EFFIVITY PDPL DATA RETENTION POLICY

Last revision: 28 April 2026

Contents

1. Purpose

2. Scope

3. Definitions

4. Retention principles

5. Roles and responsibilities

6. Retention schedule

7. Cookies and online identifiers

8. Storage and security during retention

9. Destruction and anonymization

10. Legal holds and exceptions

11. Data subject rights and retention

12. Cross-border data transfers

13. Vendors and processors

14. Records of processing and audit

15. Breach of this policy

16. Review and version control

1. Purpose

This Policy sets out how Effivity Technologies Pvt Ltd (“Effivity”, “we”) retains, archives and securely destroys personal data and other records that we hold as a controller or as a processor on behalf of our Clients.

It is designed to ensure that we:

Process personal data only for as long as is necessary to achieve the purpose for which it was collected;

Comply with our obligations under applicable data protection laws, including the Kingdom of Saudi Arabia’s Personal Data Protection Law (“PDPL”) and its Implementing Regulations, the EU/UK GDPR, and India’s Digital Personal Data Protection Act 2023;

Comply with our certification commitments under ISO/IEC 27001;

Reduce the risks associated with holding data that is no longer needed; and

Provide a transparent and auditable basis for retention decisions.

2. Scope

This Policy applies to:

All personal data processed by Effivity, in any format and on any medium (cloud-hosted production systems, internal IT systems, paper records, removable media, mobile devices, and back-up media);

All employees, contractors, interns and third parties who process personal data on behalf of Effivity; and

All Effivity products, services and websites, including www.effivity.com and the Effivity application suite (QMS, EHS, FSMS, ISMS and related modules).

Where Effivity acts as a Processor on behalf of a Client (the Controller), retention of Client personal data is primarily governed by the relevant Data Processing Agreement and the Client’s instructions. This Policy applies as a default where no specific instruction has been given by the Client.

3. Definitions

Personal Data - any information relating to an identified or identifiable natural person (a “Data Subject”), as defined under applicable law.

Sensitive Personal Data - personal data revealing racial or ethnic origin, religious or philosophical beliefs, security or criminal records, biometric or genetic data, health data, or data relating to credit position, as defined under PDPL Article 1 and equivalent definitions under GDPR.

Controller / Controlling Entity - the entity that determines the purposes and means of the processing of personal data.

Processor / Processing Entity - the entity that processes personal data on behalf of a Controller.

Retention Period - the maximum period during which personal data may be held in a form that allows identification of the Data Subject.

Destruction - the irreversible deletion of personal data, including from back-ups, in accordance with section 9 of this Policy.

Anonymisation - the process of irreversibly removing all elements that could allow identification of the Data Subject, such that the resulting data is no longer Personal Data.

4. Retention principles

Effivity applies the following principles to all retention decisions:

Purpose limitation. Personal data is retained only for the specific purpose(s) for which it was collected, as set out in our Privacy Policy and Records of Processing Activities (RoPA).

Storage limitation. Personal data is kept in a form that permits identification of Data Subjects for no longer than is necessary for those purposes.

Data minimisation. Where possible, we anonymise or pseudonymise personal data before the end of the active retention period.

Accountability. Each retention period is documented in the Retention Schedule (section 6) together with its legal, regulatory or business justification.

Lawful basis throughout. Personal data is only retained for as long as we have a valid lawful basis to do so.

Default destruction. When a retention period expires and no legal hold or contractual obligation prevents destruction, the data is destroyed or anonymised in accordance with section 9.

5. Roles and responsibilities

Data Protection Officer (DPO). Owns this Policy, maintains the Retention Schedule, advises business owners on retention questions, handles data subject requests, and is the contact point for the SDAIA and other supervisory authorities.

Information Security Officer. Ensures that storage, archival and destruction processes meet the security controls required by ISO/IEC 27001 and applicable law.

Process / Department Owners. Identify which records they hold, classify them against the Retention Schedule, and execute scheduled reviews and destruction.

All Personnel. Comply with this Policy and report any incident, exception or doubt to the DPO.

6. Retention schedule

The retention periods set out below apply unless

(i) a different period is required by applicable law,

(ii) a Client instruction (where Effivity acts as Processor) requires a different period, or

(iii) a legal hold has been issued under section 10.

Where personal data relates to individuals in the Kingdom of Saudi Arabia, the Kingdom of Saudi Arabia's Personal Data Protection Law (PDPL), its Implementing Regulations, any applicable SDAIA guidance, and any mandatory Saudi regulatory requirement shall prevail over any inconsistent retention period, deletion timeline, or processing requirement contained in this Policy.

Sensitive Personal Data shall be retained only for the minimum period necessary to fulfil the specific purpose for which it was collected and to comply with applicable legal, regulatory, contractual, or legitimate business requirements. Retention periods applicable to Sensitive Personal Data shall be approved by the Data Protection Officer as part of the Retention Schedule and reviewed at least annually to confirm their continued necessity, proportionality, and compliance with applicable law.

 

6.1 Customer and Subscriber data (Effivity acts as Controller)

Data category

Processing purpose

Retention period

Trigger / Destruction method

Account registration data (name, business email, role, company)

Account creation, authentication, contract performance, billing

Active for the duration of the Subscription, plus up to 7 years after termination where necessary for contract administration, audit, tax/accounting compliance, security, and legal claims. Data not required for these purposes will be deleted or anonymised earlier, including where required following a valid erasure request.

Termination of subscription. Destroyed by automated database purge with cryptographic erasure of back-ups within 90 days of expiry.

Billing and invoicing data

Issuing invoices, tax compliance, accounting

Minimum 8 years (India: Income-tax Act + Companies Act); aligned with KSA tax record obligations where applicable

End of financial year of last invoice. Anonymised in financial records after retention; destroyed in operational systems.

Support tickets and correspondence

Providing customer support, service quality, dispute defence

3 years from ticket closure

Ticket closure. Destroyed via help-desk archive purge job.

Marketing and CRM data (where consent given)

Direct marketing, lead nurturing, event invitations

Until consent is withdrawn, or 24 months of inactivity, whichever is earlier

Consent withdrawal or unsubscribe. Removed from CRM and suppressed.

Website analytics (Google Analytics, Hotjar)

Site improvement, statistical reporting

Maximum 26 months (Google Analytics property setting)

Automatic Google Analytics expiry; raw event logs purged on rolling 14-month basis.

Where Effivity processes digital personal data of Data Principals in India, personal data will be erased when the specified purpose is no longer served or where consent is withdrawn, unless continued retention is necessary for compliance with applicable law, contract administration, tax/accounting record-keeping, audit, dispute prevention, or the establishment, exercise or defence of legal claims.

For account registration data retained after subscription termination, Effivity will retain only the minimum account-level information reasonably required for contract history, billing reconciliation, audit trail, tax/accounting compliance, security, and legal-defence purposes. Such data will not be used for active service delivery or marketing after termination unless a separate lawful basis applies. Where a valid deletion request is received, Effivity will delete or anonymize all personal data not required for the above lawful retention purposes.

6.2 Client Records (Effivity acts as Processor on behalf of the Client)

Data category

Processing purpose

Retention period

Trigger / Destruction method

QMS, EHS, FSMS, ISMS records uploaded by the Client

Per the Client’s documented instructions in the Data Processing Agreement

Duration of the unless the Client instructs otherwise in Subscription, plus a return / deletion window of 30 days after termination, writing

Termination of subscription, or earlier Client instruction. Returned to Client and / or destroyed; deletion certificate issued on request.

Audit logs and access logs related to Client tenancy

Security monitoring, ISO/IEC 27001 compliance, incident investigation

12 months online, 24 additional months in cold archive

Rolling deletion. Cold archive destroyed by cryptographic erasure.

6.3 Employee and HR data

Data category

Processing purpose

Retention period

Trigger / Destruction method

Recruitment data (unsuccessful applicants)

Recruitment process, defence against discrimination claims

12 months from end of recruitment process, unless the candidate consents to longer retention in our talent pool

End of recruitment campaign. Deleted from ATS.

Employee personnel files

Employment contract performance, statutory record-keeping, payroll

Duration of employment + 7 years

End of employment. Archived securely; destroyed at end of retention.

Payroll and tax records

Tax compliance, social security, audit

8 years (India statutory minimum)

End of financial year. Destroyed after retention.

Training records (incl. PDPL / privacy training)

Demonstrating compliance with Article 32 PDPL Implementing Regulations and ISO/IEC 27001

Duration of employment + 5 years

End of employment. Archived in LMS, then destroyed.

6.4 Vendor and contract data

Data category

Processing purpose

Retention period

Trigger / Destruction method

Contracts and Data Processing Agreements with vendors

Contract performance, dispute defence, regulatory audits

Duration of contract + 7 years from termination

Contract end. Original retained in contract repository; destroyed at end of retention.

Vendor due diligence records (security, privacy, financial)

Vendor risk management, regulatory compliance

Duration of relationship + 3 years

End of relationship. Archived, then destroyed.

6.5 Security, audit and compliance records

Data category

Processing purpose

Retention period

Trigger / Destruction method

Security incident records (including personal data breaches)

Breach response, regulatory notification, lessons learned, evidence of compliance

10 years from incident closure

Incident closure. Stored in incident management system.

Internal audit reports (privacy, security, ISO 27001)

Demonstrating accountability, certification body audits

Minimum two completed audit cycles, typically 6 years

Completion of next two audit cycles.

Records of Processing Activities (RoPA)

PDPL Article 31, GDPR Article 30 compliance

Maintained for as long as the underlying processing exists, plus 5 years thereafter

Continuous; superseded versions archived.

Cookie consent logs

Demonstrating consent under PDPL and GDPR

Duration of the user’s relationship with the site, plus 24 months

Rolling expiry. Logs destroyed at end of retention.

7. Cookies and online identifiers

Specific retention periods for cookies are set out in the Effivity Cookie Policy. Cookie data is treated under this Policy as follows:

Strictly necessary cookies are retained for the duration shown in the Cookie Policy and not beyond what is required to operate Effivity.

Statistics and Marketing cookies are only set after consent and are retained for the period shown in the Cookie Policy or until consent is withdrawn, whichever is shorter.

Consent records (the cookie-perms cookie and the server-side consent log) are retained for 24 months after the user’s last interaction with Effivity, in line with our obligation to demonstrate consent under PDPL Article 11 and GDPR Article 7(1).

8. Storage and security during retention

Throughout the retention period, personal data is protected with technical and organisational controls aligned with ISO/IEC 27001 and the security requirements of Article 19 of the PDPL Implementing Regulations, including:

Role-based access control with least-privilege provisioning;

Encryption of data at rest and in transit using industry-standard algorithms;

Multi-factor authentication for administrative access;

Centralised logging and monitoring of access to personal data;

Segregation between Client tenants in our multi-tenant production environment; and

Regular vulnerability scanning, penetration testing and security training.

Data that has reached the end of its active retention period but is still within a permitted archival window is moved to restricted-access cold storage with reduced access privileges.

9. Destruction and anonymization

When a retention period expires and no exception under section 10 applies, personal data is destroyed or anonymized. The destruction method depends on the medium:

Production databases. Hard delete with referential cascade and cryptographic erasure of relevant encryption keys.

Back-ups. Back-ups are subject to a maximum 90-day rolling retention. Personal data destroyed in production is therefore eliminated from back-ups within 90 days at the latest.

Object / file storage. Permanent deletion with versioning purge.

Removable media. Cryptographic erasure or physical destruction using NIST SP 800-88 “purge” or “destroy” techniques.

Paper records. Cross-cut shredding and disposal through a contracted secure destruction provider.

A destruction record is generated for each scheduled destruction event and stored in our compliance archive for at least 5 years.

Where personal data is anonymized rather than destroyed, the DPO must verify that re-identification is not reasonably possible, and document the technique used.

10. Legal holds and exceptions

Personal data may be retained beyond the periods set out in section 6 only where one or more of the following applies:

There is an active or reasonably anticipated legal claim, regulatory investigation or audit;

Retention is required to comply with a court order, regulatory direction or other legal obligation;

The data is needed to establish, exercise or defend Effivity’s legal rights;

The Data Subject has consented to a longer retention period for a specific purpose; or

The data has been fully anonymised in accordance with section 9, in which case it is no longer Personal Data.

Any extension of a retention period must be documented in the Legal Hold Register, signed off by the DPO, and lifted as soon as the underlying reason ends.

11. Data subject rights and retention

Data Subjects may, in accordance with the law applicable to them, request access to, correction or deletion of their personal data. The retention periods in this Policy do not override these rights:

Where a valid deletion request is received and no exception applies, personal data is destroyed within 30 days, even if the standard retention period has not yet expired.

Where the Data Subject withdraws consent and consent was the only lawful basis for processing, retention also ends.

Where Effivity acts as Processor, deletion requests are routed to the relevant Client (Controller) and executed under the Client’s instructions.

Requests can be submitted to privacy@effivity.com. Data Subjects in the Kingdom of Saudi Arabia may also lodge a complaint with the SDAIA.

12. Data localisation and cross-border data transfers

Effivity shall maintain a documented record of the countries in which personal data is stored, hosted, backed up, remotely accessed, archived, or destroyed, including production systems, back-ups, support tools, analytics tools, cloud infrastructure, and sub-processors.

Where Effivity processes personal data relating to individuals in the Kingdom of Saudi Arabia, Effivity shall assess whether such data is required to be stored or processed within the Kingdom under the PDPL, its Implementing Regulations, the Regulation on Personal Data Transfer Outside the Kingdom, any SDAIA guidance, and any Client-specific contractual or regulatory requirements.

As a default position, Saudi personal data shall not be transferred, stored, accessed, backed up, archived, or processed outside the Kingdom unless:

(a) the transfer is permitted under the PDPL and the Regulation on Personal Data Transfer Outside the Kingdom;
(b) the transfer is necessary for a lawful and documented purpose, including service delivery, operational processing, contract performance, support, billing, security, or legal compliance;
(c) the transfer is limited to the minimum personal data necessary for that purpose;
(d) the transfer does not prejudice the national security or vital interests of the Kingdom;
(e) an appropriate transfer mechanism or safeguard is in place, such as an SDAIA-recognised adequate protection route, SDAIA-approved Standard Contractual Clauses, Binding Common Rules, approved certification, or another mechanism permitted by applicable Saudi law; and
(f) a transfer risk assessment is completed where required.

For Saudi personal data, Effivity shall document, at minimum:

(a) the categories of personal data transferred;
(b) the country or countries where the data will be stored, accessed, backed up, or processed;
(c) the purpose and legal basis for the transfer;
(d) whether the recipient country or recipient provides an adequate level of protection;
(e) the safeguards used for the transfer;
(f) whether sensitive personal data is involved;
(g) whether the transfer is continuous, large-scale, or recurring;
(h) the risks to Data Subjects; and
(i) the controls adopted to reduce or mitigate those risks.

Where Effivity acts as Processor for a Client, Effivity shall not transfer Client personal data outside the relevant country, including outside the Kingdom of Saudi Arabia where Saudi personal data is involved, unless authorised by the Client’s documented instructions, the Data Processing Agreement, or applicable law.

Any onward transfer by a vendor, cloud provider, support provider, or sub-processor must be subject to equivalent restrictions, contractual safeguards, and audit rights. The retention periods in section 6 apply to personal data wherever it is stored, but storage location and cross-border transfer requirements must be assessed separately before any transfer, remote access, back-up, archival, or destruction activity takes place outside the original country of collection .

13. Vendors and processors

Where Effivity engages a sub-processor or other vendor to process personal data on its behalf, the contract with that vendor must:

Require the vendor to retain the personal data only for the duration necessary to perform the agreed services;

Require destruction or return of the personal data at the end of the engagement, with a deletion certificate; and

Permit Effivity to audit the vendor’s compliance with these obligations.

14. Records of processing and audit

The DPO maintains a Records of Processing Activities (RoPA) register that includes, for each processing activity, the categories of personal data, processing purposes, lawful basis, retention period, and any cross-border transfers in line with Article 31 of the PDPL Implementing Regulations.

Compliance with this Policy is reviewed:

As part of our annual ISO/IEC 27001 internal audit;

As part of the annual privacy compliance audit performed by the DPO; and

Whenever a material privacy incident or regulatory enquiry occurs.

14.1A Data-location and transfer records

As part of the RoPA, the DPO shall maintain a data-location and transfer record identifying where personal data is hosted, backed up, accessed from, archived, transferred to, or destroyed. This record shall include the relevant hosting location, back-up location, remote access countries, sub-processors, transfer mechanism, transfer risk assessment status, and any Client-specific localisation requirement, including any requirement for Saudi personal data to remain stored or processed within the Kingdom of Saudi Arabia.

15. Breach of this policy

Any failure to comply with this Policy must be reported to the DPO without undue delay. Disciplinary action may be taken against employees who knowingly or repeatedly fail to comply, in line with our HR disciplinary procedure. Where a breach of this Policy also constitutes a personal data breach, the Effivity Personal Data Breach Response Procedure is triggered.

16. Review and version control

This Policy is reviewed at least annually by the DPO. The Retention Schedule in section 6 is reviewed at the same cadence and updated whenever a new processing activity is added to the RoPA, or when applicable law changes. All previous versions are archived for at least 5 years.