1. Introduction

This Data Retention Policy explains how CertFetch (“we”, “our”, “us”) retains documents, account information, and security/audit data for brokers, clients, subcontractors, and website users. This policy is designed to align with the New Zealand Privacy Act 2020 and the Australian Privacy Act 1988 (including the APPs).

2. CertFetch Is a Document Platform (Not Your Sole Archive)

CertFetch is a document management and sharing platform. We are not an official government archive or a regulated records custodian.

Brokers and businesses remain responsible for meeting any record-keeping obligations that apply to them (including insurance and business record retention requirements). CertFetch can support your record keeping, but it should not be treated as your only system of record unless you have assessed it for your specific compliance needs.

3. What We Retain and For How Long

3.1 Insurance Documents & Uploaded Files

Documents stored in CertFetch are retained for as long as they remain in an active account, unless removed by an authorized user (subject to plan limits, permissions, and any applicable retention controls).

• Clients may delete documents they own or manage (subject to permissions).
• Brokers may delete documents they uploaded or manage for linked clients (subject to permissions).
• Subcontractor uploads are retained until deleted by the requesting client or their linked broker.

Replacements create new versions. Version history and document activity may remain available within the platform unless versions are deleted by an authorized user or removed as part of account closure.

3.2 Deleted Documents

When a document is deleted, it is removed from normal access within the platform. We then process deletion from active storage systems in accordance with our operational processes, which may include short delays due to security controls, queue processing, integrity checks, and disaster recovery safeguards.

We do not keep deleted document content for longer than necessary for operational security and integrity, unless retention is required by law, a valid legal request, or a legitimate need to investigate fraud, abuse, or security incidents.

3.3 Account Information

Account details (such as name, email, company details, permissions, and settings) are retained while an account is active.

When an account is closed or deleted, we will delete or anonymize personal information where reasonably possible and legally permitted. Some information may be retained where needed for:

• security and fraud prevention
• auditability and dispute resolution
• billing, tax, and accounting obligations (where applicable)
• legal compliance and enforcement of our terms

3.4 Audit Trails & Security Logs

CertFetch maintains audit and security records to protect users and ensure platform integrity. This may include login history, document access events, share activity, administrative access logs, rate-limit and abuse detection events, and system notifications.

Typical retention windows are:

• Security logs: retained for a limited period (generally 30–180 days) unless needed longer for incident investigation
• Audit trails related to documents and access: retained while the related account or documents remain active, and may be retained after closure where required for compliance or dispute resolution
• Billing/accounting records (if applicable): retained for the period required by law

4. Broker and Business Responsibilities

Brokers and businesses may be required to retain certain records under New Zealand and/or Australian laws and professional obligations. CertFetch does not provide legal advice and does not determine what your business must retain.

You should maintain retention and archiving processes appropriate to your business and licensing obligations. If you choose to rely on CertFetch as part of those processes, you remain responsible for ensuring your retention approach is compliant.

5. Storage Locations

CertFetch stores and processes data using trusted infrastructure providers, which may include:

• AWS S3 (typically Australia/Sydney region or equivalent)
• PostgreSQL for metadata and account information
• Encrypted storage and time-limited access controls (e.g., presigned links)

6. User-Controlled Deletion

Users may delete documents or request account closure at any time, subject to permissions and the structure of linked accounts (for example, broker-client relationships and team access).

We may delay or limit deletion where required to comply with law, protect other users, prevent fraud, or maintain platform security and integrity.

7. Changes to This Policy

We may update this policy from time to time. Continued use of CertFetch after changes take effect constitutes acceptance of the updated policy.

8. Contact

For questions about data retention, contact: privacy@certfetch.com