Some of the features of our products are designed specifically around not losing data, so while you want us to retain your data, it is replicated to multiple systems and backed up.
When you request destruction of your data by deleting specific items, or closing your account, the data is removed in a time-delayed manner. This both allows you to change your mind (undo, or restore from backup), and allows for the possibility that if your account is compromised and the attacker tries to delete everything, we can recover the data.
We also collect some data which is personally identifiable as a side effect of the system monitoring and logging which we require for our operational stability.
Destruction of system logs
System logs are retained for 180 days before being deleted. We have a legitimate interest in having those logs available both to ensure the reliable operation of our systems, and to provide evidence of activity when users report unexpected states in their account.
Destruction of backup data
The backup copies of data are pruned on an “as-needed” basis based on the ratio of space that would saved by re-compacting them. At the moment there is no guarantee that a particular trip or user will be purged on a timeline, however our support can perform an immediate prune for a particular account on request.
Destruction of data after account closure
After an account is terminated, data and backups are purged within a timeframe of between 37 days to 1 year after closure depending on how long the account was active for, and whether the account was explicitly closed or lapsed due to lack of payment.