Data Retention and Deletion

Version: 8 June 2026. Final retention periods require approval following the business data inventory and professional legal review.

Current principles

Records must be kept only for a documented purpose and no longer than necessary. Account deactivation restricts access but does not automatically erase records. Permanent deletion is reviewed separately and may be delayed where records are needed for accounting, disputes, fraud prevention, safeguarding, or legal obligations.

Record categories

Enquiries and unsuccessful applications should be reviewed for deletion after their operational purpose ends. Active student and customer records are retained while services are delivered. Financial and contractual records may require longer statutory retention. Security and audit records are retained only for proportionate investigation and accountability needs.

Deletion process

Requests are logged, identity is verified, systems and service providers are searched, legal holds are checked, and the outcome is recorded. Approved deletion should include primary databases, uploaded files, and operational copies where technically and legally possible. Backups expire through their normal protected rotation.

We use essential security and session cookies, plus limited first-party visit analytics. Read the cookie notice.