Data Retention Policy

Last updated: 17 October 2025 (AEST)

1. Introduction#

New Horizon Code PTY LTD ("New Horizon Code", "we", "us", or "our") is committed to the secure and responsible management of all data under our care.

This Data Retention Policy outlines how we collect, retain, archive, and securely delete personal, business, and technical data across all of our platforms and services — including Diversity Sync'd, Carey, TobyHR, Syrup, and Profile Dock.

This policy works in conjunction with our Privacy Policy, Security Policy, and Terms of Service to ensure transparency, compliance, and protection of user privacy.

2. Scope and Application#

This policy applies to all data collected, processed, and stored by New Horizon Code across all systems, including:

User account information and authentication data
Business and application data generated across all platforms
Communication records such as emails, chats, and call logs
Technical and diagnostic data including logs, analytics, and performance metrics
Financial and billing information, including invoices and payment records

It applies to all customers, users, employees, and third-party service providers who process or have access to data under New Horizon Code's control.

3. Legal and Regulatory Framework#

Our data retention and deletion practices comply with the following laws, standards, and frameworks:

Australian Requirements

Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs)
Corporations Act 2001 (Cth)
Australian Accounting Standards

International Frameworks

EU General Data Protection Regulation (GDPR), where applicable
UK Data Protection Act 2018
California Consumer Privacy Act (CCPA), where applicable
ISO 27001-aligned internal data governance standards

We also comply with any additional industry-specific regulations or contractual obligations relevant to our clients' sectors.

4. Data Classification#

To determine appropriate retention and deletion practices, we classify data into four main categories:

Personal Data

Information that identifies or could reasonably identify an individual:

Names, emails, and contact details
Account information and user profiles
Authentication credentials and access logs

Business Data

Operational data created through the use of our platforms:

Files, documents, and reports
Collaboration and project records
Workflow configurations and integrations

Technical Data

System-generated data required for reliability and performance:

Server and API logs
System diagnostics and performance metrics
Security and audit trails

Financial Data

Data required for financial and legal compliance:

Invoices, payment records, and receipts
Tokenised payment method data
Tax documentation and accounting records

5. Data Retention Periods#

Retention periods are determined by legal obligations, operational necessity, and data sensitivity.

Data Type	Active Period	Archive Period	Total Retention
User Account Data	Duration of service	30 days post-termination	30 days after closure
Application Data	Duration of service	90 days post-termination	90 days after closure
Communication Records	3 years	4 years	7 years total
Voice Recordings	90 days	—	90 days
Financial Records	7 years	—	7 years (legal requirement)
System Logs	12 months	—	12 months
Security Logs	2 years	3 years	5 years total
Analytics Data	2 years	—	2 years

Retention periods may be extended in cases involving legal proceedings, regulatory investigations, or contractual obligations.

Data may also be deleted earlier upon verified user request where permitted by law.

6. Data Storage and Security#

All retained data is stored in secure, access-controlled environments that comply with industry-leading security standards.

Active Storage

Primary databases with role-based access
AES-256 encryption at rest
TLS 1.3 encryption in transit
Automated daily backups with redundancy

Archive Storage

Cold storage systems with restricted administrative access
Enhanced encryption and integrity verification
Immutable storage for legally protected data
Full audit trail of all data access and retrieval events

7. Automated Deletion Processes#

To ensure consistency and compliance, we use automated and auditable systems for data deletion.

Scheduled Deletion

Daily automated scans identify data exceeding its retention period
Expired data is archived or securely purged from active systems
Deletion uses multi-pass overwrite methods where required

Verification and Logging

All deletion activities are logged for audit purposes
Verification checks ensure complete removal from all live and backup systems
Periodic internal audits validate the accuracy and completeness of deletions

8. User Rights and Data Requests#

Users have the right to access, export, and request deletion of their data in accordance with privacy law and contractual obligations.

Request Type	Processing Time	Method
Account Deletion	Immediate	In-app self-service or verified email request
Specific Data Deletion	Within 30 days	Verified email request
Data Export	Within 30 days	Delivered in standard formats (CSV, JSON, PDF)
Legal Holds	Case-by-case	Handled by legal and compliance teams

All deletion and export requests require identity verification to prevent unauthorised access or removal of data.

9. Exceptions and Legal Holds#

Certain data may need to be retained beyond standard retention periods in specific circumstances, including:

Legal Proceedings: Information relevant to ongoing or anticipated litigation
Regulatory Investigations: Requests from government or compliance authorities
Security Incidents: Data related to internal or external investigations
Contractual Obligations: Retention requirements defined by client agreements
Backups: Data stored in encrypted backups retained for resilience purposes

Legal Hold Process

When a legal hold is implemented:

The affected data is excluded from automated deletion
Access is restricted and the data is archived separately
Users are notified where legally permissible
Standard deletion resumes once the hold is lifted

10. Monitoring and Compliance#

We conduct ongoing monitoring and reviews to ensure compliance with this policy.

Internal Oversight

Quarterly reviews of retention and deletion activities
Annual data mapping and classification reviews
Periodic validation of automation scripts and audit logs

External Compliance

Independent security and privacy audits
Third-party penetration testing
Compliance verification with applicable data protection authorities

11. Policy Updates#

This policy may be updated periodically to reflect:

Changes in legal or regulatory requirements
Evolving security practices
Operational or infrastructure improvements

We will:

Notify users of any material changes via email or in-app notification
Provide 30 days' notice prior to new retention periods taking effect
Maintain an archive of previous versions for reference

Continued use of our services after updates constitutes acceptance of the latest version.

12. Contact Information#

For questions, deletion requests, or compliance enquiries, contact:

Data Protection Officer

New Horizon Code PTY LTD

Suite 121, Level 14, 167 Eagle Street

Brisbane QLD 4000, Australia

Email: privacy@newhorizoncode.io

Phone: 1300 980 034