← Back to Trust Centre · Back to McKenzieCMS
Data Retention Policy
Current policy set: This page reflects the default active retention policies configured in Admin → Retention Policies for McKenzieCMS v62.5.
McKenzieCMS is designed to avoid keeping personal data indefinitely. Case, client, financial, audit and account data should be retained only for as long as needed for case management, legal support, accounting, security, dispute handling and UK GDPR accountability purposes.
Active retention policy summary
| Record type | Retention period | Action on expiry | Policy note |
|---|---|---|---|
| Case Files | 6 years after case closure | Review | Retain closed case files for 6 years, then review for deletion, archive or legal hold. |
| Client Evidence Documents | 6 years after case closure | Review | Retain client evidence and uploaded documents subject to legal hold and user deletion rights. |
| Financial Records | 6 years | Retain | Retain invoices, billing, expenses and financial records for business, accounting and audit purposes. |
| Tax Records | 5 years after the 31 January filing deadline | Retain | Retain self-employed tax records for HMRC purposes. Review if company, VAT or MTD rules require longer retention. |
| Audit Logs | 6 years | Retain | Retain accountability logs to support dispute handling, compliance evidence and security review. |
| Security Logs | 24 months | Delete | Retain technical and security logs for 24 months unless needed for investigation, legal hold or incident response. |
| Marketing Enquiries | 12 months | Delete | Retain non-converted enquiries for 12 months, then delete where there has been no further engagement or consent. |
| Inactive User Accounts | 24 months inactive | Review | Review inactive accounts and delete, anonymise or retain only where legal, case or accounting obligations apply. |
| Data Breach Records | 6 years | Retain | Retain incident records as evidence of accountability, assessment and remedial action. |
| Consent Records | Life of consent plus 6 years | Retain | Keep consent records while processing continues, then retain for 6 years as compliance evidence before review. |
Deletion, review and legal hold
Where a retention period expires, data should be reviewed before deletion. Some data may need to be retained longer where there is an ongoing case, complaint, legal obligation, accounting requirement, security investigation or legal hold.
Users may request export or deletion of their data through the Privacy & GDPR controls, but deletion may be restricted where retention is necessary for legal, regulatory, fraud-prevention, accounting, backup or dispute-resolution purposes.
Backups
Deleted records may remain temporarily in encrypted backup or platform recovery systems until normal backup rotation completes.
Last updated for McKenzieCMS v62.5. Review before publication and insert business details, contact details and ICO registration number where required.