Data Retention Policy
Last updated: 24 April 2026
Noctara Red
Effective date: 24 April 2026 | Version: 1.0
This policy sets out how Noctara Security Ltd (Company No. 17122134) retains and deletes personal data and other data processed through the Noctara Red platform at www.noctara.tech.
This policy should be read alongside our Terms of Service, Data Processing Agreement, and Subprocessor List.
1. Principles
Noctara Security Ltd retains personal data only for as long as necessary to fulfil the purpose for which it was collected, to perform our contractual obligations, or to comply with applicable legal requirements. In practice, this means that:
- data is not kept for longer than necessary for the purpose it was collected;
- retention periods are defined in advance and reviewed periodically;
- data that has reached the end of its retention period is deleted securely or anonymised;
- where we are required by law to retain data for a minimum period, we comply and delete it as soon as the obligation ends.
2. Data We Control (Account and Operational Data)
| Data category | Examples | Retention period | Reason |
|---|---|---|---|
| Account registration data | Name, email address, company name, job title | Duration of the subscription plus 2 years | Account management, support, and audit |
| Billing and payment records | Invoice history, payment records, VAT records | 7 years from the date of the transaction | Legal obligation under HMRC requirements |
| Subscription and contract records | Order Forms, subscription tier, pricing agreed | Duration of the subscription plus 6 years | Contractual limitation period under the Limitation Act 1980 |
| Support and correspondence records | Emails, support tickets, chat logs | 3 years from the date of the last interaction | Legitimate interest in resolving disputes |
| Security and access logs | Login events, IP addresses, session data | 12 months | Security monitoring and incident investigation |
| Product usage and analytics data | Feature usage and platform performance data in anonymised or aggregated form | 3 years in anonymised or aggregated form | Product improvement and business analytics |
| Marketing contact data | Email addresses of prospective customers who have consented to marketing | Until consent is withdrawn or 2 years of inactivity, whichever is earlier | Consent-based marketing |
3. Customer Data (Data We Process on Behalf of Customers)
| Data category | Examples | Retention period | Notes |
|---|---|---|---|
| Engagement and report content | Scan outputs, vulnerability findings, report drafts, evidence files | Duration of the Subscription Period plus 30 days | Customer may export at any time during this window |
| AI-processed content | Report narratives, enriched findings, remediation guidance generated using AI inference | Duration of the Subscription Period plus 30 days | Deleted alongside source Customer Data |
| Personal data within engagement scope | Credentials, email addresses, usernames, IP addresses captured during testing | Duration of the Subscription Period plus 30 days | Customer is the data controller for this category |
At the end of the 30-day post-termination window, all Customer Data is securely deleted or irreversibly anonymised unless we are required by law to retain it.
Customers who require a shorter retention period may request this in writing at info@noctara.tech.
4. Special Category Data
Noctara Security Ltd does not intentionally collect or process Special Category Data in connection with the Platform. Customers must not upload Special Category Data without prior written agreement with us.
5. Deletion and Anonymisation
When a retention period expires, data is disposed of by one of the following methods:
- secure deletion from live systems and databases;
- secure deletion from backup systems within the next scheduled backup cycle, and in any event within 90 days of deletion from live systems;
- irreversible anonymisation where deletion is not technically feasible and the resulting data no longer constitutes personal data.
6. Legal Holds
Where personal data is subject to a legal hold, the normal retention period is suspended for the duration of that hold and access will be restricted to those with a legitimate need.
7. Data Subject Rights
Data subjects may have the right to request deletion of their personal data in certain circumstances under UK GDPR. Requests should be sent to info@noctara.tech.
Where personal data is contained within Customer Data, deletion requests from individuals whose data appears in engagement content should usually be directed to the relevant Customer, who acts as the data controller for that data.
8. Retention of This Policy
We review this policy at least annually and update it where our processing activities or legal obligations change.
9. Contact
Noctara Security Ltd
Company No. 17122134
ICO Registration Number: [To be added on registration]
Version History
| Version | Date | Summary of changes |
|---|---|---|
| 1.0 | 24 April 2026 | Initial policy published. |