempt to re-identify individuals from anonymised datasets, and we apply appropriate techniques to ensure that re-identification is not reasonably possible.
7.Controller and Processor Responsibilities
For workspace data, the business customer is the data controller and determines the purposes and means of processing, including the practical retention of records through their day-to-day use of the Service. The customer sets retention in practice by choosing what to store, what to archive, and what to delete.
Propvora acts as the data processor for that workspace data. We retain and delete workspace data in accordance with the customer’s documented instructions (which include their use of the Service’s features) and the terms of this policy and our Data Processing Agreement. We will not retain workspace personal data for longer than the customer requires, except where we are legally obliged to do so or where the data persists temporarily in backups as described above.
Where Propvora processes personal data for its own purposes — such as managing accounts, processing payments, providing support, and securing the platform — we act as a controller and apply the retention periods set out in the schedule in section 3.
8.How Deletion Works Technically
Deletion within the Service is implemented in stages so that accidental loss can be prevented while still honouring our retention commitments:
- Soft delete: When a record is first deleted, it is typically marked as deleted and removed from the user’s view. During this stage the record can, where the feature allows, be restored by an authorised user. Soft-deleted data is no longer used for active processing.
- Hard delete: After the applicable grace or retention period, soft-deleted records are permanently removed from our live production databases and storage so that they can no longer be retrieved through the Service.
- Backup expiry: Copies of deleted data may remain in our encrypted, access-controlled backups until the rolling 30-day backup cycle completes, at which point those copies expire and are purged. Backups are isolated from live systems and are used only for disaster recovery.
- Sub-processor deletion: Where data is held by a sub-processor, we issue deletion instructions and rely on the sub-processor’s contractual deletion commitments to complete the removal.
- Certification of deletion: On reasonable written request, we can provide written confirmation that personal data has been deleted in accordance with this policy.
We apply appropriate technical and organisational measures to ensure that deletion is carried out securely and that deleted personal data cannot be reconstructed once the relevant periods have elapsed.
9.Contact
For questions about this policy, to make an erasure request, or to request certification of deletion, please contact our data team at legal@propvora.com. For general assistance, you can reach our support team at support@propvora.com.
Blackwellen Ltd trading as Propvora, 61 Bridge Street, Kington, England, HR5 3DJ. If you are not satisfied with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk.