SpendGuard™ Data Retention Policy
Operated by: Constant Control Limited
Effective Date: 26 March 2026
Reviewed: 26 March 2026 | Next Review Due: April 2027
Contact: privacy@constantcontrol.co.nz
This Data Retention Policy describes how Constant Control Limited ("we", "us", "our") retains, archives, and deletes data within the SpendGuard™ platform. It supplements our Privacy Policy and applies to all organisations and users of the platform.
1. Principles
- Data is retained only as long as it serves a legitimate business, legal, or regulatory purpose.
- Personal data is minimised and anonymised where practical.
- Retention periods are aligned with New Zealand regulatory requirements, including the Privacy Act 2020, the Public Records Act 2005, and the Public Finance Act 1989.
- All retention periods are enforced consistently, regardless of how data was created (UI, API, or integration).
2. Retention Schedule
| Data Category | Retention Period | Basis |
|---|---|---|
| Active account data (profiles, organisations, CSOs, projects, programmes, vendors, transactions) | Duration of subscription | Contractual obligation |
| Audit trail logs (all user actions, data changes, login events, API calls) | 7 years from date of creation | Public Records Act 2005; Public Finance Act 1989; ISO 27001 control A.8.15 |
| Authentication logs (login attempts, MFA events, session data) | 2 years from date of creation | Security monitoring; NZISM v3.8 Section 17.1 |
| API usage logs (endpoint calls, rate limit events, IP addresses) | 1 year from date of creation | Security monitoring; operational analytics |
| Support tickets and correspondence | 3 years from ticket closure | Customer service; dispute resolution |
| Email notification logs (delivery records, not content) | 1 year from date of send | Operational monitoring |
| Uploaded files (CSO documents, attachments) | Duration of subscription, then 30 days after account closure | Contractual obligation |
| Backup copies | 7 days (standard) / 30 days (enterprise) after source data deletion | Disaster recovery |
| Archived users (deactivated accounts within an active organisation) | Duration of the organisation's subscription | Audit trail integrity; ability to attribute historical actions |
3. Account Closure and Data Deletion
When an organisation's subscription is terminated:
- Within 30 days: All customer data (CSOs, projects, programmes, vendors, transactions, uploaded files) is permanently deleted from production systems.
- Backup purge: Backup copies are purged within the applicable backup retention window (7 days standard; 30 days enterprise) following production deletion.
- Audit logs: Retained for the remainder of the 7-year retention period, then permanently deleted. Audit logs are anonymised at the point of account closure — user names and email addresses are replaced with anonymised identifiers.
- Deletion certificate: Available on request following account closure, confirming the date and scope of data deletion.
4. Audit Log Retention — Detail
Audit logs are retained for 7 years to meet the requirements of New Zealand government agencies subject to the Public Records Act 2005 and the Public Finance Act 1989. This period covers:
- All create, update, and delete actions on contracts, budgets, and spend records
- User authentication events (login, logout, MFA)
- Role and permission changes
- Integration and API key events
- AI consent and configuration changes
- Data export and access events
Audit logs are immutable once written. They cannot be modified or deleted by any user, including administrators. After the 7-year retention period, logs are permanently deleted by automated batch processes.
5. Data Subject Requests
Under the Privacy Act 2020, individuals may request access to or correction of their personal data. Where a data subject requests deletion of their personal data:
- Profile data, preferences, and settings are deleted promptly.
- Audit log entries attributed to the user are anonymised (name and email replaced with an anonymised identifier) rather than deleted, to maintain the integrity of the audit trail.
- This approach is consistent with Information Privacy Principle 9 (IPP 9) and the legitimate interest in maintaining accurate financial records.
6. Data Minimisation
- AI requests are anonymised before transmission — no personally identifiable information is included.
- API usage logs record endpoint and IP address but do not store request or response bodies.
- Email notification logs record delivery status but do not store message content.
- Backup encryption ensures data at rest is protected throughout the retention period.
7. Review
This policy is reviewed annually. The next review is due April 2027. Material changes will be communicated to customers with at least 30 days' notice.
8. Contact
Privacy Officer: privacy@constantcontrol.co.nz
Constant Control Limited — Licensed for business in New Zealand. Servicing a global market for our clients.