Data Retention Policy
Effective date: 1 April 2025 · Last updated: 26 April 2026
1. Our Approach to Data Retention
CertVault retains personal information only for as long as it is necessary for the purpose for which it was collected, or as required by law. We regularly review the data we hold and securely delete or de-identify information that is no longer needed.
We apply the following principles:
- Data minimisation — we collect and store only what is necessary.
- Purpose limitation — data is not retained beyond its original purpose.
- Security — data is securely destroyed when no longer required.
- Legal compliance — retention periods respect applicable Australian law.
2. Retention Periods by Data Category
The table below summarises how long we retain different types of data:
| Data category | Retention period | Legal basis |
|---|---|---|
| Worker account profile (name, email, location, industries) | Removed immediately on account closure | Service delivery |
| Employer account profile (name, email, company) | Removed immediately on account closure (active Stripe subscription is also cancelled at this point) | Service delivery |
| Uploaded documents (files in storage) — single document deletion | Removed immediately when deleted by the worker; no recovery window | Service delivery |
| Uploaded documents (files in storage) — on account closure | Removed immediately on account closure | Service delivery |
| Document metadata (name, expiry, issuer) | Removed immediately when the document is deleted, or on account closure | Service delivery |
| Authentication logs | 12 months | Security / fraud prevention |
| Platform usage / activity logs | 12 months | Security / product improvement |
| Invite records (worker_invites) | Up to 12 months after acceptance or expiry, and removed earlier if either the inviting Employer or the invited Worker closes their CertVault account | Audit trail; symmetric erasure on either party’s account closure |
| Operational deletion-failure queue (deletion_failures) | Retained until resolved by an administrator; rows are hard-deleted on successful retry of the failed cleanup | Operational integrity — ensures orphaned auth records flagged after the user’s data is wiped can be cleaned up manually |
| Email delivery records | 6 months | Transactional record |
| Virus scan results | Retained with document record until document is deleted | Security |
| Consent records (terms_agreed_at, sensitive_data_consented_at, consent_version) | Deleted with the account on closure | Once the underlying data is gone, the consent record loses its purpose |
| Billing records (held by Stripe, not by CertVault) | 7 years | Retained independently by Stripe to satisfy tax-law obligations; CertVault stores no payment card data and no local billing copy beyond active subscription state |
3. Active Accounts
While your account is active, we retain all data associated with it to provide you with the platform's services. Workers may delete individual documents at any time from their dashboard. When you delete an individual document, both the file in storage and the document record are removed immediately — there is no 90-day grace period or recovery window. Whole-account closure (§ 4) is also handled immediately on request.
4. Account Closure and Deletion
4.1 Worker Account Deletion
When a Worker closes their account:
- All uploaded document files are removed from storage immediately.
- Profile information (name, email, industries, etc.) is removed from the database immediately.
- Any employer access to that Worker's documents is immediately revoked.
- Consent records associated with the account are deleted at the same time — once the underlying data is gone, the consent record loses its purpose.
- Two-sided relationship records (hire/contact/saved-list/invite rows) are removed from both sides — neither the Worker nor any Employer retains a CertVault record of the prior relationship.
- Aggregated, de-identified data may be retained indefinitely for platform analytics. This is limited to non-attributable counts and statistics — for example: total number of certificates uploaded per industry, distribution of work-type categories, total active accounts per region. No fields capable of identifying any individual (name, email, document filename, etc.) are retained in this aggregated data.
4.2 Employer Account Deletion
When an Employer closes their account:
- The employer profile is removed from the database immediately.
- Any active Stripe subscription is automatically cancelled at the same time, so no further charges are made.
- Access to all Worker profiles and documents is immediately revoked.
- Two-sided relationship records (hires, saved workers, contact requests, invites) are removed from both sides — Workers retain no CertVault record of the prior relationship.
- Consent records associated with the employer account are deleted at the same time.
- Stripe retains billing records (invoices, payment history) independently for the period required by tax law (typically 7 years). CertVault does not store payment card data at any point.
Note: An Employer's own primary HR / payroll / bookkeeping system is independent of CertVault. Records the Employer is required to keep under employment, tax, or labour law (e.g., payroll registers under the Australian Fair Work Act) live in those systems and are not affected by CertVault account closure.
4.3 Requesting Deletion
You may request deletion of your account and all associated data at any time by using the in-app "Delete account" option, or by emailing legal@certvaultapp.com. Self-service deletions take effect immediately. Email-requested deletions are actioned without undue delay, and in any event within one month of receipt (extendable by a further two months for complex requests, with notice to you, in line with GDPR Article 12(3) and equivalent provisions under the UK GDPR and Australian Privacy Act). Urgent erasure requests will be actioned as quickly as reasonably practicable, subject to the limited carve-outs mentioned in § 2 above (notably Stripe's independent billing-record retention for tax-law compliance).
5. Legal and Regulatory Hold
Notwithstanding the periods above, we may retain data for longer where:
- We are required to do so by law, court order, or regulatory direction.
- The data is reasonably required for litigation, investigation, or dispute resolution.
- An active legal hold is in place over the relevant records.
We will inform you of any such hold where we are legally permitted to do so.
6. Security of Data at Deletion
When data reaches the end of its retention period, it is securely deleted from our live systems and backups. Document files are removed from Supabase Storage. Database records are hard-deleted or de-identified so that the data cannot be attributed to any individual.
7. Changes to This Policy
We may update this policy from time to time. Material changes will be notified by email at least 14 days before they take effect.
8. Contact Us
CertVault (Australian sole trader)
ABN: 51 371 573 935
2 Tandang Sora Street
Labason, Zamboanga Del Norte
Philippines 7117
Email: legal@certvaultapp.com