Why we keep some records
We keep a record of the request and our response to prove we honoured it (required by GDPR Art 5(2) and 12(3)). Everything else is deleted on erasure.
We retain DSAR records (the request and our response) as part of our compliance audit trail to demonstrate compliance with GDPR Art 5(2) and Art 12(3) — this falls under the Art 17(3)(b) legal-obligation exception to erasure. All other personal data is deleted on erasure (except billing records covered by Swedish bookkeeping law and sub-processor logs which retain for legally-mandated periods per our DPA). Admin audit logs separately have a 3-year retention enforced in code.