Inspect·Ready

Data Retention & Deletion

Last updated: 2026-07-02

This policy explains how long InspectReady (Crocker Digital Ltd, company no. 17008789) keeps your data, and what happens when you delete it or close your account. It is referenced by our Privacy Policy and our Data Processing Agreement.

The short version

  • Your home's policies, audits, and evidence files are kept for the life of your subscription.
  • After you cancel, we keep everything through a 30-day grace period so you can reactivate or export. After that, a scheduled sweep deletes your evidence files and evidence records and anonymises the account holder's profile name. Your policies, audits, findings, readiness assessments, and generated evidence packs are retained as part of your compliance record and are removed on request.
  • You can request a data export (JSON) or account deletion by emailing our privacy team, which we action within one month.
  • Our audit log — a tamper-proof record of security- and compliance-relevant events — is kept as a compliance record. On deletion we remove or anonymise the personal data; we do not rewrite or destroy the immutable log itself.

Retention windows

Data Kept for Then
Evidence files and evidence records Life of the subscription Deleted after the 30-day post-cancellation grace window
Policies, audits, findings, readiness assessments Life of the subscription Retained as part of your compliance record; removed on request
Generated evidence packs (PDF/ZIP snapshots) Life of the subscription Retained for audit integrity; removed on request
Account profile (name, email, role) Life of the account Name anonymised after the grace window; profile removed on request
Billing records As required by law (tax/accounting) Retained by our payment processor per its own retention rules
Audit-log events (sign-in, evidence generation, share-link creation, deletion) Retained as a compliance record Personal identifiers anonymised on account deletion; events not destroyed
Cookieless analytics (GoatCounter) Aggregated, no personal data N/A

How deletion works

After the 30-day post-cancellation grace period, a scheduled sweep:

  1. Removes your evidence files from private storage and deletes your evidence records.
  2. Anonymises the account holder's profile name and revokes access.

Your policies, audits, findings, readiness assessments, and generated evidence packs are retained as part of your compliance record. You can ask us to remove them — and to fully erase your remaining profile data — at any time, and we action erasure requests within one month (see Requesting export or deletion below).

If you delete your account directly, we begin this process without waiting for the grace period.

Erasure and the immutable audit log

InspectReady keeps an append-only audit log of security- and compliance-relevant events. This log is immutable by design — database rules prevent it being edited or deleted, including by us — so that it can serve as a contemporaneous compliance record consistent with Regulation 17(2)(c) of the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014, and so that a historical evidence pack can be tied to the framework version it was built under.

Because that ledger is immutable, an erasure request or account deletion is fulfilled by removing or anonymising the personal data associated with an individual (profile fields, evidence contents and metadata) and revoking access — not by destroying the log's historical events. Personal identifiers in the log are minimised or dissociated from the natural person so far as the immutable ledger allows. This reflects Article 17(3)(b) and (e) of the UK GDPR (retention for compliance with a legal obligation and for the establishment or defence of legal claims). It means we do not promise that every database row referencing you is physically destroyed where an immutable compliance record must be retained — erasure here is removal and anonymisation, consistent with audit-log retention.

Requesting export or deletion

  • From Settings: use Request a data export or Request account deletion — we action these within one month.
  • By email: contact privacy@inspectready.co.uk. We respond to data-subject requests without undue delay and within one month, as required by the UK GDPR.

If you are a resident, service user, member of staff, or other individual whose data a care home has uploaded to InspectReady, the care home is the controller of that data — please contact them directly, or contact us and we will forward your request to them.