1. Purpose & Scope
This policy sets out how Receeva complies with the UK GDPR and the Data Protection Act 2018, and how long we retain different categories of personal data. It applies to all personal data processed by Receeva in connection with our SaaS platform and business operations.
2. Roles & Responsibilities
- Receeva (Rivello Ltd) acts as Data Controller for account, billing, marketing and HR data, and as Data Processor for customer content uploaded to the platform, per customer contract.
- Senior leadership is accountable for GDPR compliance (Accountability principle).
- A Data Protection Officer (DPO) will be appointed if required by law; otherwise, a designated privacy lead will oversee compliance. Contact: carl@rivello.co.
3. Data Protection Principles
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
4. Lawful Bases for Processing
Receeva relies on one or more lawful bases depending on the activity: performance of a contract (e.g., delivering the service), legitimate interests (e.g., security monitoring, product improvement with minimal impact on individuals), consent (e.g., marketing where required), and legal obligation (e.g., tax records).
5. Privacy Information (Articles 13/14)
We provide clear, timely privacy information at the point of data collection (Article 13) and, where we obtain data from other sources, within the required timeframes (Article 14). Our Privacy Notice explains purposes, lawful bases, retention periods, rights, and international transfers.
6. Data Subject Rights
Individuals can exercise their rights to access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making. Receeva will respond without undue delay and within statutory timelines (normally one calendar month), with possible extensions for complex cases. Requests should be sent to support@receeva.com.
7. Security Measures
Receeva implements appropriate technical and organisational measures, including encryption in transit and at rest, role-based access controls, network security, logging and monitoring, secure development practices, staff training, vendor due diligence, and business continuity and disaster recovery (BC/DR).
8. Data Protection Impact Assessments (DPIAs)
We conduct DPIAs before initiating processing that is likely to result in a high risk to individuals (e.g., large-scale processing of special category data, systematic monitoring, or the use of new technologies). DPIAs are embedded into project and change management.
9. International Data Transfers
Where personal data is transferred outside the UK, Receeva uses permitted transfer mechanisms (e.g., UK adequacy regulations, the International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs) and conducts transfer risk assessments (TRAs) where required.
10. Processors & Subprocessors
Receeva engages subprocessors under written Data Processing Agreements that include GDPR-required terms. We maintain a current list of subprocessors and notify customers of material changes per contract.
11. Personal Data Breaches
Receeva maintains incident response procedures and a breach register in which every personal data breach is recorded, whether or not it is notifiable. Where a breach is likely to result in a risk to individuals, we will notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it. If the breach is likely to result in a high risk to individuals, we will also notify the affected individuals without undue delay.
12. Records of Processing (Article 30)
Receeva maintains Records of Processing Activities (RoPA) that include purposes, categories of data, recipients, international transfers, retention schedules, and security measures. Processors we appoint also maintain appropriate records.
13. Data Retention & Deletion
We retain personal data only for as long as necessary for the purposes for which it was collected, in line with the storage limitation principle. Where possible, data is anonymised or pseudonymised. When data is no longer needed, it is securely erased or irreversibly anonymised. Backups follow defined cycles and are overwritten on rotation. A legal hold supersedes scheduled deletion.
13.1 Retention Schedule (Summary)
| Data Category | Examples | Lawful Basis | Retention Period | Rationale |
|---|---|---|---|---|
| Customer account & contract data | Name, business contact, login, agreements | Contract; Legitimate interests | Contract term + 6 years | Defend/establish legal claims under Limitation Act; resolve disputes |
| Billing & financial records | Invoices, payments, VAT records | Legal obligation | 6 years from end of financial year | HMRC record-keeping requirements |
| Customer content (files shared via Receeva) | Uploaded files, share metadata | Contract; Processor role under DPA | Configurable by customer; by default a shared file is kept for 30 days awaiting access via its share link, and for 1 day once it has been downloaded | Provide service then delete; minimise storage |
| Support tickets & communications | Emails, chat, ticket history | Legitimate interests; Contract | 3 years after ticket closure (extend under legal hold) | Customer service history; defend claims |
| Marketing contacts | Prospects, newsletter subscribers | Consent; Legitimate interests (B2B) | Until consent withdrawn or 24 months of inactivity | Respect rights; regular re-permissioning |
| Platform logs & audit trails | Access logs, activity logs | Legitimate interests; Legal obligations (security) | 12 months active logs; aggregate/anonymise thereafter | Security investigations; performance tuning with minimal risk |
| Security/incident & breach records | Incident timelines, notifications | Legal obligation; Legitimate interests | 6 years | Demonstrate compliance and accountability |
| RoPA, DPAs and privacy notices | Records of processing, processor contracts | Legal obligation | Life of contract + 6 years | Accountability and audit support |
| HR and recruitment data | Employee files, CVs, interview notes | Contract; Legal obligation | Employees: 6 years after termination; Applicants: 12 months | Defend employment claims; statutory requirements |
14. Deletion, Anonymisation & Backups
- Deletion: Data is securely erased from production systems within standard operational SLAs.
- Anonymisation: Where ongoing analytics are required, data is aggregated and anonymised using techniques designed to prevent re-identification.
- Backups: Backups are encrypted and retained on rolling cycles. Data erased from production systems persists in backups only until those backups expire and are overwritten on rotation; if a backup is restored, any deletions scheduled since it was taken are re-applied.
15. Legal Hold
If Receeva receives notice of (or reasonably anticipates) a claim, investigation, or audit, we will apply a legal hold to suspend deletion for relevant records until the hold is released.
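The retention schedule, the post-download window for customer content, the 12-month log anonymisation step and the legal-hold override in sections 13.1 to 15 together define a small decision procedure. The following is an added example of how an engineer might encode it, written for this page and not taken from Receeva's platform; the class and function names are hypothetical, the sample records are constructed, and two behaviours the policy leaves unstated are assumptions marked in the code: that a download never extends retention past the share-link period, and that anonymised log lines keep only the coarsened day, action and status.

```python
"""Retention evaluator modelled on the schedule above (hypothetical example code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class Action(Enum):
    RETAIN = "retain"
    DELETE = "delete"        # securely erase from production
    ANONYMISE = "anonymise"  # strip identifiers, keep aggregate value


# Defaults taken from the retention schedule in section 13.1.
SHARE_LINK_TTL = timedelta(days=30)    # share link may be accessed for 30 days
POST_DOWNLOAD_TTL = timedelta(days=1)  # 1 day once the file has been downloaded
LOG_ACTIVE_TTL = timedelta(days=365)   # 12 months of active logs, then anonymise


@dataclass
class SharedFile:
    uploaded_at: datetime
    downloaded_at: Optional[datetime] = None
    share_ttl: timedelta = SHARE_LINK_TTL  # customer-configurable override
    legal_hold: bool = False


def shared_file_expiry(f: SharedFile) -> datetime:
    """Earliest time at which a shared file falls due for deletion.

    A download starts the shorter post-download window. Assumption (not stated
    in the policy): a download never extends retention past the share-link TTL.
    """
    link_expiry = f.uploaded_at + f.share_ttl
    if f.downloaded_at is None:
        return link_expiry
    return min(link_expiry, f.downloaded_at + POST_DOWNLOAD_TTL)


def shared_file_action(f: SharedFile, now: datetime) -> Action:
    if f.legal_hold:
        return Action.RETAIN  # a legal hold supersedes scheduled deletion
    return Action.DELETE if now >= shared_file_expiry(f) else Action.RETAIN


@dataclass
class AccessLogEntry:
    ts: datetime
    user_id: Optional[str]
    client_ip: Optional[str]
    action: str
    status: int
    legal_hold: bool = False


def log_action(entry: AccessLogEntry, now: datetime) -> Action:
    if entry.legal_hold:
        return Action.RETAIN
    if now - entry.ts < LOG_ACTIVE_TTL:
        return Action.RETAIN  # still within the 12-month active window
    if entry.user_id is None and entry.client_ip is None:
        return Action.RETAIN  # already anonymised, nothing further to strip
    return Action.ANONYMISE


def anonymise_log(entry: AccessLogEntry) -> AccessLogEntry:
    """Drop direct identifiers and coarsen the timestamp to the day (assumed
    scheme) so the record supports aggregate statistics only."""
    return AccessLogEntry(
        ts=entry.ts.replace(hour=0, minute=0, second=0, microsecond=0),
        user_id=None,
        client_ip=None,
        action=entry.action,
        status=entry.status,
    )


if __name__ == "__main__":
    # Constructed sample data, evaluated as of a fixed "now".
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)
    files = {
        "unaccessed, 31 days old": SharedFile(datetime(2025, 5, 1, tzinfo=timezone.utc)),
        "downloaded 6 days ago": SharedFile(datetime(2025, 5, 25, tzinfo=timezone.utc),
                                            downloaded_at=datetime(2025, 5, 26, tzinfo=timezone.utc)),
        "on legal hold": SharedFile(datetime(2025, 5, 1, tzinfo=timezone.utc), legal_hold=True),
    }
    for label, f in files.items():
        print(f"{label}: {shared_file_action(f, now).value}")
    old = AccessLogEntry(datetime(2024, 1, 15, 9, 30, tzinfo=timezone.utc),
                         "user-123", "203.0.113.7", "download", 200)
    print(log_action(old, now).value, anonymise_log(old))
```

Running the evaluator as a scheduled job over production records gives a single place where the retention periods live, which is what an auditor checking the storage limitation principle will ask to see; the legal-hold branch comes first in both decision functions so that a hold can never be bypassed by a later rule.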
16. Training, Audits & Review
All staff handling personal data receive regular GDPR training. Compliance is monitored via periodic audits. This policy and the retention schedule are reviewed at least annually or upon material changes to processing or law.
17. Contact
Questions about this policy or requests to exercise data protection rights can be directed to: support@receeva.com.
Appendix A - References (non-exhaustive)
- ICO - Storage limitation principle (UK GDPR Article 5(1)(e)).
- ICO - Personal data breaches: notify within 72 hours where feasible; document all breaches.
- ICO - Individual rights (access, rectification, erasure, restriction, portability, objection; automated decisions).
- ICO - Time limits for responding to rights requests (one calendar month; possible extension).
- ICO - International transfers (adequacy, IDTA/UK Addendum, TRAs).
- ICO - Records of Processing (Article 30) and documentation guidance.
- ICO - DPIA: when required for high-risk processing.
- HMRC - VAT/business record retention (generally 6 years).
- Limitation Act (contract claims typically 6 years; deeds 12 years).