Cure Link

Data Retention Policy

Cure Link Ltd

Data Retention Policy

Personal Data Retention Schedule and Disposal Procedures

Version: 1.0
Date: 17 February 2026
Reference: CL-DRP-001

1. Purpose

This policy sets out how long Cure Link Ltd retains different categories of personal data and the processes for securely disposing of data once retention periods have expired. Retaining data for longer than necessary is a breach of UK GDPR (Article 5(1)(e) — storage limitation principle). This policy ensures compliance and minimises risk.

2. Scope

This policy applies to all personal data held by Cure Link Ltd in any format — digital or physical — including data held by third-party processors on our behalf.

3. Principles

  • Data shall not be kept for longer than necessary for the purposes for which it was collected.
  • Retention periods are set based on business need, legal obligation, and regulatory guidance.
  • When data is no longer needed, it shall be securely deleted or anonymised.
  • Special category health data is subject to stricter controls and shorter retention periods where possible.
  • Retention periods shall be reviewed annually.

4. Retention Schedule

The table below summarises our standard retention periods:

  • User account data (name, email, login credentials): Account lifetime + 2 years – legitimate interests / contractual.
  • Health & eligibility data (medical conditions, screening responses): Active matching + 3 years – explicit consent / public interest.
  • Trial referral records (which trials a user was matched to or referred for): 6 years from referral – legal obligation / limitation periods.
  • Healthcare professional data (GMC number, employer, speciality): Registration duration + 2 years – contract / legitimate interests.
  • Communications (emails, support tickets, in-app messages): 6 years – legal obligation.
  • Consent records (records of consent given / withdrawn): 6 years from last interaction – legal obligation (demonstrating compliance).
  • Audit and access logs (system access, data access events): 7 years – legal / regulatory obligation.
  • Financial and billing records (invoices, payment records (B2B)): 7 years – HMRC / Companies Act requirement.
  • Anonymised / aggregated analytics (aggregate platform usage statistics): Indefinite – no longer personal data.

5. Clinical Trial Specific Considerations

In the context of clinical trials, data retention may be subject to additional requirements from:

  • MHRA regulations and ICH Good Clinical Practice (GCP) guidelines — typically require trial-related data to be retained for at least 15 years after trial completion.
  • Sponsor or CRO requirements set out in applicable Data Processing Agreements.
  • EMA and HRA requirements for post-market surveillance data.

Where Cure Link Ltd holds trial-related data as a Processor on behalf of a trial sponsor, retention periods will be governed by the relevant DPA and sponsor requirements, which may supersede the periods set out above.

6. Special Category (Health) Data

Health data is subject to enhanced retention controls:

  • Minimum collection principle: only health data strictly necessary for matching purposes is collected.
  • Purpose limitation: health data collected for matching will not be retained beyond the matching purpose.
  • Enhanced access controls apply throughout the retention period.
  • Subject Access Requests for deletion of health data will be acted upon promptly, subject to any overriding legal obligation.

7. Data Disposal Procedures

7.1 Digital Data

  • Electronic files are deleted using secure overwrite or cryptographic erasure.
  • Cloud storage: provider-certified deletion with confirmation obtained in writing.
  • Backups: purged from backup systems within 30 days of primary deletion.

7.2 Physical Data

  • Paper documents are cross-shredded using a DIN 66399 Level P-4 shredder or higher.
  • Physical media (hard drives, USB) are destroyed using certified data destruction services.

7.3 Third-Party Processors

  • Retention and deletion requirements are set out in all DPAs.
  • Written confirmation of data deletion must be obtained from all processors upon expiry of retention periods.

8. Retention Review and Audit

  • Annual review of this policy and the retention schedule by the DPO.
  • Automated system flags where data is approaching its retention expiry.
  • Quarterly audit of data held against the retention schedule.
  • Records of disposal are maintained for audit purposes.

9. Roles and Responsibilities

  • Data Protection Officer: Oversight of this policy, annual review, and escalation.
  • IT / Engineering: Implementation of technical controls for automated deletion.
  • Operations: Day-to-day compliance with disposal procedures.
  • All staff: Responsibility for reporting data that may have exceeded its retention period.

10. Policy Review

This policy was last reviewed on 17 February 2026 and is due for review on 17 February 2027 or earlier if required by regulatory changes.