Introduction

This data retention policy sets out the obligations of Vicky Wu Marketing (“us/we/our”) and the basis upon which we shall retain, review and destroy data held by us, or within our custody or control.

This policy applies to our entire organization including our officers, employees, agents and sub-contractors and sets out what the retention periods are and when any such data may be deleted.

Objectives

It is necessary to retain and process certain information to enable our business to operate. We may store data in the following places:

a) our own servers;

b) any third-party servers;

c) potential email accounts;

d) desktops;

e) employee-owned devices (BYOD);

f) potential backup storage; and/or

g) our paper files.

This policy applies equally to paper, electronic media and any other method used to store personal data. The period of retention only commences when the record is closed.

We are bound by various obligations under the law in relation to this and therefore, to comply with the law, information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully in respect of their personal data.

“Personal data” is any information relating to an identified or identifiable natural person (a data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

This Policy sets out the procedures that are to be followed when dealing with personal data and how we aim to comply with the Regulation in so far as it is possible. In summary, the Regulation states that all personal data shall be:

1) processed lawfully, fairly, and in a transparent manner in relation to the data subject;

2) collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;

3) adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;

4) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which they are processed, is erased or rectified without delay;

5) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the Regulation in order to safeguard the rights and freedoms of the data subject;

6) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Security and Storage

All data and records are stored securely to avoid misuse or loss. We will process all personal data we hold in accordance with our IT Security Policy.

We will put in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. Personal data will only be transferred to a data processor if there is agreement by them to comply with those procedures and policies, or if there are adequate measures in place.

Examples of our storage facilities are as follows:

CRM – Dubsado and Hubspot

Client data – Dropbox and Airtable

Emails – Outlook

We will maintain data security by protecting the confidentiality, integrity and availability of the personal data, defined as follows:

a) Confidentiality means that only people who are authorised to use the data can access it.

b) Integrity means that personal data should be accurate and suitable for the purpose for which it is processed.

c) Availability means that authorized users should be able to access the data if they need it for authorized purposes. Personal data is not stored on individual PCs.

Retention Policy

Data retention is defined as the retention of data for a specific period of time and for back up purposes.

We shall not keep any personal data longer than necessary but acknowledge that this will be dependent on the different types of documents and data that we have responsibility for. As such, our general data retention period shall be for a period of 10 years.  Our specific data retention periods are set out below:

Type of dataType of data subjectType of processingPurpose of processingType of recipient to whom personal data is transferredRetention periodData accuracy and minimisation review date
ClientsName / email / phoneEmail / phoneService provision / new service updateEmail service provider / telemarketerFor as long as they remain a clientMonthly client review meetings
ProspectsName / email / phoneemailMarketing of our servicesEmail service provider / telemarketer
Archive clientsName / email / phoneEmail / phoneMarketing of our servicesEmail service provider / telemarketer
Suppliers / potential and ex suppliersName / email / phone / addressEmail / phoneService provisionEmail service provider
EmployeesName / email / phone / address / date of birthEmail / phone / HR systemsMaintain Employer / employee relationshipEmail service provider / 3rd party service providerFor as long as they remain an employeeUpdated by employees as required
Potential /           ex-employeesName / email / phone / address / date of birthEmail / phoneMaintain Employer / employee relationshipEmail service provider / 3rd party service provider5 years
Client’s dataName / email / phoneEmailService provision3rd party service provider1 month after service updatedFrom client updates

From time to time, it may be necessary to retain or access historic personal data under certain circumstances such as if we have contractually agreed to do so or if we have become involved in unforeseen events like litigation or business disaster recoveries.

Destruction and Disposal

Upon expiry of our retention periods, we shall delete confidential or sensitive records categorized as requiring high protection and very high protection, and we shall either delete or anonymize less important documents. 

The destruction of confidential, financial, and personnel-related records shall be securely destroyed electronically or by shredding if possible. Non-confidential records may be destroyed by recycling.

In many cases for our clients, we are granted access to some of their accounts, such as being added as a user on client social media accounts or website builder. We make every effort to remove our participation in these platforms, but it is not always fully possible for our end. Due to the nature of these systems and the client being the designated admin on the accounts, clients are expected to undertake the responsibility of removing any and all of our team access from these systems as soon as an associated projects end.

This website uses cookies to ensure you get the best experience on our website. By continuing to use the website, you agree to our use of cookies. We do not share or sell your information. More info

New Release!

Pivot to Success:

Transforming Marketing Missteps into Milestones