Data Deletion Policy

1. INTRODUCTION

This Data Deletion Policy ("Policy") describes how Uonyx permanently removes personal data and business data from its systems when that data is no longer required. It sets out the processes, methods, and safeguards applied to data deletion, including deletions triggered by customer requests, account terminations, the expiration of retention periods, and the exercise of data subject rights.

This Policy should be read in conjunction with the Uonyx Data Retention Policy, Privacy Policy (https://uonyx.com/legal/privacy), and the applicable Data Processing Agreement, which together govern the full lifecycle of data processed by Uonyx.

2. SCOPE

This Policy applies to:

• All personal data and business data held in Uonyx production systems, databases, and storage environments
• All data held in backup and disaster recovery systems operated by Uonyx or its authorized service providers
• Data held by sub-processors and service providers acting on Uonyx's behalf
• All Uonyx personnel and contractors involved in data management activities

Data held by customers in the Uonyx platform in their capacity as data controllers remains subject to the customer's own deletion responsibilities. Uonyx's deletion obligations as data processor are governed by the applicable Data Processing Agreement.

3. TYPES OF DATA SUBJECT TO DELETION

The following categories of data are subject to deletion under this Policy:

• Platform Data: Account profiles, billing contact details, marketing preferences, website analytics, and other data for which Uonyx acts as data controller.
• Customer Data: Business records, employee data, customer relationship data, financial records, and other data uploaded by customers into the ERP platform. Deletion of Customer Data is governed primarily by the Data Processing Agreement.
• Security and Access Logs: Authentication records, access logs, and API activity logs that have reached the end of their retention period.
• Support Communications: Resolved support tickets, chat transcripts, and correspondence where the retention period has expired.
• Backup Data: Copies of data maintained in automated backup systems, subject to the backup purge schedule.

4. CUSTOMER-INITIATED DELETION REQUESTS

Customers acting in their capacity as data controllers may request deletion of Customer Data at any time by:

• Using the self-service data deletion tools available within the Uonyx platform, where supported
• Submitting a written deletion request to privacy@uonyx.com with sufficient information to identify the data to be deleted and the relevant account

Upon receipt of a valid deletion request, Uonyx will:

• Acknowledge receipt of the request within five (5) business days
• Process the deletion from live production systems within thirty (30) calendar days of acknowledgement
• Complete removal from backup systems within ninety (90) days of the initial deletion from production systems, in accordance with the backup purge schedule
• Provide a written confirmation of deletion upon request

Where Uonyx cannot fulfil a deletion request in full — for example, because legal retention obligations require continued storage of certain data — Uonyx will notify the customer of the scope of the partial retention and its legal basis.

5. ACCOUNT TERMINATION AND DATA REMOVAL

When a customer account is terminated, cancelled, or otherwise deactivated, Uonyx will apply the following process:

• Customer Data will remain accessible to the customer for a transitional period of up to thirty (30) days following termination, to allow data export
• Following the transitional period, Customer Data will be scheduled for deletion from production systems
• Deletion from production systems will be completed within ninety (90) days of the effective date of account termination, unless a different period is specified in the Data Processing Agreement
• Deletion from backup systems will be completed within the subsequent backup purge cycle, typically within a further thirty (30) to sixty (60) days
• Billing and financial records may be retained for up to seven (7) years following account termination as required by applicable tax and accounting law

Where a customer requests early deletion ahead of the standard schedule, Uonyx will use commercially reasonable efforts to accommodate the request, subject to operational and legal constraints.

6. BACKUP AND REPLICATION SYSTEMS

Uonyx maintains automated backup systems to support disaster recovery and business continuity. Data deleted from production systems may temporarily persist in backups until the backup purge schedule takes effect.

Uonyx's backup purge schedule operates on a rolling cycle, with the maximum backup retention period not exceeding ninety (90) days unless a longer period is required for legal or operational reasons. During the period that deleted production data persists in backups, that data is not actively accessed or used for any operational purpose other than disaster recovery.

Where a deletion request requires immediate removal from all systems including backups — for example, in response to a valid legal notice — Uonyx will assess feasibility and confirm the approach with the requesting party.

7. SECURE DATA DESTRUCTION METHODS

Uonyx applies the following data destruction methods depending on the medium and context:

• Logical deletion: Data is deleted from active databases and storage systems using secure deletion protocols that prevent recovery through standard file recovery tools.
• Cryptographic erasure: Where data is stored in encrypted form, the encryption keys are permanently destroyed, rendering the encrypted data irrecoverable. This method is applied where overwriting or physical destruction is not feasible.
• Physical destruction: Physical storage media that has reached end-of-life is destroyed using certified degaussing, shredding, or incineration, carried out by authorized service providers in compliance with applicable standards.
• Cloud storage deletion: Data stored in cloud environments is deleted using the cloud provider's secure deletion APIs, in accordance with the provider's documented deletion procedures and any applicable certifications.

The deletion method applied in each case is selected to ensure that the deleted data cannot reasonably be recovered or reconstructed.

8. VERIFICATION OF DELETION

Where a customer or data subject requests confirmation that data has been deleted, Uonyx will:

• Provide written confirmation that the relevant data has been deleted from production systems and, upon completion of the backup purge, from backup systems
• Include in the confirmation the scope of any data retained due to legal exceptions and the legal basis for that retention
• Retain internal records of deletion activities, including the date, scope, and method of deletion, for audit and compliance purposes

9. LEGAL EXCEPTIONS TO DELETION

Uonyx may retain data beyond the end of its standard retention period, or decline to delete data in response to a deletion request, in the following circumstances:

• Where retention is required by applicable law, including tax, accounting, employment, or regulatory obligations
• Where retention is necessary for the establishment, exercise, or defence of legal claims
• Where a competent government authority, court, or regulator has issued an order requiring retention
• Where deletion is not technically feasible for a limited period (for example, data in active backups awaiting scheduled purge), in which case the data is isolated and not actively accessed

Where legal exceptions apply, Uonyx will notify the requesting party of the scope and legal basis of any retained data, and will delete the data promptly once the legal basis for retention ceases to apply.

10. DELETION BY SUB-PROCESSORS

Uonyx engages sub-processors and service providers who may hold Customer Data or Platform Data as part of their provision of services to Uonyx. All sub-processors are contractually required to:

• Delete or return data upon Uonyx's request in accordance with Uonyx's instructions
• Apply secure deletion methods equivalent to those described in Section 7 of this Policy
• Confirm deletion within agreed timescales
• Comply with the sub-processor obligations set out in the applicable Data Processing Agreement

A current list of Uonyx's sub-processors is available at https://uonyx.com/legal/subprocessors.

11. DATA SUBJECT RIGHTS REQUESTS

Individuals who have the right to request erasure of their personal data under applicable data protection law (including the GDPR right to erasure under Article 17 and equivalent rights under the CCPA/CPRA and other applicable legislation) may submit a request to Uonyx at privacy@uonyx.com.

Uonyx will evaluate each request against the applicable legal framework and respond within the timeframe required by law. Where Uonyx acts as a data processor, it may refer the request to the relevant data controller (the customer). Where Uonyx acts as data controller, it will process the request directly.

Further information about data subject rights is available in the Uonyx Privacy Policy at https://uonyx.com/legal/privacy.

For questions about this policy or to submit a request, please contact Uonyx using the details below.