Retention & Liability Policy (Draft)
Last updated: February 27, 2026
Operational draft for implementation. Final legal wording should be reviewed by counsel before external publication.
Retention and deletion matrix
| Data set | What is stored | Retention period | Deletion/minimisation action |
|---|---|---|---|
| Auth OTP/token logs | OTP metadata, success/failure, timestamp, IP/device | 90 days | Delete detailed events at day 90; keep aggregate metrics only |
| Profile core (customer/plumber) | Name, email, phone, region, role, status | While account active | On closure: remove direct identifiers in 30 days unless legal hold |
| Unconverted enquiries | Issue type, free text, region, timestamps | 90 days from last activity | Delete enquiry body at day 90; keep anonymised analytics |
| Unconverted enquiry photos/files | Uploaded photos and files | 14 days | Hard-delete at day 14 if no booking/dispute |
| Quotes not accepted | Quote amount/range, plumber id, timestamps | 12 months | Delete quote-level detail; keep aggregated conversion metrics |
| Accepted quote + booking evidence | Accepted quote, timestamps, status timeline, policy version ids | 6 years from job close/cancel | Delete at expiry unless legal hold applies |
| Job chat bodies + attachments | Message text and media | 30 days after job close/cancel | Delete body and files; keep minimal metadata row |
| Job chat metadata | job_id, sender_id, timestamp, hash/length, delivery state | 6 years from job close/cancel | Delete at expiry unless legal hold applies |
| Payment and payout ledger | Payment refs, transfer/payout refs, fees, refund/dispute status | 6 years from end of financial year | Retain minimal accounting evidence only |
| Raw webhook payloads | Full payment event payload JSON | 18 months | Purge raw payload; keep normalised accounting fields |
| Dispute evidence pack | Timeline, acceptance proof, key message snapshots, tx refs | Dispute close + 18 months | Delete unless legal claim/regulatory hold exists |
| Support tickets | Ticket body, contact metadata, status notes | 24 months from close | Delete body; keep anonymised service metrics |
| Security/audit logs | Auth events, admin actions, API access logs | 12 months (18 months if incident open) | Rotate and delete automatically |
| Backups | Encrypted DB/object snapshots | 35-day rolling window | No selective edit; deletions complete when snapshot expires |
| Deletion audit log | Dataset, record id, deleted_at, reason, actor/service | 6 years | Keep minimal compliance trail only |
Legal hold override
Deletion is paused immediately for related records when there is a chargeback, fraud investigation, complaint escalation, legal notice, or regulator request.
Hold release rule: after matter closure, retain legal evidence for claim-close + 6 years.
Liability position (operational model)
- Flux Service role: platform marketplace/introduction and workflow coordination.
- Plumber role: independent service provider responsible for on-site workmanship and execution quality.
- Payment role: platform may orchestrate deposit and payout flows via payment processor integrations.
- Non-excludable obligations remain with platform where required by law.
Physical copies only?
Paper-only retention is not a liability escape route. Structured paper records remain in scope for data protection duties and are usually harder to secure, search, and govern.