Data retention and deletion
Data retention and deletion — RentersActReady
Last updated: 22 April 2026.
This page describes how long we keep your data and what happens when you delete your account. It mirrors the in-app Privacy Policy; if anything diverges, the in-app version is the canonical version.
Active accounts
We retain your data for as long as your account is active.
| Data type | Retention while account is active |
|---|---|
| Profile (name, email, ICP, portfolio size) | Until deletion |
| Properties, tenancy details, certificate dates | Until deletion (or per-property soft-delete) |
| Documents (gas cert, EICR, Written Statement, Form 4A, correspondence) | Until deletion |
| Readiness assessments (with answers + score history) | Until deletion (history preserved across re-runs) |
| Written Statement audits | Until deletion |
| Custom deadlines | Until deletion (or completed → still retained) |
| Audit log entries | Retained indefinitely as an append-only ledger (a database trigger blocks UPDATE and DELETE). Minimum floor: six years per Limitation Act 1980 s.5. On account hard-delete the actor_id reference is unlinked so the trail survives without your user reference. |
| KPI events (analytics) | 24 months, then aggregated |
| Stripe customer + subscription records | Held by Stripe per their retention policy |
Account deletion
You can delete your account from /dashboard/settings by typing DELETE to confirm.
| Step | What happens | Timing |
|---|---|---|
| 1. Confirm deletion in dashboard | Profile flagged subscription_status='pending_deletion'. Any active Stripe subscription is set to cancel_at_period_end=true (no further charges; you keep Core access until the period you've paid for ends). Properties, deadlines, documents, readiness assessments, and Written Statement audits soft-deleted (deleted_at set). Account signed out. |
Immediate |
| 2. Stripe period end | Stripe fires customer.subscription.deleted; webhook flips profile from pending_deletion → cancelled. From this point you no longer have Core access. |
At the end of your current billing period |
| 3. Soft-delete window | Data is invisible in the product but still recoverable. Email support@rentersactready.co.uk to restore your account (we respond within 1 working day). |
0–90 days from step 1 |
| 4. Hard-delete | Profile row deleted; readiness assessments, written statement audits, cancellation reasons, testimonials, and per-user tables purged; Supabase Storage objects under your user prefix removed (paginated); Stripe customer record retained per Stripe policy for refund + dispute purposes; audit-log rows that reference you have their actor_id set to null so the ledger survives without your identity. |
90 days from step 1 |
Why pending_deletion vs cancelled
We use a pending_deletion status during the period between you confirming deletion and your Stripe billing period ending. This preserves the access you've already paid for. Once Stripe fires the customer.subscription.deleted event, the webhook flips the status to cancelled, and the hard-delete sweep then waits the full 90 days (from step 1) before purging your data.
The hard-delete is implemented as a Netlify scheduled function that runs daily at 03:30 UTC. The audit-log entry written at step 1 (account.soft_delete action with a hard_delete_scheduled_for timestamp + stripe_cancellations_initiated count) is the canonical record of the promise; the sweep writes a paired account.hard_delete audit entry once your data is fully removed. Re-running the sweep is safe — completed deletions are skipped via an idempotency check on the audit table.
Soft-delete on individual records
Properties, deadlines, documents, readiness assessments, and Written Statement audits you delete from inside the dashboard are also soft-deleted (the row gains a deleted_at timestamp). They become invisible to the product but the underlying row is retained for 90 days in case you need a copy. After 90 days they are hard-deleted on the same admin sweep.
Document storage
Documents you upload sit in Supabase Storage under a path prefixed by your user id ({user_id}/{filename}). Row-level security ensures only you can read them. When you delete a document, the metadata row is soft-deleted and the storage object is retained for 90 days then removed by the admin sweep. Signed download URLs are issued with a 60-second expiry.
Subject access requests (UK GDPR Article 15)
Use the Download data (JSON) button at /dashboard/settings. The export includes profile, properties, readiness assessments, written statement audits, deadlines, document metadata (not the file contents — download those individually), audit log entries authored by you, and feedback you've submitted. The endpoint is GET /api/account/export.
If you need a Subject Access Request through email instead, write to privacy@rentersactready.co.uk. We will reply within 30 days as required by law.
Right to erasure (UK GDPR Article 17)
Use the Delete my account button at /dashboard/settings. The 90-day soft-delete window exists so you can change your mind — email support@rentersactready.co.uk to restore your account during that window. If you need a faster erasure instead, email privacy@rentersactready.co.uk referencing this page and we will execute the hard-delete within 7 working days.
We retain a minimal record of the fact that the deletion happened — the audit-log entry with actor_id nulled — for our own dispute and statutory record-keeping. This is processed under legitimate interest (UK GDPR Art 6(1)(f)).
Crocker Digital Ltd, Company No. 17008789. ICO registration ZC128626.