Effective from: 1st January 2026

This Data Retention and Deletion Policy explains how AIMAI Ltd retains, reviews, deletes, and securely disposes of personal data and related information processed through its website, PRISM platform, AI assistants, threads, knowledge features, approvals, audit records, integrations, and related support services.

1. Who we are

AIMAI Ltd, Office 18, The Globe Innovation Centre, Slaithwaite, HD7 5JN, is responsible for managing retention and deletion practices in line with applicable data protection law. Depending on the service and context, AIMAI Ltd may act as a data controller or a data processor.

2. Scope

This policy applies to personal data and related records processed by AIMAI Ltd, including:

• account and access data
• identity and contact details
• communications and support records
• workspace content, prompts, outputs, uploads, and client knowledge records
• technical logs, usage data, audit records, and security monitoring data
• transactional and billing records where applicable

3. Retention principles

AIMAI Ltd retains data only for as long as necessary to:

• provide and support services
• maintain security, access control, and auditability
• comply with legal, regulatory, contractual, and accounting obligations
• resolve disputes, enforce agreements, and investigate incidents

Data is not kept indefinitely by default. Retention is based on business need, contractual requirements, legal obligations, and risk.

4. Standard retention periods

• Account and profile data: retained for the duration of the account and normally deleted or anonymised within 24 months of account closure, unless retention is required for security, legal, or contractual reasons.
• Client workspace data, uploads, prompts, outputs, and knowledge records: retained for the duration of the client relationship and normally deleted within 12 months of contract end, unless a different period is agreed in writing or required by law.
• Threads, approvals, and audit records: retained for the duration of service use and normally for up to 24 months after contract end where needed for governance, traceability, dispute resolution, or security review.
• Support and service communications: normally retained for up to 24 months after closure of the relevant matter.
• Technical logs and security monitoring data: retained only for as long as reasonably necessary to maintain system security, investigate incidents, and evidence platform activity.
• Marketing data: retained until consent is withdrawn, the individual unsubscribes, or AIMAI Ltd determines the data is no longer relevant.
• Financial and transaction records: retained for the period required by applicable tax, accounting, and legal obligations.

5. Deletion and disposal

When retention is no longer justified, AIMAI Ltd will securely delete, anonymise, or permanently dispose of the relevant data. Deletion may include removal from active systems, workspaces, support tools, and internal operational records, subject to backup cycles and legal obligations.

Where complete immediate deletion is not technically possible, AIMAI Ltd will isolate the data from active use and delete it as part of the next appropriate system cycle.

6. Backups and residual copies

Data may remain in encrypted backups for a limited period after deletion from live systems. Backup data is retained only for resilience, disaster recovery, and security purposes and is not restored into active use except where operationally necessary.

7. Client instructions and processor role

Where AIMAI Ltd processes personal data on behalf of a client, retention and deletion may be governed by the client contract, written instructions, or applicable data processing terms. In those cases, AIMAI Ltd will act in line with the client’s lawful instructions, except where retention is required by law or to establish, exercise, or defend legal claims.

8. Legal holds and exceptions

AIMAI Ltd may retain data for longer than the standard periods where necessary to:

• comply with legal or regulatory obligations
• respond to complaints, claims, or disputes
• investigate misuse, fraud, or security incidents
• protect the rights, property, and safety of AIMAI Ltd, its clients, users, or third parties

9. Third-party providers and sub-processors

AIMAI Ltd uses infrastructure and service providers to deliver its services, including AWS for hosting and storage, OpenAI and Anthropic for general LLM processing, Google for image generation, Deepgram for transcription and speech processing, GitHub for source code hosting and deployment, Fasthosts for DNS management, and Let’s Encrypt for SSL certificate issuance. Stripe may be used for payment processing where introduced. Client-specific connectors, such as Sage 50, CRM systems, or accounting platforms, are disclosed as applicable per engagement.

Where data is deleted from AIMAI Ltd systems, corresponding deletion through relevant providers will be managed in accordance with contractual controls, technical architecture, and applicable provider processes.

10. International transfers

Where personal data is transferred outside the UK, AIMAI Ltd uses appropriate safeguards, including the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses, where applicable.

11. Individual rights

Individuals may request access, correction, deletion, restriction, objection, or portability where those rights apply. AIMAI Ltd will assess each request in line with applicable law and its role as controller or processor. Where AIMAI Ltd acts as a processor, requests may be referred to the relevant client organisation.

12. Policy review

This policy is a living document and may be updated from time to time to reflect changes in law, technology, services, suppliers, or business operations.

13. Contact

For questions about this policy or to make a data protection request, contact AIMAI Ltd at info@aimai.co.uk or 01484 767892, or write to AIMAI Ltd, Office 18, The Globe Innovation Centre, Slaithwaite, HD7 5JN.