TERMS OF SERVICE – SHOPFIT HUB


Icon Safety Systems Limited (company number 16449520, registered office: CSH Consulting, The Barn 8 Oakley Hay Lodge, Great Folds Road, Corby, Northamptonshire, United Kingdom, NN18 9AS) ("we", "us", "our", "ShopFitHub") is committed to complying with the UK General Data Protection Regulation (UK GDPR), Data Protection Act 2018, and other applicable laws when handling personal data.


This Data Retention and Deletion Policy explains how long we keep different types of data in the ShopFit Hub platform (www.shopfithub.com) and our approach to deletion. It applies to all personal data we process as a data processor on behalf of our users (data controllers) and as a controller for our own account/operational data.


1. Our General Principles


  • We keep personal data only for as long as necessary for the purposes for which it was collected (storage limitation principle, UK GDPR Article 5(1)(e)).


  • Project-specific data is deleted promptly after the paid access period ends to minimise risk and comply with data minimisation.


  • Registered user account data is retained longer where justified for legitimate interests (e.g., account reactivation, security, defending legal claims).


  • Deletion is permanent and secure (data made irrecoverable from live systems, backups overwritten in due course).


  • We may anonymise or aggregate data for platform improvements/statistics (no longer personal data).

 

Notes on construction/health & safety data: As a processor, we delete project records when no longer needed for the Service. If a user (controller) requires longer retention (e.g., 5 years for general H&S records, 40 years for certain exposure records under COSHH/asbestos regs), they must export/download copies before expiry — we do not retain beyond our policy unless legally compelled (e.g., court order).

 

2. Types of Data and Retention Periods


1. Project-Specific User Data

Includes:

  • Documents
  • Files
  • Forms
  • Contractor details
  • Health & safety records
  • Compliance uploads
  • Project directories
  • Site checks
  • Any content uploaded/created for a specific project


Retention Period:

  • Until the end of the paid access period
  • (Project completion + archiving window, e.g., 12–24 months as specified at purchase)
  • Plus a grace period of 30–90 days


Justification / Legal Basis:

  • Necessary to provide the Service
  • Contract performance (UK GDPR Art. 6(1)(b))
  • No longer needed after access expires


Deletion Trigger / Action:

  • Automatic deletion after grace period
  • Secure overwrite/purge from databases, storage, and backups


2. Registered User Account Data


Includes:

  • Name
  • Email address
  • Company name
  • Phone number (if provided)
  • Hashed password
  • Account ID
  • Billing/payment references (tokenised)
  • Login history


Retention Period:

  • For the life of the active account
  • Plus 6 years after last project/payment or account closure
  • (Unless erasure is requested)


Justification / Legal Basis:

  • Legitimate interests (Art. 6(1)(f))
  • Account management
  • Reactivation for future projects
  • Fraud prevention
  • Defending contract claims (Limitation Act 1980)


Deletion Trigger / Action:

  • On user request (erasure)
  • Or after 6-year post-closure period (unless legal hold applies)
  • Minimal data retained only


3. Payment / Transaction Data

Includes:

  • Transaction IDs
  • Amounts
  • Dates
  • (Full card details never stored)


Retention Period:

  • 7 years from transaction date
  • Or as required by payment processor / HMRC


Justification / Legal Basis:

  • Legal obligation
  • Tax / VAT records
  • Companies Act / HMRC rules


Deletion Trigger / Action:

  • Deleted or anonymised after retention period
  • Only references retained if linked to account


4. Logs & Technical Data

Includes:

  • Access logs
  • IP addresses
  • Audit trails (non-project specific)


Retention Period:

  • 12–24 months
  • Or shorter where possible


Justification / Legal Basis:

  • Legitimate interests
  • Security
  • Debugging
  • Abuse prevention


Deletion Trigger / Action:

  • Automatic purge after retention period


5. Aggregated / Anonymised Data

Includes:

  • Usage statistics
  • Anonymised analytics derived from projects


Retention Period:

  • Indefinite (no longer personal data)


Justification / Legal Basis:

  • Legitimate interests
  • Service improvement


Deletion Trigger / Action:

  • Not applicable (non-personal data not deleted)



3. How We Delete Data


  • Automatic deletion occurs at the end of the retention period via scheduled processes.


  • Data is securely deleted (overwritten, purged from cloud storage/databases/backups in line with industry standards, e.g., NIST guidelines or equivalent).


  • Backups are rotated; old backups containing deleted data are overwritten over time (typically within 30–90 days).


  • We cannot recover deleted data once purged.


4. User Rights – Deletion Requests (Right to Erasure)


Under UK GDPR Article 17, you may request deletion of your personal data ("right to be forgotten").

  • Project data: Usually already deleted or scheduled for deletion post-project. We can accelerate if requested.


  • Account data: We will delete your account and associated personal data within 30 days of a valid request, except where we must retain it (e.g., for legal obligations, defending claims, or fraud prevention - we will explain any exceptions).



  • We verify identity and respond within one month (extendable if complex). No fee is charged unless the request is manifestly unfounded/excessive.


5. Exceptions to Deletion


We may refuse or partially refuse erasure if:


  • Required for legal obligations (e.g., tax records).


  • For establishing, exercising, or defending legal claims.


  • Archiving in the public interest, scientific/historical research (rarely applies).


  • Freedom of expression/information (not applicable here).

 

 

6. Changes to This Policy


We may update this policy. Changes will be posted here with the updated effective date. Significant changes will be notified via email or in-app.


7. Contact


For questions, deletion requests, or complaints:

  • Email: admin@shopfithub.com
  • Post: iCon Safety Systems Limited, CSH Consulting, The Barn 8 Oakley Hay Lodge, Great Folds Road, Corby, Northamptonshire, NN18 9AS.


This policy forms part of our overall data protection framework and should be read alongside our Privacy Policy and Terms of Service.


By using ShopFit Hub, you acknowledge this policy.