Data Retention & Destruction Policy
Last Updated: 8 April 2026
1. Introduction
This Data Retention and Destruction Policy outlines how Tapnet Solutions (Pty) Ltd (Registration No. 2023/135522/07) retains, archives, and destroys personal information and other data in compliance with the Protection of Personal Information Act 4 of 2013 (POPIA), specifically Condition 3 (Purpose Specification), and other applicable South African legislation.
This policy applies to tapnet.co.za and all other websites, applications, and digital services operated by Tapnet Solutions (Pty) Ltd.
We are committed to ensuring that personal information is not retained for longer than is necessary to achieve the purpose for which it was collected or subsequently processed, unless retention is required or authorised by law. When data is no longer needed, it is destroyed in a secure and irreversible manner.
POPIA Condition 3, Purpose Specification: Personal information must be collected for a specific, explicitly defined, and lawful purpose related to a function or activity of the responsible party. Records must not be retained longer than is necessary to achieve that purpose.
2. Retention Schedule
The following table sets out the retention periods for each category of data we collect, together with the legal basis for retention and the method of destruction upon expiry.
| Data Category | Retention Period | Legal Basis | Destruction Method |
|---|---|---|---|
| Contact form submissions | 2 years from submission | POPIA Section 14, legitimate interest | Permanent deletion from database |
| Booking requests | 2 years from booking date | POPIA Section 14, legitimate interest | Permanent deletion from database |
| Quote requests | 2 years from submission | POPIA Section 14, legitimate interest | Permanent deletion from database |
| Client service agreements | 5 years after completion | Companies Act 71 of 2008, Tax Administration Act | Secure shredding (physical), permanent deletion (digital) |
| Financial and tax records | 5 years from end of tax year | Tax Administration Act 28 of 2011, Income Tax Act | Secure shredding (physical), permanent deletion (digital) |
| Invoice records | 5 years from date of invoice | VAT Act 89 of 1991, Tax Administration Act | Secure shredding, permanent deletion |
| Admin account data | Duration of role + 1 year | Contractual necessity | Permanent deletion from database, credential invalidation |
| Google Analytics data | 26 months (GA4 default) | Consent | Automatic deletion by Google |
| Scroll/engagement sessions | 1 year from creation | Legitimate interest (anonymized) | Permanent deletion from database |
| AI chatbot conversations | 90 days | Legitimate interest | Automatic deletion |
| Cookie consent records | Until cleared by user or 2 years | POPIA Section 11 (consent evidence) | Cleared from localStorage by user |
| Server/application logs | 90 days | Legitimate interest, security | Automatic rotation and deletion |
| Backup data | 30 days | Business continuity | Automated deletion of expired backups |
| Marketing consent records | Until consent withdrawn + 1 year | POPIA Section 11 | Permanent deletion |
| Breach notification records | 5 years from breach | POPIA Section 22, compliance | Secure deletion |
3. Account Deletion Process
Users may request the deletion of their personal data at any time. We have established the following process to handle such requests efficiently and transparently:
- Submit a request: Email the Information Officer at wynand@tapnet.co.za with the subject line “Data Deletion Request” and sufficient information to identify your records.
- Acknowledgement: Your request will be acknowledged within 5 business days of receipt.
- Processing: Deletion will be completed within 30 days of acknowledgement, subject to any legal retention obligations.
- Financial records: Where financial or tax records are associated with your account, these will be retained for a minimum of 5 years as required by the Tax Administration Act and related legislation. You will be informed of this at the time of acknowledgement.
- Anonymized data: Fully anonymized analytics data that cannot be linked back to you may be retained for statistical and improvement purposes.
- Confirmation: A written confirmation will be sent to you upon completion of the deletion process, detailing what data was deleted and any data retained under legal obligation.
Please note: Requesting deletion of your data may affect our ability to provide services to you. We will inform you of any such consequences before proceeding with the deletion.
4. Destruction Methods
When data reaches the end of its retention period or a valid deletion request is processed, we apply the following destruction methods to ensure data is permanently and irreversibly removed:
4.1 Digital Records
- Permanent deletion from database using Prisma delete operations, ensuring referential integrity and complete removal of associated records.
- Overwriting of stored data where simple deletion is insufficient.
- Cryptographic erasure where applicable, rendering encrypted data permanently inaccessible by destroying the encryption keys.
4.2 Physical Records
- Cross-cut shredding of all physical documents containing personal information, ensuring reconstruction is not possible.
4.3 Backups
- Automated expiry and deletion of backup data after the 30-day retention window.
- Backup destruction is verified through automated monitoring.
4.4 Third-Party Data
- Deletion requests are sent to all relevant operators and third-party service providers, including Vercel, Neon, Google, and OpenAI, in accordance with our operator agreements and data processing contracts.
- We follow up to confirm that third-party deletion has been completed.
4.5 Verification
- All destruction activities are logged with the date, method, data category, and responsible party.
- Destruction logs are reviewed and verified by the Information Officer.
5. Automated Retention Enforcement
To ensure consistent and timely data destruction, we employ the following automated enforcement mechanisms:
- Automated database cleanup scripts: Scheduled scripts identify and permanently delete records that have exceeded their retention period, as defined in the retention schedule above.
- Google Analytics automatic data expiry: GA4 is configured with a 26-month data retention window, after which user-level and event-level data is automatically deleted by Google.
- Log rotation: Server and application logs are subject to automatic rotation and deletion after 90 days.
- Quarterly manual review: The Information Officer conducts a quarterly review of retention compliance, verifying that automated systems are functioning correctly and that no data is being retained beyond its prescribed period.
Continuous improvement: Our automated retention systems are regularly tested and updated to ensure they remain effective and aligned with current legislation and best practices.
6. Exceptions to Standard Retention
In certain circumstances, data may be retained beyond the standard retention periods set out in this policy. The following exceptions apply:
- Legal hold: Data will be preserved and exempted from routine destruction if it is subject to pending or anticipated legal proceedings, regulatory investigation, or a lawful preservation order. The legal hold remains in effect until the matter is resolved and the hold is formally lifted by the Information Officer.
- Regulatory requirement: Where a specific law or regulation requires a longer retention period than specified in this policy, the statutory requirement will prevail.
- Dispute: Data relevant to a dispute between Tapnet Solutions (Pty) Ltd and a data subject or third party will be retained until the dispute is fully resolved, including any applicable appeal period.
- Anonymized data: Fully anonymized data, where re-identification of any individual is not possible, may be retained indefinitely for statistical, research, or analytical purposes. Such data falls outside the scope of POPIA as it no longer constitutes personal information.
7. Roles and Responsibilities
The following roles and responsibilities ensure the effective implementation and ongoing compliance of this policy:
7.1 Information Officer
- Overall accountability for data retention compliance and the implementation of this policy.
- Approving any exceptions to standard retention periods.
- Conducting quarterly reviews of retention practices and automated enforcement mechanisms.
- Verifying destruction logs and confirming data deletion upon request.
7.2 Development Team
- Implementing and maintaining automated deletion scripts and database cleanup processes.
- Ensuring that data lifecycle management is built into all systems and applications.
- Promptly addressing any technical issues that may affect retention compliance.
7.3 All Staff
- Complying with the retention schedules outlined in this policy.
- Reporting any anomalies, suspected breaches of retention requirements, or data that appears to be retained beyond its prescribed period to the Information Officer.
8. Policy Review
This Data Retention and Destruction Policy is reviewed annually by the Information Officer to ensure it remains current, accurate, and compliant with applicable legislation.
The policy will also be updated whenever:
- Relevant legislation changes or new regulations are introduced that affect data retention obligations.
- New data types or processing activities are introduced by Tapnet Solutions (Pty) Ltd.
- A material change occurs in our technology infrastructure, third-party service providers, or business operations that impacts how data is stored or destroyed.
Contact the Information Officer
If you have any questions about this policy, wish to request the deletion of your personal data, or require further information about our retention practices, please contact:
- Information Officer: Wynand de Beer
- Company: Tapnet Solutions (Pty) Ltd
- Registration No: 2023/135522/07
- Email: wynand@tapnet.co.za
- Phone: 079 174 8357
- Address: 594 Bombani Street, Elarduspark, Gauteng, 0181, South Africa