Data Retention Policy

Last update:
November 6, 2025

WAVEE – DATA RETENTION POLICY

Effective Date: 1 March 2025

This Data Retention Policy explains how Wave Ai Ltd (“Wavee”, “we”, “us”, “our”) stores, manages, retains, anonymises, and deletes personal data collected through:

  • The Wavee Resident App
  • The Wavee Concierge & Building Portal
  • The Wavee Business Portal
  • The Wavee Pets App
  • Associated websites, systems, and communications
    (together, the “Platform”)

Wavee complies with:

  • The UK General Data Protection Regulation (UK GDPR)
  • The Data Protection Act 2018
  • ICO guidance on storage limitation and retention

This Policy must be read together with our:

  • Privacy Policy
  • Data Protection & Security Policy
  • Terms of Service
  • Business Portal Terms
  • End User Licence Agreement (EULA)

1. Purpose of This Policy

This Policy ensures that:

  • Personal data is retained only for lawful and necessary purposes
  • Data is not kept for longer than required
  • Secure deletion and anonymisation processes are applied
  • Legal, regulatory, and audit obligations are satisfied
  • User rights under data protection law are respected

2. Core Retention Principles

Wavee applies the following legally required principles:

  1. Data Minimisation
    Only data necessary for defined Platform purposes is collected and stored.
  2. Purpose Limitation
    Data is used only for the purpose for which it was collected.
  3. Storage Limitation
    Data is retained only for the time periods defined in this Policy.
  4. Accuracy & Integrity
    Reasonable steps are taken to keep data accurate and up to date.
  5. Security & Confidentiality
    Data is protected with encryption, access controls, and audit logging.
  6. Right to Erasure
    Users may request deletion unless legal exemption applies.

3. Categories of Data & Retention Periods

A. Resident Account Data

Includes: name, email, phone number, building reference, profile photo, preferences.

Retention:

  • Retained for the duration of the active account
  • Deleted or anonymised within 12 months of verified account closure
  • Core identity records may be retained up to 6 years where required for fraud prevention or legal disputes

B. Concierge & Building Staff Accounts

Includes: staff name, role, login credentials, access logs, audit trails.

Retention:

  • Retained for the duration of the building’s use of the Platform
  • Deleted within 12 months after building contract termination
  • Security audit logs retained up to 3 years

C. Business Portal Accounts

Includes: business name, address, contact details, listings, staff logins, promotions.

Retention:

  • Retained during the active business relationship
  • Deleted or anonymised within 12 months after account termination
  • Financial records retained under statutory requirements (see Section G)

D. Communication & Messaging Data

Includes: resident chats, concierge announcements, business messages, service requests.

Retention:

  • Retained for up to 12 months from last activity
  • May be retained longer where:
    • Required for dispute resolution
    • Required for fraud investigations
    • Required by law

E. Parcel & Visitor Logs (Concierge Data)

Includes: parcel arrival records, collection timestamps, visitor check-ins.

Retention:

  • Retained for 12 months from the event date
  • May be anonymised and retained longer for security analytics

F. App Usage & Technical Analytics

Includes: IP address, device identifiers, usage logs, crash reports, cookies.

Retention:

  • Retained for up to 24 months
  • Anonymised analytics may be retained indefinitely

G. Payments & Transaction Records

Includes: receipts, invoices, transaction references, subscription history.
Wavee does not store raw card numbers.

Retention:

  • Retained for 6 years (UK tax, accounting, and anti-fraud obligations)

H. Customer Support Records

Includes: emails, support tickets, call logs, system investigations.

Retention:

  • Retained for 3 years after ticket closure
  • Retained up to 6 years where linked to disputes or legal matters

I. Legal, Compliance & Audit Records

Includes: regulatory correspondence, dispute evidence, enforcement records.

Retention:

  • Retained for up to 6 years in line with statutory limitation periods

J. Marketing & Notification Preferences

Includes: marketing opt-ins, opt-outs, suppression lists.

Retention:

  • Retained indefinitely to comply with marketing suppression and consent records
  • Deleted upon verified data erasure request where legally permitted

K. Wavee Pets – Pet Profiles & Community Content

Includes: pet names, photos, diary posts, interactions, service bookings.

Retention:

  • Retained while the user account remains active
  • Deleted within 12 months of user account closure unless earlier deletion is requested

L. Uploaded Media (Photos, Videos, Documents)

Includes: resident uploads, business images, pet photos, concierge uploads.

Retention:

  • Retained until deletion by the user
  • Deleted within 12 months after account closure

4. Data Retained for Legal & Regulatory Reasons

Certain categories of data may be retained longer where:

  • Required by tax or financial law
  • Required for fraud prevention
  • Required for dispute resolution
  • Required for court, regulatory, or law enforcement proceedings
  • Anonymised for analytics and security research

Access to such retained data is strictly restricted.

5. Secure Deletion, Anonymisation & Data Portability

Deletion Requests

Users may request deletion by contacting:

privacy@wavee.ai

Wavee will respond within 30 days unless:

  • Retention is required by law
  • A dispute or investigation is ongoing
  • A contractual or regulatory obligation applies

Anonymisation

Where possible, data is anonymised instead of deleted so it:

  • Cannot be linked to an individual
  • May be used for analytics without privacy risk

Data Portability

Users may request a portable copy of their personal data in a structured electronic format.

6. Backup Retention

Wavee operates encrypted system backups:

  • Backup data is retained for up to 90 days
  • Backups expire automatically and cannot be selectively edited
  • Deleted data may persist in backups until backup expiry
  • Backup data is not used for operational processing

7. Lawful Basis for Retention

Wavee retains data under one or more of:

  • Contractual necessity
  • Legal obligation
  • Legitimate interests (security, analytics, service improvement)
  • User consent (marketing, tracking)

Where consent is withdrawn, affected data is deleted or anonymised unless another lawful basis applies.

8. International Data Storage & Transfers

Where data is processed outside the UK:

  • Approved safeguards apply (including Standard Contractual Clauses)
  • Equivalent security and privacy protections are required
  • Transfer risk assessments are conducted

9. Review of This Policy

This Policy is reviewed periodically to ensure alignment with:

  • Legal developments
  • ICO guidance
  • Platform feature changes
  • Operational requirements

The “Last Updated” date reflects the current version.

10. Contact

For data retention enquiries or deletion requests:

privacy@wavee.ai