Xertilox Data Retention Policy 

1. Introduction & Purpose 

Xertilox Ltd (“Xertilox”, “we”, “us”, “our”) is committed to protecting the personal data we process and ensuring compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Digital Identity and Attributes Trust Framework (DIATF). 
 
This policy defines how long personal data is retained when collected and processed through the Xertilox mobile application and associated systems. It ensures that: 
• Personal data is retained only for as long as necessary to fulfil the purposes for which it was collected. 
• Retention periods are defined, documented, and adhered to in line with legal, regulatory, and business requirements. 
• Data is securely deleted or anonymised when no longer needed. 

2. Scope  

This policy applies to all personal data processed via the Xertilox mobile app and supporting systems, including: 
• Wallet holder data 
• Document verification data 
• Biometric data (e.g. facial recognition scans) 
• Device data and session logs 
• Transactional and audit trail data 
 
This policy covers all Xertilox staff, contractors, and authorised third-party processors who handle mobile app data. 

3. Legal and Regulatory Framework 

This policy has been designed to comply with: 
• UK GDPR (Articles 5, 13, 17, 30, 32) 
• Data Protection Act 2018 
• Digital Identity and Attributes Trust Framework (DIATF) 
• Other applicable UK regulatory and contractual obligations 
 
Key principles derived from these frameworks: 
• Lawfulness, fairness, and transparency – Data retention periods must be clearly communicated to users. 
• Purpose limitation – Data is retained only for the original purpose for which it was collected. 
• Storage limitation – Data is not kept longer than necessary. 
• Integrity and confidentiality – Data must be securely stored and disposed of. 

4. Data Categories and Retention Periods

4.1. Wallet holder personal data (name, email, phone, etc.) 

Purpose: Creation and maintenance of user identity. 
Retention period: Active account: retained for duration of wallet use.  Inactive/deleted account: retained for 12 months to meet regulatory obligations. 
Disposal method: Secure deletion from all systems. 

4.2. Document verification data (passport, driving licence, etc.)  

Purpose: Verify authenticity of identity.  
Retention period: Retained for 90 days post-verification, then securely deleted unless required for ongoing compliance investigations. 
Disposal method: Encrypted purge from verification system.  

4.3. Biometric data (facial recognition scans)  

Purpose: Liveness detection and identity matching. 
Retention period: Retained for 24 hours post-verification, then deleted. 
Disposal method: Secure deletion and cache clearance.  

4.4. Device and session data  

Purpose: Security monitoring and fraud prevention.  
Retention period: Retained for 12 months from collection. 
Disposal method: Automatic log expiry and secure deletion. 

4.5. Transactional data and audit logs  

Purpose: To evidence DIATF-compliant verification activities  
Retention period: Retained for 7 years as required by DIATF audit requirements. 
Disposal method: Encrypted archival; deletion after expiry. 

5. Secure Disposal 

At the end of its retention period, personal data collected via the Xertilox mobile app will be securely disposed of in accordance with guidance from the UK National Cyber Security Centre (NCSC) and NIST SP 800-88 Rev.1 standards. 
 
Depending on the storage medium, one or more of the following techniques will be used: 
• Cryptographic Erasure: Where data is encrypted, secure destruction of the encryption keys will render the data inaccessible. 
• Overwriting (“Clear”): Applying one or more passes of random data to securely overwrite information on storage media. 
• Secure Purge: For SSDs and flash storage, using manufacturer-supported purge commands compliant with NIST Purge standards. 
• Physical Destruction: Where digital deletion is not sufficient, storage devices will be shredded, degaussed, or destroyed to NCSC-recommended standards. 
• Factory Reset for Mobile Devices: Any data temporarily stored on mobile devices will be securely wiped using a full factory reset process. 
 
Where data is processed by authorised third-party processors, they must provide written confirmation that secure deletion has been completed in line with NCSC guidance and DIATF compliance requirements. 

6. User Rights  

Under the UK GDPR, users of the Xertilox mobile app have the following rights regarding data retention: 
• Right of access – Users can request confirmation of what data is stored and for how long. 
• Right to erasure – Users can request deletion of their data unless retention is required by law. 
• Right to object – Users can object to processing where lawful grounds allow. 

Requests should be submitted to privacy@xertilox.com.

7. Roles and Responsibilities 
• Data Protection Officer (DPO): Ensures compliance with this policy and relevant laws. 
• Engineering & Product Teams: Implement automated retention and deletion controls. 
• Third-Party Processors: Must comply with this policy and provide evidence of secure deletion. 

8. Review and Updates 

This policy will be reviewed annually or sooner if required by changes in: 
- Regulatory or legislative requirements (e.g. DIATF updates) 
- Business operations or mobile app architecture 
- Security threats or risk assessments

9. Related Policies 

• Xertilox Privacy Policy 
• Xertilox Information Security Policy 
• Xertilox Data Protection Policy 
• Xertilox Incident Response Plan