Last updated: 14.07.2025
OVERWIEW
This Intellias Data Retention Policy (“Retention Policy”) supplements Intellias Privacy Policy, Recruitment Privacy Notice, Employee and Contractor Privacy Notice, Cookie Policy, as well as other documents relating to Intellias privacy practices.
The Retention Policy outlines our approach to retaining and deleting personal data and information collected during our business operations, including through our websites, recruitment processes, client engagements, and internal corporate activities. It ensures compliance with applicable data protection laws and regulations, including the EU GDPR, UK GDPR, California and Ukrainian privacy laws, India’s Digital Personal Data Protection Act 2023, and others.
GENERAL RETENTION PRINCIPLES
Intellias retains personal data only for as long as necessary to:
- Fulfil the purposes for which the data was collected.
- Meet legal, regulatory, tax, accounting, or reporting requirements.
- Establish, exercise, or defend legal claims.
- Ensure operational integrity, including for auditing and information security.
The length of the retention period will, therefore, depend on the purpose of the processing in question.
This obligation is directly related to the principle of storage limitation, and shall be implemented by default, i.e., the controller should have systematic procedures for data deletion or anonymisation embedded in the processing
When the relevant retention period expires, data will be securely deleted, anonymised, returned, or archived in compliance with legal standards and internal protocols.
SPECIFIC RETENTION PERIODS
When establishing or reviewing retention periods, the following shall be considered:
- The objectives and requirements of Intellias.
- Type of personal data in question.
- The purposes for which the data in question is collected, held, and processed.
- The category or categories of data subjects to whom the data relates.
- The legal basis for collecting and processing that data.
If a specific retention period cannot be determined for a particular category of data, clear criteria shall be established to govern the duration of its retention. These criteria shall enable regular review of both the data and its continued retention, ensuring ongoing compliance with applicable data protection principles.
The information below specifies how long we can retain your data and explains the related details:
| Purpose | Type of Data | Typical Retention Period | Legal Basis |
|---|---|---|---|
| Recruitment | This involves any data relating to the hiring process within the Intellias group, particularly background check data, identity data, such as full name, contact details, any CV-related information, including information about professional development and qualification.
|
The recruitment data is kept for up to 2 years, and up to 4 years for candidates based in Ukraine, from the date of last interaction, unless otherwise required by applicable law or explicitly consented to. For example, certain jurisdictions may require data controllers to retain your data for a shorter period (such as 6 months or similar) unless you provide explicit consent for a longer retention period. Conversely, if applicable laws mandate a longer retention period, we will ensure compliance with those requirements. | Legitimate interest or consent |
| Employment | This covers any information necessary for implementation of employment and similar relationship within the Intellias group and involves identity data, including full name, gender, personal photo, date of birth, and passport-related data, personal tax number, financial information, information about citizenship or residence permits, contact details, health information, including sick leave data, and other employment-related data. | This data is retained for the duration of your employment plus the statutory retention period following the end of your employment. Typically, this is 4-10 years, depending on the applicable jurisdiction and the data concerned. | Legal obligation or performance of contract |
| Administration and security (CCTV)
|
This involves any data captured via CCTV and video surveillance within the Intellias premises.
|
CCTV and video surveillance data is typically retained for a period up to 30 days. However, this standard retention period may vary depending on the jurisdictional legal requirements or specific operational needs, such as ongoing investigations. In some jurisdictions, shorter retention periods may be mandated. Where such local obligations exist, we ensure compliance with the applicable laws and adjust our retention practices accordingly. Therefore, the actual retention duration may deviate from the standard 30-day period in line with legal or regulatory requirements. | Legitimate interest or legal obligation |
| Administration and security (access and visitors) | This covers any information used for staff administration and guest management during their visits to Intellias offices or use of any Intellias office equipment, facilities, parking areas, and work infrastructure. This may include access cards, badges, vehicle registration number, IP address, login information, and other relevant data. | Generally, our personnel’s data is retained for the duration of their employment within the Intellias group or for the term of another contractual relationship with it. The data of guests and other visitors is stored for the duration of their stay within the Intellias premises, plus an additional 30 days, unless a longer retention period is required by local law, information security requirements, or based on your explicit consent. Additionally, in cases where a paper-based (hard copy) visitor log is used, the data may be retained until the log is fully filled and replaced with a new one. | Legitimate interest or legal obligation |
| Information security | Typically includes logs and records related to user authentication, login sessions, access attempts, password changes, security alerts, IP addresses, device identifiers, and forensic data used to protect digital infrastructure. | Security-related data is typically retained for a period of 1 to 2 years, depending on its purpose, sensitivity, and operational relevance. In certain cases, such data may be retained for a longer duration to comply with contractual obligations, applicable legal requirements, or industry-specific regulations. Logs and records necessary for incident investigation, maintaining audit trails, or demonstrating compliance with security frameworks (such as ISO/IEC 27001 or others) may be stored for up to 7 years. Where required by law—particularly in regulated sectors such as finance or critical infrastructure—longer retention periods may apply. Upon expiry of the applicable retention term, all security-related data is either securely deleted or anonymised in accordance with internal data disposal procedures. | Legal obligation or legitimate interest |
| Marketing | This includes information used for outreach, engagement, analysis of campaigns, and other marketing activities, such as name, email, other contact details, interaction history, preferences, device identifiers, and other data collected through web forms or social media platforms. | This data is retained for as long as it is necessary for marketing purposes or until you opt out (if processing is based on legitimate interest) or withdraw your consent (if processing is based on consent). You have the right to object at any time to the use of your data for direct marketing, in which case we will cease such processing without undue delay. Typically, we do not retain or use your data for marketing purposes for longer than 5 years without renewed interaction or valid consent, unless required to retain certain information (e.g., suppression lists) to comply with your opt-out request. | Legitimate interest or consent |
| Support of Website and Other Online Platforms | Includes user account data, login credentials, support interactions, usage logs, performance data, and error or crash reports generated using company-operated web portals, platforms, hosted services, and other related information. | Typically retained for 1-2 years, depending on relevance and legal requirements. Diagnostic and performance data may be retained longer to support platform stability, contractual obligations, or audit needs. | Legitimate interest or legal obligation |
| Cookies and Analytics | Includes session and persistent cookies, device identifiers, user preferences, browsing history, interaction data, and consent settings. Covers both first-party and third-party cookies used for website functionality, analytics, performance, and personalisation. | Session cookies are deleted automatically when you close your browser. Persistent cookies remain on your device for a defined period—typically between 12 and 24 months—depending on their specific function (e.g., personalisation, advertising tracking) and the settings applied by the third party that sets them. You can disable non-essential cookies or withdraw your consent to their use at any time through your browser settings or cookie preferences. Once consent is withdrawn, these cookies will no longer be used and will be deleted where technically feasible. | Consent or legitimate interest |
| Consent Records | Logs of user consent obtained through cookie banners or CMPs, including timestamp, consent options chosen, anonymised user ID, and version of policy accepted. Stored internally by Intellias or its consent management provider. | Consent records (e.g., from consent banners or CMPs) are generally retained for up to 10 years, or for a longer period where necessary to demonstrate compliance with data protection laws, respond to regulatory inquiries, or fulfil audit and legal obligations. | Legal obligation or legitimate interest |
| Reporting | Data generated during internal operations and business processes, including financial information, information used for management reporting, performance tracking, human resources, risk oversight, and compliance purposes. This may include personal data where necessary for operational or regulatory reasons. | Retained for a period of 5 to 10 years, depending on the applicable jurisdiction, and may be retained longer where required by local legislation, financial regulations, or statutory audit obligations. | Legal obligation or legitimate interest |
| Security and Audits | Any data that pertains to complying with internal and external audit requirements, conducting Anti-Money Laundering (AML) and Know Your Customer (KYC) procedures, maintaining audit trails, ensuring cybersecurity, and fulfilling obligations under applicable laws, industry standards, or contractual frameworks. | Typically retained for a period of 5 to 10 years, depending on the applicable legal, regulatory, and contractual requirements. In regulated sectors or where special (e.g., fraud or crime prevention) obligations apply, data may be retained for longer in accordance with applicable timelines. | Legal obligation or legitimate interest |
| Events Management | Any data obtained in relation to corporate events held by Intellias, including seminars, workshops, webinars, trainings, social events, and similar activities. This may include full name, email, other contact information, event registration details, feedback submissions, photos, video and audio recordings (including online meetings), and participation records. | Typically retained for up to 7 years following the event, unless a longer retention period is necessary to document participation, preserve media content, or comply with legal obligations. In cases where consent was obtained (e.g., for publication of media content), data may be retained until consent is withdrawn. | Legitimate interest, consent, or legal obligation |
| Handling requests | This includes data used for addressing your inquiries and requests, including those related to the exercise of your rights under applicable laws and regulations. Typically, this covers your name, contact details, or other information necessary to identify you. | Retained for up to 10 years from the date of request resolution, unless a longer period is required to establish, exercise, or defend legal claims, or comply with regulatory obligations. | Legal obligation |
| Communication | This refers to information necessary to communicate with you across various platforms and means, including our website, social media platforms, networks, email, or telephone. Typically, this includes your name, email address, telephone number, and other communication metadata (e.g., timestamps, message content, or delivery status). | Retained for up to 5 years from the last interaction, unless a longer retention period is required for contractual or legal purposes or has been explicitly consented to. Communication records related to legal claims, disputes, or regulatory matters may be retained for a longer duration in line with applicable regulations. | Legitimate interest, or performance of contract, or consent |
| Compliance with Laws | This covers various categories of personal data processed to ensure compliance with statutory obligations in areas such as employment, social security, taxation, corporate governance, anti-corruption, labour law, and other applicable regulatory frameworks. This may include employee data, payroll records, benefit data, and documentation required for legal reporting and audit. | Retained for a period of 5 to 10 years, or longer if required by national legislation, financial or labour regulations, or applicable statutory limitation periods. Retention is based on specific legal obligations depending on jurisdiction and regulatory area. | Legal obligation |
DATA MINIMISATION AND REVIEW
We periodically review the personal data we hold to ensure it is:
- Accurate and up to date.
- Retained no longer than necessary.
- Properly anonymised, returned, or securely deleted where appropriate.
INTERNATIONAL CONSIDERATIONS
Retention practices apply across all jurisdictions where Intellias operates. When the data is transferred internationally, it remains subject to this Retention Policy and applicable local law.
CONTACT US
Should you have any questions about our retention practices, would like to request the deletion of your data from our databases, or discuss any other matter, please feel free to contact us using any of the contact methods listed in the Intellias Privacy Policy.