Data Retention Policy
Last Updated: March 2025
1. INTRODUCTION
This Data Retention Policy ("Policy") sets out the principles and schedules governing how long Uonyx retains different categories of data, the basis on which retention periods are determined, and the procedures applied when data reaches the end of its retention period.
This Policy applies to all personal data and business data processed by Uonyx, whether in Uonyx's role as a data controller of its own platform data or as a data processor acting on behalf of its customers. It complements the Uonyx Privacy Policy (https://uonyx.com/legal/privacy) and the Data Processing Agreement, and should be read in conjunction with both.
2. SCOPE
This Policy applies to:
- All data systems, databases, storage environments, and backup infrastructure operated by Uonyx or on its behalf by authorized service providers
- All categories of personal data and business data processed by Uonyx, whether classified as Platform Data or Customer Data
- All Uonyx personnel, contractors, and third-party service providers who access or process data on Uonyx's behalf
This Policy does not override the terms of any Data Processing Agreement between Uonyx and a customer. Where a DPA specifies retention periods or deletion obligations for Customer Data, those terms prevail.
3. CATEGORIES OF DATA COVERED
3.1 Platform Data
Platform Data is data for which Uonyx acts as an independent data controller. This includes account registration information, billing and subscription records, website analytics, system logs, marketing communications data, support interactions, and contractual documentation. Uonyx determines the purposes and means of processing Platform Data.
3.2 Customer Data
Customer Data is data uploaded by customers into the Uonyx ERP platform — for example, employee records, customer relationship information, financial records, procurement data, and project documentation. When processing Customer Data, Uonyx acts as a data processor under the applicable Data Processing Agreement. Retention of Customer Data is governed primarily by the customer's instructions, except where Uonyx has independent legal obligations.
3.3 Security and Operational Logs
Uonyx generates and retains security event logs, authentication records, API access logs, and system performance data for the purposes of security monitoring, incident investigation, fraud prevention, and platform stability. These logs are retained for the periods specified in Section 5.
3.4 Support Communications
Records of customer support interactions, including tickets, email correspondence, chat transcripts, and call recordings where applicable, are retained to enable service continuity, dispute resolution, and quality assurance.
3.5 Billing and Financial Records
Financial records, including invoices, payment histories, subscription records, and tax documentation, are retained in accordance with applicable financial and tax laws.
3.6 Backup Data
Automated system backups may temporarily retain copies of all data categories listed above. Backup retention is governed by a rolling schedule and is subject to secure purging in accordance with this Policy.
4. RETENTION PRINCIPLES
Uonyx applies the following principles to all data retention decisions:
- Purpose limitation: Data is retained only for as long as necessary to fulfil the purpose for which it was collected, or for a directly compatible secondary purpose.
- Data minimization: We do not retain data in excess of what is required, and we periodically review whether retained data continues to be necessary.
- Legal compliance: Retention periods reflect applicable legal, regulatory, and contractual obligations, including tax law, employment law, and data protection legislation.
- Security during retention: All data retained within Uonyx systems is protected by the technical and organizational security measures described in the Uonyx Security Policy (https://uonyx.com/legal/security).
- Regular review: Retention schedules are reviewed at least annually to ensure they remain appropriate and compliant with evolving legal requirements.
- Automated enforcement: Where operationally feasible, retention periods are enforced through automated data lifecycle management tools to minimize human error.
5. RETENTION SCHEDULE
The following table provides indicative retention periods for key data categories. Specific periods may vary depending on applicable law, contractual obligations, or active legal proceedings.
| Data Category | Examples | Retention Period | Basis |
|---|---|---|---|
| Account and Profile Data | User accounts, contact details, company info, admin settings | Duration of account + 12 months post-closure | Contractual necessity; legitimate interests |
| Billing and Payment Records | Invoices, subscription history, payment method metadata | 7 years | Legal obligation (tax and accounting law) |
| Customer Data (ERP Content) | Business records, employee data, CRM data, inventory, projects | Per DPA terms; deleted on request or account closure | Customer instruction (processor role) |
| Security and Access Logs | Authentication logs, access events, API activity | 12 months (24 months for enterprise) | Legitimate interests; legal obligation |
| Support Communications | Support tickets, chat transcripts, email correspondence | 3 years from case closure | Legitimate interests; contractual necessity |
| Marketing and Analytics Data | Website session data, campaign analytics, lead data | 2 years; anonymized data may be retained longer | Consent; legitimate interests |
| Contractual Documentation | Executed agreements, order forms, DPAs | Duration of contract + 7 years | Legal obligation; legitimate interests |
| Incident and Audit Records | Security incident reports, audit logs, compliance records | 5 years | Legal obligation; legitimate interests |
| Backup Data | Automated system backups containing all categories above | 30–90 days (rolling); purged per schedule | Operational necessity |
Retention periods shown are indicative. Uonyx may retain data for longer periods where required by applicable law, regulatory obligation, or active legal proceedings, and may retain anonymized or aggregated data indefinitely. Shorter periods may apply where a customer or individual exercises a valid deletion right.
6. CUSTOMER-CONTROLLED DATA RETENTION
Customers who use Uonyx as a data processor retain control over their Customer Data and may configure retention periods within the platform where that functionality is available. Customers may also request deletion of their Customer Data at any time in accordance with the applicable Data Processing Agreement.
Where a customer account is terminated or a subscription is cancelled, Customer Data will be deleted or returned to the customer in accordance with the Data Processing Agreement, typically within ninety (90) days of the effective date of termination unless a longer retention period is required by applicable law.
Customers bear responsibility for ensuring that their own data retention practices comply with applicable privacy and employment laws in their jurisdiction.
7. LEGAL AND REGULATORY REQUIREMENTS
Uonyx retains certain categories of data beyond its standard operational retention periods where required by applicable law, regulation, or government authority. Examples include:
- Financial and accounting records retained in compliance with applicable tax legislation (typically 7 years or the period required by law in the relevant jurisdiction)
- Employment-related records retained in compliance with applicable employment and labor law
- Contractual documentation and records retained in connection with potential limitation periods for legal claims
- Incident and audit records retained to support regulatory investigations or enforcement proceedings
Where data is retained solely for legal compliance purposes, access to that data is restricted to authorized personnel with a documented need, and the data is not used for any other purpose.
8. DATA MINIMIZATION
Uonyx is committed to the principle of data minimization. We collect and retain only the data necessary for legitimate and specified purposes. Our practices include:
- Collecting only data fields that are genuinely required for the stated purpose
- Applying anonymization or pseudonymization techniques where practical to reduce retention risk
- Configuring system-generated data collection to avoid unnecessary capture of personal information
- Conducting periodic data audits to identify and remove data that is no longer required
9. SECURE STORAGE DURING RETENTION
All data retained within Uonyx systems is subject to the security controls described in the Uonyx Security Policy, including encryption at rest, encryption in transit, access controls, and audit logging. Data retained in backup systems is subject to equivalent security protections.
Access to retained personal data is restricted to authorized personnel on a need-to-know basis. Access rights are reviewed regularly and revoked promptly upon changes in role or employment status.
10. POLICY REVIEW
This Policy is reviewed at least annually by Uonyx's privacy and compliance function, or sooner if required by changes in applicable law, regulatory guidance, or significant changes to Uonyx's data processing activities. Updates to this Policy will be published at https://uonyx.com/legal/retention with a revised effective date.
For questions about this policy or to submit a request, please contact Uonyx using the details below.
| Contact | Details |
|---|---|
| Privacy Enquiries | privacy@uonyx.com |
| Privacy Policy | https://uonyx.com/legal/privacy |
| Security Policy | https://uonyx.com/legal/security |
| Sub-Processors | https://uonyx.com/legal/subprocessors |
| Postal Address | Uonyx, 7421 Edinger Ave, Huntington Beach, CA 92647, United States |