Log in Request staff
Data Protection

Data Retention Policy

How long MAP Health Care keeps personal data, the principles governing retention, and our procedures for secure deletion and anonymisation.

MAP Health Care LTD Company No. 09723243 Version 1.0 Effective 28 June 2026

1Introduction

MAP Health Care LTD ("we", "our", "us") is committed to ensuring that personal data is retained only for as long as necessary to fulfil the purposes for which it was collected, in accordance with applicable data protection laws.

This Data Retention Policy explains how long we keep personal data, the principles governing retention, and the procedures for secure deletion or anonymisation.

This Policy applies to all personal data processed by MAP Health Care LTD, including data collected through:

  • the recruitment platform
  • the workforce management system
  • mobile applications (iOS and Android)
  • website interactions
  • communications with users
  • third-party integrations

This Policy should be read alongside:

  • Privacy Policy
  • GDPR & Your Rights
  • Cookie Policy
  • Acceptable Use Policy

2Legal Framework

MAP Health Care LTD processes and retains personal data in accordance with:

  • UK General Data Protection Regulation (UK GDPR)
  • Data Protection Act 2018
  • Privacy and Electronic Communications Regulations (PECR)
  • Employment law and healthcare regulations
  • Safeguarding requirements
  • Tax and financial legislation

We apply the principle of data minimisation and storage limitation, ensuring that data is not kept longer than necessary.

3Retention Principles

Our retention practices are based on the following principles:

3.1Purpose Limitation

Personal data is retained only for specified, explicit and legitimate purposes, including:

  • recruitment and placement
  • compliance verification
  • employment administration
  • safeguarding obligations
  • legal and regulatory compliance
  • Platform security and fraud prevention

3.2Storage Limitation

We do not retain personal data indefinitely. Data is retained only for as long as it is necessary to:

  • fulfil contractual obligations
  • comply with legal requirements
  • resolve disputes or claims
  • maintain operational integrity

3.3Data Minimisation

We retain only the minimum amount of personal data required for operational and legal purposes.

3.4Secure Disposal

When data is no longer required, it is securely:

  • deleted
  • anonymised
  • or archived in a restricted-access environment

4Categories of Data We Retain

MAP Health Care LTD processes and retains several categories of data, including:

  • Identity data (name, DOB, ID documents)
  • Contact information (email, phone, address)
  • Employment history and CV data
  • Compliance documentation (DBS, Right to Work, certifications)
  • Payroll and financial data
  • Communication records
  • Platform usage and activity logs
  • Security and audit logs
  • Device and technical data

5General Retention Rules

Retention periods vary depending on the nature of the data and the legal or operational requirement.

As a general framework:

  • Active user data is retained for the duration of account activity
  • Recruitment-related data is retained during active engagement plus a defined post-activity period
  • Compliance and safeguarding data may be retained for extended periods due to legal obligations
  • Financial records are retained in accordance with tax legislation
  • Security logs are retained for operational monitoring and fraud prevention

Specific retention periods are defined in Section 6.

6Core Retention Periods (Overview)

The following retention standards apply unless otherwise required by law:

6.1Account Data

Retained for the duration of the user’s active account and up to a defined period after account closure for audit and compliance purposes.

6.2Recruitment Data

Includes CVs, applications, interview records and placement history.

Retained for the duration of active engagement and a limited post-engagement period to support:

  • re-employment opportunities
  • dispute resolution
  • audit requirements

6.3Compliance Documentation

Includes:

  • DBS certificates
  • Right to Work documents
  • professional registrations
  • training certificates

Retained for as long as required to meet legal, safeguarding and regulatory obligations.

6.4Communication Records

Includes messages between users and platform administrators.

Retained for operational, safeguarding, dispute resolution and compliance purposes for a defined period.

6.5Technical and Security Logs

Includes system logs, authentication data and security monitoring records.

Retained for a limited period necessary for:

  • security monitoring
  • fraud prevention
  • incident investigation
  • system optimisation

6.6Financial and Payroll Data

Retained in accordance with UK tax and employment legislation requirements.

7Detailed Retention Schedule

The following table defines the standard retention periods applied by MAP Health Care LTD for key categories of personal data. Retention periods may vary where required by law, safeguarding obligations, or contractual necessity.

Data CategoryExamplesRetention PeriodBasis
Account DataUser profile, login credentials, contact detailsDuration of active account + up to 6 years after closureContract / Legitimate interests
Recruitment DataCVs, applications, interview records, placement historyUp to 3 years after last activityLegitimate interests
Compliance DocumentsDBS, Right to Work, ID, training certificates3–7 years depending on regulatory requirementLegal obligation / Safeguarding
Payroll & Finance DataTimesheets, invoices, payments6 years minimumUK tax law
Communication RecordsMessages, support ticketsUp to 3 yearsLegitimate interests
Security LogsAccess logs, authentication records12–24 monthsSecurity / Fraud prevention
Device & Technical DataIP logs, device identifiers12–18 monthsSecurity / Analytics
Marketing DataEmail consent, campaign interactionsUntil consent withdrawn + 2 yearsConsent

MAP Health Care LTD may extend retention where required for ongoing legal proceedings, audits or regulatory investigations.

8Data Deletion Procedures

When personal data is no longer required, MAP Health Care LTD applies secure deletion procedures designed to ensure that data cannot be recovered or reconstructed.

Deletion methods include:

  • permanent removal from production databases
  • secure overwriting of storage records
  • deletion of backups after defined retention cycles
  • revocation of authentication tokens
  • removal from third-party systems where applicable

Deletion requests from data subjects will be processed in accordance with UK GDPR, subject to legal retention obligations.

Where immediate deletion is not possible, data will be securely isolated and restricted until deletion is permitted.

9Data Anonymisation

In some cases, instead of deletion, personal data may be anonymised for analytical or operational purposes.

Anonymisation ensures that:

  • individuals cannot be identified
  • data cannot be reversed or re-identified
  • information may still be used for statistical analysis

Anonymised data is no longer considered personal data under UK GDPR.

10Archiving of Data

Certain data may be transferred to secure archival storage when it is no longer actively required but must be retained for legal or operational reasons.

Archived data is:

  • stored in restricted-access environments
  • encrypted and protected
  • accessible only to authorised personnel
  • retained only for the legally required duration

Archiving does not extend retention beyond legal requirements.

11Legal Holds and Exceptions

In certain circumstances, MAP Health Care LTD may suspend normal retention and deletion procedures.

This may occur where:

  • litigation is pending or anticipated
  • regulatory investigation is ongoing
  • safeguarding concerns are being reviewed
  • fraud or criminal activity is suspected
  • legal requests from authorities are received

In such cases, data will be retained until the matter is resolved and lawful deletion is permitted.

12Third-Party Data Retention

MAP Health Care LTD uses trusted third-party providers who may store or process data on our behalf, including:

  • Supabase (database and document storage)
  • Google Firebase (messaging and analytics)
  • Apple services (iOS infrastructure)
  • Google services (Android infrastructure)

These providers retain data only in accordance with contractual agreements and applicable data protection laws.

We ensure that third-party retention practices align with our internal retention standards and UK GDPR requirements.

13Data Subject Deletion Requests

Individuals may request deletion of their personal data at any time.

Upon receiving such a request, MAP Health Care LTD will:

  • verify the identity of the requester
  • assess whether data can be deleted under UK GDPR
  • determine if legal or regulatory retention obligations apply
  • delete or anonymise data where legally permitted
  • confirm outcome of the request

Where deletion is not possible, we will provide a clear explanation of the legal basis for retention.

14Security of Stored Data

All retained data is protected using appropriate technical and organisational measures, including:

  • encryption at rest and in transit
  • role-based access controls
  • multi-factor authentication
  • audit logging and monitoring
  • secure cloud infrastructure
  • regular security reviews and penetration testing
  • strict internal access policies

Only authorised personnel with a legitimate business need may access retained data.

15Policy Enforcement

Compliance with this Data Retention Policy is mandatory for all MAP Health Care LTD systems and personnel.

Failure to comply may result in:

  • disciplinary action
  • system access restrictions
  • termination of contracts or employment
  • legal or regulatory reporting where appropriate

Regular audits may be conducted to ensure compliance with retention requirements.

16Changes to This Policy

MAP Health Care LTD reserves the right to update or modify this Policy at any time in response to:

  • legal or regulatory changes
  • operational requirements
  • technological developments
  • changes in data processing activities

The latest version will always be available on our Platform.

The “Last Updated” date indicates the most recent revision.

17Contact Information

For questions regarding this Data Retention Policy or to exercise your data protection rights, please contact:

MAP HEALTH CARE LTD

Company Number: 09723243

Registered Office:

Unit 36, Kingswood House, South Road, Kingswood, Bristol, BS15 8JF, United Kingdom

Email: info@maphealthcare.co.uk

Data Protection Contact: Marius Popescu

18Final Statement

MAP Health Care LTD is committed to responsible data stewardship and ensures that all personal data is retained only for as long as necessary, in accordance with UK GDPR principles and healthcare sector obligations.

We continuously review our retention practices to maintain compliance, improve data security and protect the rights of individuals whose data we process.

By using the MAP Health Care Platform, you acknowledge and understand the practices described in this Data Retention Policy.