What this is
A plain-English table of how long we keep different kinds of information about you, why we keep it for that long, and what your options are.
The retention table
| What | How long | Why |
|---|---|---|
| Drawn loan records (application, signed agreement, payments, statements) | 7 years from final settlement | FCA / HMRC regulatory minimum (6 years) + 1-year safety margin for complaints |
| Declined applications | 12 months from decline | Audit + fairness review window; sufficient for re-application analysis |
| Director identity documents (passport / licence images) | 5 years from end of customer relationship | Money Laundering Regulations 2017 |
| Open Banking transaction read | 30 days from the read, then aggregates only | Minimisation; we retain only the signals derived for scoring |
| Behavioural telemetry (opted-in) | 30-day rolling window for aggregates; 12 hours for anonymous traces | UK GDPR minimisation; consent-revocation deletes the lot |
| Audit log (every login, message, sign, payment, staff impersonation) | 7 years from event | Regulatory + governance evidence |
| Marketing data (email + preferences) | Until you withdraw consent, or 24 months of inactivity, whichever is sooner | PECR + GDPR Article 21 |
| Support / complaint tickets | 6 years from resolution | Limitation Act period for related contractual disputes |
| AI scan results — ID authenticity signal, confidence score, and extracted document fields (name, date of birth, document number, expiry) | 5 years from end of customer relationship | Tied to director identity document retention (Money Laundering Regulations 2017); fields used for AML audit trail |
| AI bank statement parse results — extracted income signals, affordability summary, and anomaly flags | 7 years from final settlement (or 12 months from decline for declined applications) | Affordability audit trail; aligns with loan record retention minimum |
| Anonymised analytics (success rate, p95 latency, etc.) | Indefinite | Aggregate only; no individual identification possible |
Your right to ask for deletion
UK GDPR Article 17 gives you a right to erasure ("the right to be forgotten") in defined circumstances. Where the law allows, we will delete the data we hold about you. Where the law requires retention (e.g. a drawn loan record), we will tell you so and explain the legal basis.
To ask for deletion, write to [email protected] or follow the steps in the subject access request guide.
ICO Registration No. ZC157682
Need help with your account? Visit our Help Centre or sign in at clients.credicorp.co.uk.