Data Retention Policy

Effective date: 1 April 2025 · Last updated: 1 April 2025

This policy explains how long CertVault retains different types of data, and the criteria we use to determine retention periods. It should be read alongside our Privacy Policy.

1. Our Approach to Data Retention

CertVault retains personal information only for as long as it is necessary for the purpose for which it was collected, or as required by law. We regularly review the data we hold and securely delete or de-identify information that is no longer needed.

We apply the following principles:

Data minimisation — we collect and store only what is necessary.
Purpose limitation — data is not retained beyond its original purpose.
Security — data is securely destroyed when no longer required.
Legal compliance — retention periods respect applicable Australian law.

2. Retention Periods by Data Category

The table below summarises how long we retain different types of data:

Data category	Retention period	Legal basis
Worker account profile (name, email, location, industries)	Until account deletion + 90 days	Service delivery
Employer account profile (name, email, company)	Until account deletion + 90 days	Service delivery
Uploaded documents (files in storage)	Until document is deleted by user or account is closed + 90 days	Service delivery
Document metadata (name, expiry, issuer)	Until document or account is deleted + 90 days	Service delivery
Authentication logs	12 months	Security / fraud prevention
Platform usage / activity logs	12 months	Security / product improvement
Invite records (worker_invites)	12 months after acceptance or expiry	Audit trail
Email delivery records	6 months	Transactional record
Virus scan results	Retained with document record until document is deleted	Security
Deleted account data (de-identified)	Up to 7 years	Legal / regulatory obligations

3. Active Accounts

While your account is active, we retain all data associated with it to provide you with the platform's services. Workers may delete individual documents at any time from their dashboard, which triggers deletion of the file from storage within 24 hours. Document metadata may be retained for up to 90 days after deletion.

4. Account Closure and Deletion

4.1 Worker Account Deletion

When a Worker closes their account:

All uploaded document files are deleted from storage within 90 days.
Profile information (name, email, industries, etc.) is deleted or de-identified within 90 days.
Any employer access to that Worker's documents is immediately revoked.
Aggregated, de-identified data (used only for platform analytics) may be retained indefinitely.

4.2 Employer Account Deletion

When an Employer closes their account:

The employer profile is deleted or de-identified within 90 days.
Access to all Worker profiles and documents is immediately revoked.
Invite records sent by that employer are retained for 12 months for audit purposes, then deleted.

4.3 Requesting Deletion

You may request deletion of your account and all associated data at any time by emailing legal@certvault.com.au. We will action deletion requests within 90 days, subject to any legal obligations that require us to retain certain records.

5. Legal and Regulatory Hold

Notwithstanding the periods above, we may retain data for longer where:

We are required to do so by law, court order, or regulatory direction.
The data is reasonably required for litigation, investigation, or dispute resolution.
An active legal hold is in place over the relevant records.

We will inform you of any such hold where we are legally permitted to do so.

6. Security of Data at Deletion

When data reaches the end of its retention period, it is securely deleted from our live systems and backups. Document files are removed from Supabase Storage. Database records are hard-deleted or de-identified so that the data cannot be attributed to any individual.

7. Changes to This Policy

We may update this policy from time to time. Material changes will be notified by email at least 14 days before they take effect.

8. Contact Us

CertVault Pty Ltd
Email: legal@certvault.com.au