Legal

Data Retention Policy

Last updated: 13 June 2026

1. Purpose

This policy sets out how long Frederic James retains personal data and transaction records. It supports our obligations under the UK GDPR, EU GDPR, the UK Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 ("MLRs"), and the commercial requirements of a private brokerage handling high-value vehicle transactions.

2. Principles

We retain personal data only for as long as is necessary for the purpose for which it was collected, or to satisfy a legal, regulatory, accounting or reporting obligation. Where data is no longer required, it is deleted or irreversibly anonymised. Retention periods are reviewed at least annually.

3. Retention schedule

CategoryRetention periodLawful basis / rationale
User accounts (inactive, no transaction)24 months from last sign-inLegitimate interest in maintaining a usable platform; account dormant
User accounts (with completed transaction)7 years from final transactionMLR record-keeping; tax and accounting obligations
Bidder approvals — approved5 years from auction closeMLR record-keeping; auction audit trail
Bidder approvals — rejected / withdrawn12 months from decisionAudit of approval decisions; legitimate interest
Bidder identification documents (KYC)5 years from end of business relationshipMLR 2017 Regulation 40
Invitations — accepted12 months from acceptanceAudit of access provisioning
Invitations — expired / unaccepted90 days from issueOperational; data minimisation
Deal Room documents (contracts, inspections, transfer)7 years from completionStatutory limitation (6 years) plus one year buffer; tax and accounting
Deal Room messages and activity log7 years from completion of transactionEvidence of dealings; contractual records
Transaction records (financial)7 years from completionHMRC record-keeping; UK Companies Act
Security and authentication logs24 monthsSecurity monitoring; incident investigation
Enquiries that do not progress24 months from last contactLegitimate interest in following up qualified prospects
Marketing consent recordsDuration of consent + 24 monthsDemonstration of consent under UK GDPR Article 7
Cookies and analyticsSee Cookie Policy (max 24 months)PECR; user consent

4. AML-bound documentation

Documents required to evidence customer due diligence, source of funds and source of wealth are retained for a minimum of five years from the end of the business relationship in line with Regulation 40 of the MLRs. Where litigation, regulatory enquiry or law-enforcement request is anticipated, retention is extended until the matter is fully concluded.

5. Deletion and anonymisation

At the end of the applicable retention period, personal data is deleted from production systems and from routine backups within the standard backup rotation cycle. Where complete deletion is not technically feasible (for example, immutable audit logs), data is anonymised so that it can no longer be associated with an identifiable individual.

6. Review

This policy is reviewed at least annually and whenever there is a material change to our services, processors or applicable law. Questions about retention may be sent to privacy@frederic-james.com.

7. Related policies

Privacy Policy · Cookie Policy · Data Subject Access Requests