Data Retention Schedule
Summary of how long we aim to keep major data categories on systems we operate. Automated deletion cron jobs are not yet enabled; the periods below guide staff review and future automation.
This documentation describes how we are implementing compliance with UK GDPR and related privacy law. It is not legal advice and does not certify full regulatory compliance.
How to read this schedule
Maximum retention days are upper bounds for operational planning. Minimum days, where set, mean we do not delete before that window has passed. Manual review means a human must approve end-of-life action. Restrict means data may be kept in limited form for legal or security reasons.
Website (jmsrp.co.uk)
- Authentication sessions — up to 30 days — delete at end of life.
- Consent audit events — 365–1095 days — restrict; no IP/user-agent stored.
- Consent preferences — up to 3650 days while account active — restrict until erasure completes.
- Contact form messages — 30–365 days — anonymise; manual review (may contain third-party names in free text).
- Queue history — 7–90 days — delete.
- Staff audit records — 365–2555 days — restrict; manual review (DSAR and disciplinary evidence).
- Privacy request records — 365–2555 days — restrict; manual review (regulatory evidence).
Overseer (support & moderation)
- Ticket transcripts — 90–365 days — delete when not under hold.
- Moderation cases — 1825–3650 days — restrict; manual review (appeals and investigations).
- Security logs — 90–730 days — restrict.
Infrastructure
- Backup erasure tombstones — 365–3650 days — restrict; manual review. Tombstones prevent erased subjects from reappearing after a backup restore. Backup media itself is not purged instantly; rotation is governed by infrastructure SOPs.
Third-party systems
Discord messages, forum posts, Tebex receipts, and payment processor records follow those providers' own retention and your relationship with them. Our erasure process on systems we control does not remove copies we cannot access or delete.
Last updated: May 2026