1. Purpose of This Policy

UK GDPR requires that personal data is "kept in a form which permits identification of data subjects for no longer than is necessary" (Article 5(1)(e) — storage limitation principle). This policy documents UKBPM Limited's retention periods for each category of data we process, the legal basis for each period, and our disposal procedures.

This policy is reviewed annually. Last reviewed: 23 April 2026.

2. Statutory Maintenance Records

Statutory maintenance records are subject to specific legal minimum retention periods. We retain all statutory records for at minimum the legally required period, and often longer where prudent for insurance or legal proceedings purposes.

| Record Type | Retention Period | Legal Basis |
|---|---|---|
| Gas Safety Records (CP12) | 2 years minimum | Gas Safety (Installation and Use) Regulations 1998 — Reg 36(4) |
| Asbestos management records (register, management plan, survey reports) | Life of the building | Control of Asbestos Regulations 2012 (CAR 2012) — Reg 4 |
| Electrical Installation Condition Reports (EICR) | 5 years (until superseded by next EICR) | Electricity at Work Regulations 1989 |
| PAT Testing records | Until next test or 3 years minimum | Electricity at Work Regulations 1989 |
| Fire Risk Assessments | Until superseded + 3 years | Regulatory Reform (Fire Safety) Order 2005 |
| Fire alarm service records | 3 years | BS 5839-1; RRO 2005 |
| LOLER thorough examination reports (lifts) | 2 years (or until next examination) | LOLER 1998 — Reg 11 |
| Legionella risk assessments & L8 monitoring records | 5 years | L8 ACOP; HSG274 — Para 2.98 |
| Boiler service records | 3 years | Insurance and manufacturer requirements |
| Health & Safety accident / incident records | 3 years from date of incident (RIDDOR) | RIDDOR 2013; Limitation Act 1980 |

3. Financial Records

| Record Type | Retention Period | Legal Basis |
|---|---|---|
| Invoices (issued and received) | 7 years | HMRC requirement — Companies Act 2006; Finance Act; VAT Regulations |
| Purchase orders and financial correspondence | 7 years | HMRC; Companies Act 2006 |
| Bank statements and accounts | 7 years | HMRC requirement |
| Expense records | 7 years | HMRC requirement |
| Payroll records | 7 years | Income Tax (PAYE) Regulations 2003 |

4. Contractor and Sub-contractor Records

| Record Type | Retention Period | Legal Basis |
|---|---|---|
| Contractor contact details (name, business address, email) | 6 years after relationship ends | Legitimate interests; Limitation Act 1980 (contract claims) |
| Contractor qualifications and insurance certificates | Duration of relationship + 6 years | Legitimate interests; H&S legal obligations |
| Contractor invoices | 7 years | HMRC requirement |
| Contractor performance records | Duration of relationship + 3 years | Legitimate interests |
| Sub-contractor personal data (self-employed — name, home address where used) | 6 years after last payment / relationship end | Legitimate interests; Limitation Act 1980 |

Contractors should refer to our Contractor Privacy Notice for full details of how their personal data is processed.

5. Client Records

| Record Type | Retention Period | Legal Basis |
|---|---|---|
| Business client contact data (company name, contact name, email, phone) | 6 years after last contact or contract end | Legitimate interests; Limitation Act 1980 |
| Individual client data (personal email, home address) | 6 years after last contact | Legitimate interests; Limitation Act 1980 |
| Service contracts and agreements | 7 years after contract end | Limitation Act 1980; Companies Act 2006 |
| Job records and work orders | 6 years (statutory maintenance records per Section 2 above) | Limitation Act 1980; statutory obligations |
| Email correspondence about service delivery | 6 years after relationship end | Legitimate interests; Limitation Act 1980 |

6. Website Enquiries

| Record Type | Retention Period | Legal Basis |
|---|---|---|
| Website contact form submissions (not converted to a client) | 12 months from date of enquiry | Legitimate interests — responding to enquiry |
| Website contact form submissions (converted to a client) | Becomes part of client record (see Section 5) | Contract performance; Legitimate interests |
| Marketing consent records (where opted in) | Until consent is withdrawn, then immediately deleted | Consent — UK GDPR Article 6(1)(a) |

7. Email and WhatsApp Communications

UKBPM uses Microsoft 365 for email and may use WhatsApp or other messaging platforms for operational communication with clients and contractors. We have a policy for managing these communications:

- Client job emails: Retained in Microsoft 365 for 6 years after the project or relationship ends, in line with our Limitation Act obligations.
- WhatsApp job threads: Resolved job threads containing personal data should be deleted once the applicable retention period expires. We recommend a practice of deleting resolved job threads after the relevant retention period (see Sections 2–5 above) unless a legal hold is in place.
- Routine operational messages: Messages not containing job-specific or personal data may be deleted after 12 months.

We acknowledge that WhatsApp and similar platforms are not ideally suited to data retention management. We are in the process of reviewing our communication tools to better align with data minimisation obligations under UK GDPR.

8. Analytics Data

| Record Type | Retention Period | Legal Basis |
|---|---|---|
| Google Analytics 4 data (where consent given) | 14 months (GA4 default data retention setting) | Consent — UK GDPR Article 6(1)(a) / PECR |
| Cookie consent preference (localStorage) | Persistent until cleared by user or reset via Cookie Policy page | Not personal data — preference only |

9. Secure Disposal

When data reaches the end of its retention period, it is disposed of securely:

- Digital data (Microsoft 365, OneDrive, email): Permanently deleted using the platform's secure deletion function. Microsoft 365 retains deleted items for up to 30 days in the recycle bin before permanent deletion.
- Physical documents: Shredded using a cross-cut shredder or disposed of via a confidential waste contractor.
- Backups: Backup copies are purged in accordance with the same retention schedules.

10. Your Rights

You have the right to request deletion of your personal data before the end of its retention period if the data is no longer necessary for the purpose for which it was collected, or if you withdraw consent (where consent is the lawful basis). Note that we may be required to retain certain data despite a deletion request where a legal obligation requires us to do so (for example, HMRC financial records or statutory maintenance records).

To exercise your data rights, email privacy@ukbpm.co.uk with "Data Request" in the subject line. See our Privacy Policy for the full list of your rights under UK GDPR.