LEGAL

DATA RETENTION & DELETION POLICY

Last updated: 21 June 2026  ·  rocketFLOW Studios Ltd  ·  England & Wales

Company: rocketFLOW Studios Ltd

Company number: 17221052

Registered office: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ

ICO registration: ZC159820

Data protection contact: information@rocketflowstudios.com

Version: 1.1  |  Effective: 21 June 2026  |  Next review: June 2027

1. Purpose

This policy defines how long rocketFLOW Studios Ltd keeps personal and business records, why they are retained, who is responsible for review, and how they are deleted or anonymised when no longer required.

2. Principles

  • Personal data will not be kept for longer than necessary for the purpose for which it was collected.
  • Retention periods will be proportionate to operational, legal, accounting and security needs.
  • Data subject requests may require earlier deletion, unless a lawful reason requires continued retention.
  • Deletion must cover active systems and, where reasonably practicable, backups and duplicated records.
  • Records subject to a legal dispute, investigation, fraud concern or regulatory requirement may be placed on legal hold.

3. Systems Currently In Scope

  • Notion — primary talent and operational database — Naga full access; Raja limited operational access
  • Cloudinary — CV and resume file storage — authorised company access
  • Zoho email — company communications and form notifications — authorised account holders
  • CSV backups — internal continuity copies currently held on Naga's password-protected computer — Naga only
  • Railway — application hosting and system logs — Naga administrative access
  • Google Drive — planned interim company-controlled backup location — restricted access when implemented

4. Retention Schedule

Record category Retention period Purpose Main locations
Talent applications and applicant profiles 2 years from application date, or until a valid deletion request, whichever comes first Recruitment and talent coordination; consent or legitimate interests as applicable. A 2-year period reflects the typical production cycle for VFX projects, during which a previously unsuccessful applicant may become suitable as requirements evolve. Notion, email and related CSV records
CVs and resumes 2 years from application date, or earlier following valid deletion request Talent review and future project matching Cloudinary and any authorised copies
Rejected applicant records 2 years from application date unless earlier deletion is appropriate Audit trail, duplicate prevention and handling future enquiries Notion, email, CSV
Shortlisted applicant records 2 years from application date unless the person becomes an active contractor Progressive verification and project matching Notion, email, CV storage
Artist NDA and contractor agreements 6 years after the agreement ends Contract administration and legal claims Company-controlled contract storage
Client enquiries 24 months after last meaningful contact Responding to enquiries and business development Zoho email and CRM
Business-development CRM leads 24 months after last meaningful contact, then review or delete B2B relationship management CRM/Notion
Client contracts, statements of work and invoices 6 years after contract completion or as required by tax/accounting obligations Contract, tax and accounting records Company-controlled storage
Project and shot records 6 years after project completion, subject to client contract and confidentiality requirements Delivery evidence, dispute handling and operational history CineCoord/Notion or successor database
Voice recordings and call transcripts (CineCoord) 90 days after the operational purpose ends, unless needed for an active issue or contract CineCoord production coordination, artist callback verification and issue resolution. This applies specifically to voice callbacks and transcripts generated by the CineCoord coordination platform via Twilio Voice and Whisper transcription. Twilio/CineCoord operational database
Security and access logs 12 months, unless required for an incident investigation Security monitoring and incident response Railway and relevant service logs
Data breach records 6 years after closure Accountability and regulatory evidence Restricted compliance records
Data subject request records 6 years after closure Evidence of compliance and decisions Restricted compliance records
Website contact-form messages 24 months after last meaningful contact Responding to project or business enquiries Zoho email
Backups Aligned to the underlying record and overwritten/deleted through the backup cycle Continuity and recovery CSV / Google Drive / future company infrastructure

5. Retention Review Process

  • Naga will review the talent database at least quarterly and the wider retention schedule at least annually.
  • Records reaching the end of their retention period will be deleted, anonymised or retained under a documented exception.
  • Where deletion is requested, the company will search the relevant systems, verify identity where necessary and record the outcome.
  • Where data is retained despite a request, the reason and lawful basis will be documented and explained to the individual.

6. Deletion Methods

  • Notion — delete the relevant page/record and confirm removal from active databases and trash where available
  • Cloudinary — delete the CV/document asset and invalidate public or signed links where relevant
  • Zoho email — delete relevant messages and attachments from active mailboxes and trash, subject to legal hold
  • CSV files — remove the relevant record or securely delete the file; regenerate the backup without the deleted record where required
  • Railway / application database — delete or anonymise the record through the application or administrative process
  • Google Drive — delete the record, empty trash and confirm permissions/recovery settings as appropriate

7. Backups and Current Improvement Plan

CSV backups are currently held on Naga's password-protected personal computer. Full-disk encryption has not been confirmed. The company intends to move backups to restricted Google Drive storage as an interim measure and, after stable recurring revenue, may introduce company-controlled encrypted infrastructure.

Where immediate deletion from an immutable or cycling backup is not technically possible, the record will be prevented from being restored into active use and will expire through the normal backup cycle.

8. Exceptions and Legal Hold

Deletion may be suspended where records are reasonably required for legal claims, fraud prevention, regulatory cooperation, tax/accounting duties, contract enforcement or an active complaint. The reason, scope, owner and review date of the hold must be documented.

9. Responsibilities

  • Naga — Director / Data Lead — approves retention decisions, annual review, deletion exceptions and legal holds
  • Raja — Operations Partner — applies operational retention instructions within his limited access and escalates issues
  • All authorised users — avoid local duplication and report records that have reached end of life

10. Review and Approval

Owner: Naga, Founder & UK Director. Effective date: 21 June 2026. Next review: June 2027 or earlier if data systems, contracts or legal requirements change.

11. Reference Guidance

  • UK GDPR Article 5(1)(e) — storage limitation
  • Data Protection Act 2018
  • ICO: Principle (e) — Storage limitation
  • ICO records-management and retention guidance