Data Retention Policy
Last updated: 13 June 2026
1. Purpose
This policy sets out how long Frederic James retains personal data and transaction records. It supports our obligations under the UK GDPR, EU GDPR, the UK Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 ("MLRs"), and the commercial requirements of a private brokerage handling high-value vehicle transactions.
2. Principles
We retain personal data only for as long as is necessary for the purpose for which it was collected, or to satisfy a legal, regulatory, accounting or reporting obligation. Where data is no longer required, it is deleted or irreversibly anonymised. Retention periods are reviewed at least annually.
3. Retention schedule
| Category | Retention period | Lawful basis / rationale |
|---|---|---|
| User accounts (inactive, no transaction) | 24 months from last sign-in | Legitimate interest in maintaining a usable platform; account dormant |
| User accounts (with completed transaction) | 7 years from final transaction | MLR record-keeping; tax and accounting obligations |
| Bidder approvals — approved | 5 years from auction close | MLR record-keeping; auction audit trail |
| Bidder approvals — rejected / withdrawn | 12 months from decision | Audit of approval decisions; legitimate interest |
| Bidder identification documents (KYC) | 5 years from end of business relationship | MLR 2017 Regulation 40 |
| Invitations — accepted | 12 months from acceptance | Audit of access provisioning |
| Invitations — expired / unaccepted | 90 days from issue | Operational; data minimisation |
| Deal Room documents (contracts, inspections, transfer) | 7 years from completion | Statutory limitation (6 years) plus one year buffer; tax and accounting |
| Deal Room messages and activity log | 7 years from completion of transaction | Evidence of dealings; contractual records |
| Transaction records (financial) | 7 years from completion | HMRC record-keeping; UK Companies Act |
| Security and authentication logs | 24 months | Security monitoring; incident investigation |
| Enquiries that do not progress | 24 months from last contact | Legitimate interest in following up qualified prospects |
| Marketing consent records | Duration of consent + 24 months | Demonstration of consent under UK GDPR Article 7 |
| Cookies and analytics | See Cookie Policy (max 24 months) | PECR; user consent |
4. AML-bound documentation
Documents required to evidence customer due diligence, source of funds and source of wealth are retained for a minimum of five years from the end of the business relationship in line with Regulation 40 of the MLRs. Where litigation, regulatory enquiry or law-enforcement request is anticipated, retention is extended until the matter is fully concluded.
5. Deletion and anonymisation
At the end of the applicable retention period, personal data is deleted from production systems and from routine backups within the standard backup rotation cycle. Where complete deletion is not technically feasible (for example, immutable audit logs), data is anonymised so that it can no longer be associated with an identifiable individual.
6. Review
This policy is reviewed at least annually and whenever there is a material change to our services, processors or applicable law. Questions about retention may be sent to privacy@frederic-james.com.
7. Related policies
Privacy Policy · Cookie Policy · Data Subject Access Requests
