Data Retention and Deletion Policy
We keep your data only as long as it is needed, and delete it when it is not. Here is exactly how that works.
Version 2.2.0Last Updated
Company: Y.O.D.O. Ltd (Company No. 15736034)
Registered Office: 42 Mayfair Gardens, Southampton, SO15 2TW, United Kingdom
ICO Registration: ZC015883 (Data Protection Lead: Mrs Theodosia Kouraki)
EU Representative under Article 27 EU GDPR: Christina-Eloiza Kouraki, Marasli 29, Athens 10676, Greece, email eloizakouraki@yahoo.gr.
Contact: info@yodo.ltd
Toggle changelog details. What changed in v2.1.0 (15 May 2026)
Version 2.1.0 · 15 May 2026
- EU Representative under Article 27 EU GDPR appointed: Christina-Eloiza Kouraki (Athens, Greece). EU/EEA queries now route to the appointed representative.
- Partner referral parameters: retention reduced from 6 months to 3 months (aligned to Terms Schedule F).
- §5.4 now documents auto-association of the Partner to the Special Delegate list at sign-up.
Earlier revisions
Version 1.8.1 · 27 April 2026
- Retention table: added Cookiebot consent records (12 months) and Partner referral parameters.
- New §5.4 explaining the lifecycle of Partner referral data.
This Data Retention and Deletion Policy explains, in plain language, how long we typically keep personal data when you use the Y.O.D.O. Service and what triggers deletion.
This policy must be read alongside:
- our Terms and Conditions (which set key feature rules and deletion clocks), and
- our Privacy Policy (which explains what we collect, why, lawful bases, and your rights).
If there is a conflict, the Terms and Conditions govern how the Service operates, and the Privacy Policy governs how we process personal data. This policy is a transparency summary of retention practice.
A note on terminology: In our legal documents, we use the word "delivery" and "delivered" to describe when a Message becomes accessible to a Recipient. On the website and in the Service, the same event may be described as a Message being "released". Both terms refer to the same process.
1. Key principles
1.1 We keep data only as long as needed to provide the Service, meet legal obligations, prevent fraud/misuse, and handle disputes.
1.2 Some data must be kept longer for audit, security, and legal compliance (for example, minimal verification event logs).
1.3 Deletion is not always instant. Data may persist briefly in backups and security logs, but will be removed from active systems and then overwritten from backups on a rolling basis.
1.4 We do not "keep everything forever". The Service is designed to minimise long-term storage where possible, particularly around verification documents.
2. Definitions used in this policy
2.1 T0 (Check-in due time): The scheduled due time of a Check-in. Certain deletion clocks run from T0.
2.2 Delegate action: A Delegate taking an action in the Service that changes the account state or indicates an outcome (for example, starting a Status Check or recording an outcome). Passive viewing of the Delegate dashboard does not constitute a Delegate action for the purposes of this policy.
2.3 Delivered Message: A Message that becomes accessible to a Recipient after Passing verification.
2.4 Undelivered Message: A Message stored in the Account Holder's account that has not been delivered to a Recipient (because Passing has not been verified, or delivery has not been triggered, or the Message is still a draft).
2.5 Account-operational data: Settings, preferences, contact lists (Delegates and Recipients), and operational records needed to run the Service (excluding stored Message content).
2.6 Inactive: No Active subscription (including no active Free Trial and not being within a payment-resolution window) and no Active Delegate relationship.
2.7 Active subscription: An active paid subscription, an active Free Trial, or being within a payment-resolution window (the period of up to 7 days following a failed renewal payment).
3. Retention overview
3.1 Delivered Messages (Recipient access window)
- Availability: Delivered Messages are available to Recipients for 12 months from the delivery trigger. Extensions to the access window may be available on request within the original 12-month period. See our Terms for details.
- Removal: If not accessed and downloaded within that window, they are deleted from our active systems, subject to limited retention in backups and logs as described in section 6.
3.2 Death certificates (Passing verification documents)
- Storage: The certificate is stored as a file (PDF, JPEG or PNG, up to 20 MB) in encrypted object storage (AWS S3), with metadata in our database (upload timestamp, uploader identity, verification status, resolution cause, who resolved it, and encrypted resolution notes). We do not compute or store a hash or checksum of the certificate.
- Live retention: The certificate file is held while the Account Holder's account is active. Recording the verification outcome does not delete the file; it changes a status field. There is no seven-year retention period and no 30-day timer on the certificate file.
- Removal: The file is removed from live storage when the account is deleted. Because the S3 bucket has object versioning enabled with a 365-day lifecycle on noncurrent versions, a removed certificate persists as a recoverable noncurrent version for up to 365 days after account deletion, then is permanently deleted.
- Verification log: The passing-report timeline / event-log entry (event type, actor, timestamp and an encrypted details payload) and the Persona identity-verification record (provider identifiers, encrypted extracted name, name-match result and score, status, encrypted provider session token, and the inquiry-attributes block returned by Persona webhooks) are kept while the account is live and are soft-deleted on account deletion: excluded from live queries but retained in encrypted form so we can answer a later dispute or regulator query. The raw identity-document image is held by Persona, not by Y.O.D.O.
- Metadata survivorship: Because the passing-report row is soft-deleted rather than destroyed, the fact that a certificate once existed (including who uploaded it and when) is preserved after the certificate file itself has been removed from live storage.
3.3 Non-response deletion (Account Holder silence with no Delegate action)
If a Check-in is missed and there is no Account Holder response and no Delegate action:
- Pre-deletion steps: We may begin pre-deletion steps after 30 days from T0.
- Deletion: We may delete undelivered Messages, media, and Account-operational data from our active systems after 60 days from T0.
- Pause: These timelines pause during a Care Pause. When a Care Pause ends, the deletion clock resumes from where it paused rather than restarting.
3.4 Trial ended with no payment details (non-subscribed state)
If the Free Trial ends and you do not add payment details:
- We do not charge you.
- Check-ins stop and Delegates are not contacted (as set out in the Terms).
- Retention and deletion then follow the rules for non-subscribed accounts, including the non-response and inactivity pathways described in the Terms.
3.5 Subscription ended and grace period passed (Inactive accounts)
If your subscription ends and any payment grace period has passed without resolution:
- Paid features stop and Check-ins stop (per the Terms).
- If you are not an active Delegate for anyone else, your account may become Inactive.
- We may schedule deletion of Account-operational data and undelivered Messages 30 days after the account becomes Inactive, subject to the exceptions in section 6.
3.6 Subscription status on deletion
If we delete your account under section 3.3 (T0-based deletion) or 3.5 (Inactive deletion), any paid subscription linked to that account will end at the time of deletion and we take reasonable steps to stop future renewals (including by cancelling the subscription record with our payment provider where applicable). If a renewal payment is taken after deletion due to timing or processing delays, contact Support and we will review and, where appropriate, refund that renewal payment.
4. Retention schedule
The timeframes below are typical. We may retain some data longer where necessary and proportionate for legal claims, fraud prevention, security, or compliance (see section 6).
| Data category | Typical retention period |
|---|---|
| Account and profile data | Deleted from active systems typically within 30 days of closure or deletion trigger, subject to section 6 |
| Email and phone verification records | Retained as long as needed for security and audit, then deleted/rotated |
| Delegates and Recipients contact data | Deleted in line with account deletion triggers, subject to section 6 |
| Check-in and escalation records | Deleted in line with account deletion triggers, subject to section 6 |
| Message content (undelivered) | Deleted on account deletion, or after 60 days from T0 where non-response deletion applies |
| Messages delivered to Recipients | Accessible for 12 months, then deleted from active systems (subject to section 6) |
| Passing verification documents (death certificate file) | Held in AWS S3 while the account is active; removed from live storage on account deletion. Up to 365 days as a recoverable noncurrent S3 version, then permanently deleted |
| Verification event log (passing-report timeline) | Encrypted at rest. Kept while the account is live; soft-deleted on account deletion (excluded from live queries, retained for audit and dispute handling) |
| Identity-verification record (Persona) | Kept while the account is live; soft-deleted on account deletion. Raw identity-document image held by Persona, not by Y.O.D.O. |
| Security and access logs | Typically retained around 12 months |
| Cookie consent records (Cookiebot) | Consent ID, timestamp, categories, and banner version retained for 12 months from collection, then refreshed at re-consent |
| Partner referral parameters (tracking tags and Partner code) | Kept on your account record for up to 3 months from when we first see them, so we can apply the 15% Partner discount within the Schedule F redemption window. Removed once the discount is used or the 3 months are up. We keep only a short note in our billing records showing that a Partner discount was applied, for accounting and audit |
| Backups | Database backups (Crunchy Bridge): rolling cycle of approximately 10 daily snapshots, no longer-term tier; database rows only, not certificate files. Object-storage files (S3): noncurrent versions retained up to 365 days, then permanently deleted |
5. Special cases
5.1 Delegate-only accounts
If you have a Delegate-only account and you have no active Delegate relationship:
- We may delete your account and associated account data after 30 consecutive days of being Inactive, as described in the Terms.
5.2 Disputes, restricted accounts, and legal holds
If an account is in dispute, under investigation, or subject to a legal request:
- We may retain relevant data for longer than the typical periods while the issue is active and for a reasonable period afterwards.
5.3 Passing reported shortly before deletion
If a Passing is reported shortly before deletion would otherwise occur:
- We may allow a limited period (up to 30 days, subject to any extensions permitted under the Terms) to complete verification, as described in the Terms.
5.4 Partner referral parameters and the 15% Partner discount
If you reach Y.O.D.O. through an approved Partner link, or you enter a Partner code when you sign up, we save a small set of details (the Partner code, plus tracking tags such as utm_source, utm_medium and utm_campaign). We use these only to apply the 15% Partner discount within the time limit set out in Schedule F of our Terms.
- How long we keep them: up to 3 months from when we first see them, matching the Schedule F redemption window.
- When the discount is used or the 3 months are up: we remove the referral details from our live systems. We keep only a short proof-of-discount note (which Partner you came from and that the discount was applied) in our billing records for accounting and refund handling.
- Auto-association at sign-up: signing up with a Partner code automatically adds that Partner to your Special Delegate list. You can remove the Partner from your Special Delegate list at any time in account settings before any verification event.
- Changing your mind: you can email info@yodo.ltd at any time to ask us to remove unused Partner referral details from your account. If you do this before the discount is applied, you will not be able to use that offer afterwards.
- Cookies: how cookies and consent work for these details is explained in Cookies Policy §6.
6. What we may keep even after "deletion"
"Deleted from our active systems" means removed from our live databases and no longer accessible in Y.O.D.O. Limited retention in backups and logs may apply as described below.
Even after an account is deleted from active systems, we may retain limited data where necessary and proportionate for:
- Compliance with legal obligations
- Fraud prevention and security
- Dispute handling and chargebacks
- Audit and accountability (for example minimal verification event logs)
We restrict access to retained data and keep it only for as long as needed for those purposes.
7. Your choices and rights
You can request access to your personal data and exercise your rights under data protection law by contacting info@yodo.ltd. We will respond within one month of receiving your verified request. In complex cases we may extend this by a further two months and will notify you if we do.
Some deletion requests may be limited where we must retain data for legal, security, or fraud-prevention reasons (for example where a payment dispute is ongoing or we must retain audit logs).
8. Changes to this policy
We may update this policy from time to time. We will update the "Last Updated" date and may provide additional notice where changes are material.