Retention and deletion
Data Retention and Deletion Standard
Default retention windows and deletion controls used by smartHMO.
Last updated: 5 March 2026
1. Retention principles
- Keep data no longer than necessary for defined purposes.
- Apply legal hold where disputes, investigations, or statutory obligations require.
- Minimise retained personal data after tenancy or account lifecycle ends.
2. Default retention schedule
| Data category | Default period | Rationale |
|---|---|---|
| User account profile and role records | Duration of active account + up to 24 months after closure | Operational continuity, disputes, and security review. |
| Session and security authentication records | Up to 12 months | Security monitoring, fraud prevention, and incident investigation. |
| Audit logs and administrative change history | Up to 24 months | Compliance evidence and accountability. |
| Maintenance requests, tasks, and message records | Up to 7 years from tenancy end where required by landlord policy | Contractual evidence, claims handling, and legal obligations. |
| Financial records and payment reconciliation metadata | Up to 7 years (or longer where law requires) | Accounting and tax compliance. |
| Password reset tokens and invite tokens | Short-lived, auto-expiring (minutes/hours) and single-use | Security by design and minimisation. |
3. Deletion workflow
- Time-based and event-based deletion triggers are applied.
- Where immediate deletion is not lawful, records are restricted and queued for deletion.
- Erasure requests are checked against legal hold and statutory retention obligations.
- Anonymisation may be used where full deletion is not feasible without breaking records integrity.
4. Customer controls
Landlords can use tenant GDPR controls in-platform for export and anonymisation workflows. For full account closure or additional deletion requests, contact support@smarthmo.co.uk.