Data Processing and Retention Policy

Last updated: 21 June 2026

This policy explains how Sumtra handles business data stored in the platform. It supports our Privacy Policy and applies to account, business, document, customer, employee, planner, and uploaded data.

1. Ownership and Control

Customer business data belongs to the customer business or account that added it. Sumtra processes that data to provide the service, support users, secure the platform, comply with legal obligations, and maintain operational records.

2. Data We Store

  • Business details, users, roles, branding, document settings, directors, bank accounts, and templates.
  • Customers, suppliers, items, invoices, quotes, credit notes, statements, payments, and expenses.
  • Job cards, vehicle details, licence disk data, job reports, VitalSystems records, signatures, diagrams, planner records, employees, leave forms, payslips, loans, and attachments.
  • Generated PDFs, uploaded images, slip files, audit logs, security events, AI usage logs, and system emails.

3. Processing Purposes

We process data to operate the platform, generate documents, provide reports, run subscriptions, send emails, protect accounts, troubleshoot issues, improve features, and meet legal, tax, accounting, security, and compliance obligations.

4. Retention Periods

  • Active account data is retained while the account or business remains active.
  • Cancelled or inactive account and business data is generally retained for at least 5 years after the subscription ends, unless the customer requests deletion and no legal reason requires further retention.
  • Accounting, invoice, tax, employee, and legal records may be kept longer where required by law or legitimate business records obligations.
  • Security, audit, and AI monitoring logs are retained for a reasonable period to investigate abuse, errors, disputes, and compliance issues.
  • Backups may contain deleted data temporarily until the backup cycle expires.

5. Export and Deletion Requests

Customers may request export, correction, or deletion of business data by emailing info@sumtra.app. We may need to verify identity and authority over the business workspace before acting on a request.

Self-service account deletion, where available, removes the user's account access and related personal account record. Business workspace deletion is handled separately from the Businesses page by the business owner. If you need help deleting, exporting, or archiving data, contact info@sumtra.app.

6. Deletion Limits

We may decline or delay deletion where records must be retained for tax, accounting, employment, legal claims, fraud prevention, platform security, or regulatory obligations. Where deletion is not possible, we may restrict access, archive, or de-identify data where practical.

7. Cancellation and Data Retention

Subscription cancellation stops future billing for the relevant business, but it does not automatically erase all business records. To cancel future billing, sign in, go to Account > Businesses, and use Cancel Billing for the relevant business. If you cannot access the account, or if you want help preserving records for legal or accounting purposes, email info@sumtra.app.

8. Security

We use access controls, HTTPS, account security controls, logging, selected encryption, operational monitoring, backups, and administrative safeguards. No system is risk-free, so users should also keep passwords secure, manage roles carefully, and report suspicious activity.

9. Subprocessors and Third Parties

We may use service providers for hosting, email, payment processing, security checks, AI-assisted processing, and operational support. We do not sell customer business data.

10. Product Improvements

Customers may send product recommendations, workflow improvements, or feature requests to info@sumtra.app. Feedback may be reviewed and used to improve the platform.