SmartAlex Data Retention and Deletion Policy
1. Purpose and scope
This Data Retention and Deletion Policy (this "Policy") explains how THERCSGROUP PTE. LTD., trading as SmartAlex ("SmartAlex", "we", "us", or "our"), retains and deletes data in connection with the SmartAlex platform, websites, applications, and APIs (the "Services").
This Policy is the single source of truth for how long the different categories of data we handle are kept and when they are deleted. Other SmartAlex documents, including our Privacy Policy, our Data Processing Addendum, and our Telephony and Call Recording Notice, reference the retention periods set out here.
1.1 Relationship to the Data Processing Addendum
Where a Data Processing Addendum or another written agreement governs Customer Data that we process on a customer's behalf, that agreement controls, and this Policy is intended to be read consistently with it. If there is any conflict between this Policy and the applicable Data Processing Addendum in respect of Customer Data, the Data Processing Addendum prevails to the extent of the conflict.
2. Retention principles
We apply the following principles to every category of data described in this Policy:
- We keep personal data only for as long as it is necessary for the purpose for which it was collected, or for as long as we are required to keep it by law.
- We practise data minimization: we aim to collect and retain only the data we actually need to provide, secure, and improve the Services.
- When data is no longer needed for its original purpose and we are not required to keep it, we delete it or anonymize it so that it no longer identifies a person.
- Retention periods are set as documented targets. They may be shortened where a customer configures a shorter period, and they may be extended where a longer period is required by law or is otherwise permitted under Section 6.
3. Roles and responsibilities
3.1 Customer Data processed on a customer's behalf
For Customer Data that we process on a customer's behalf, the customer is the controller or responsible party and sets retention through its workspace configuration and its own policies. SmartAlex acts as the operator or processor and retains, deletes, or anonymizes that data in accordance with the customer's configuration, our agreement with the customer, and this Policy.
3.2 SmartAlex account and operational data
For SmartAlex's own account, billing, security, and operational data, SmartAlex determines the applicable retention periods and is responsible for deleting or anonymizing that data when it is no longer needed.
4. Retention schedule
The table below sets out our stated default retention periods by data category. These are the documented targets and apply unless a shorter period is configured by the customer, unless a longer period is required by law, or unless an exception under Section 6 applies.
| Data category | What it includes | Default retention |
|---|---|---|
| Call recordings, transcripts, summaries, and call metadata | Audio recordings, generated transcripts, AI summaries, and associated call metadata created through the Services. | Retained in accordance with the customer's workspace configuration. Where no shorter period is configured, this data is retained during the active subscription term and is deleted or anonymized within 90 days after termination of the account or after a verified deletion request, unless a longer period is required by law. |
| Backups | Encrypted backups of platform data held for disaster recovery and business continuity. | Held on a rolling cycle of up to 180 days, after which they are purged in the ordinary course of the backup rotation. |
| Account and billing data | Workspace and user account records, subscription details, invoices, and payment records. | Retained for the life of the account and for a limited period after closure. Certain records are retained longer where required for tax, audit, or legal compliance. |
| Support and communications records | Support tickets, correspondence, and related notes. | Retained for as long as needed to handle the request and for a reasonable period afterwards, for quality, reference, and dispute-handling purposes. |
| Security and audit logs and error events | Access logs, audit trails, security event records, and application error events. | Retained for a limited period for security, debugging, monitoring, and compliance purposes, then deleted or anonymized. |
| Marketing and consent records | Marketing subscriptions, communication preferences, and records of consent and opt-out. | Retained while consent is valid or until it is withdrawn. A suppression record is kept after withdrawal so that we can continue to honour opt-outs. |
Where our infrastructure or hosting arrangements affect how quickly data is removed, we act consistently with the periods above. The service providers that support our storage, backup, and processing are listed in our Subprocessor List.
5. Deletion and anonymization
5.1 Deletion process
When data reaches the end of its retention period, or when a valid deletion request is verified, we first delete it from our live production systems. Copies of that data that remain in encrypted backups are then removed as those backups age out and are purged on the backup cycle described in Section 4, rather than being extracted individually from each backup.
5.2 Anonymization and aggregation
In some cases we anonymize or aggregate data instead of deleting it, so that it no longer identifies or relates to an identifiable person. Anonymized or aggregated data, for example statistics about usage and performance, may be retained and used beyond the periods above, because it is no longer personal data.
6. Legal holds and exceptions
We may retain data for longer than the periods set out in this Policy where doing so is necessary or permitted, including where we need to:
- comply with a legal, regulatory, tax, accounting, or reporting obligation;
- establish, exercise, or defend legal claims, or respond to a legal hold, investigation, or lawful request;
- detect, prevent, or address fraud, abuse, security incidents, or other prohibited or unlawful activity; or
- enforce our agreements and terms, or protect our rights, property, or safety and those of our customers and others.
Where an exception applies, we retain only the data that is reasonably necessary for that purpose and for as long as that purpose requires, after which the data is deleted or anonymized.
7. Customer controls
Customers have controls over the data they process through the Services. Depending on the workspace configuration, a customer can:
- configure retention periods for call recordings, transcripts, summaries, and related data through workspace settings;
- delete individual items, such as a specific recording or transcript, from within the Services; and
- request export or deletion of Customer Data, including in order to respond to a request from an individual.
For how individuals can exercise data-subject or data-protection rights, and how those requests are handled between a customer and SmartAlex, see our Privacy Policy and our Data Processing Addendum.
8. Relationship to other documents
This Policy is the source of truth for our data retention periods. Our other documents refer back to it rather than restating the periods:
- our Privacy Policy describes what personal data we collect and why, and references this Policy for how long we keep it;
- our Data Processing Addendum governs Customer Data by contract and references this Policy for default retention and deletion behaviour;
- our Telephony and Call Recording Notice references this Policy for how long call recordings, transcripts, and related data are retained; and
- our Trust and Security Overview describes the safeguards that protect data during its retention period.
Where the Data Processing Addendum or another written agreement states that it governs Customer Data, that agreement prevails over this Policy in respect of that Customer Data to the extent of any conflict.
9. Updates and contact
We may update this Policy from time to time to reflect changes in our practices, our Services, or applicable law. When we make material changes, we will update the version and effective date below and, where appropriate, provide additional notice.
For questions about your data, including retention or deletion of personal data, contact us at privacy@getsmartalex.com. For questions about this Policy itself, contact us at legal@getsmartalex.com.
This Policy is issued by THERCSGROUP PTE. LTD. (UEN 202543608D), 160 Robinson Road, #14-04 Singapore Business Federation Center, Singapore 068914, and is governed by the laws of the Republic of Singapore.
10. Version and effective date
This Data Retention and Deletion Policy is version 1.0 and is effective from 8 July 2026.