Help center • Legal
Data Retention & Destruction Policy
Version 1.0.0
The latest version of our data retention & destruction policy. These pages live in the help system so they are easy to reference from registration, listings, and support.
DATA RETENTION & DESTRUCTION POLICY
Quote My Car (Pty) Ltd (“QMC”) Version: 1.0 Effective Date: 27/11/2025
1. Introduction
This Data Retention & Destruction Policy outlines how Quote My Car (Pty) Ltd (“QMC”) manages the storage, retention, archiving, and secure destruction of personal information in compliance with:
- Protection of Personal Information Act (POPIA)
- Financial Intelligence Centre Act (FICA), where applicable
- South African tax and commercial record-keeping laws
- Industry best practices for digital platforms and auction systems
This policy covers all personal, operational, financial, and system records processed by QMC.
2. Purpose of This Policy
This policy ensures that QMC:
- Retains information only for as long as necessary
- Complies with all statutory record-keeping obligations
- Reduces risks linked to excessive data retention
- Ensures secure destruction of obsolete information
- Maintains full POPIA compliance
- Supports fraud-prevention and audit trails in the auction system
3. Scope
This policy applies to:
- Sellers
- Motor dealers
- Public auction participants
- Employees and contractors
- Operators and service providers
- All electronic and physical records held by QMC
4. Legal & Regulatory Basis for Retention
QMC retains information according to:
- POPIA Section 14 – records must not be kept longer than necessary
- FICA – 5–7 years for identity and verification records (when applicable)
- Tax laws – 5 years for financial and transactional data
- Companies Act – corporate records retention
- Audit requirements
- Fraud prevention and operational integrity needs
5. Retention Schedule
5.1 User Accounts & Profile Data
| Data Type | Retention Period |
|---|---|
| Seller profiles | Account lifespan + 2 years |
| Dealer accounts | Account lifespan + 5 years |
| Public bidder accounts | Account lifespan + 5 years |
| Contact details | Retained with account record |
5.2 Auction & Marketplace Records
| Data Type | Retention Period |
|---|---|
| Vehicle listings & associated media | 5 years |
| Dealer-only auction records | 5 years |
| Public auction records | 5 years |
| Bid logs & bidding history | 5 years |
| Buyer–seller communication logs | 3–5 years |
| Auction results & winner records | 5 years |
5.3 KYC & Verification Data
| Data Type | Retention Period | Legal Basis |
|---|---|---|
| Public bidder KYC (ID, address proof) | 5–7 years | FICA / POPIA |
| Seller identity verification | 5 years | POPIA / commercial necessity |
| Dealer verification records | 5 years | Compliance |
| Bank account verification results | 5 years | Anti-fraud / audit |
| Fraud-related behavioural logs & risk markers | 7 years | Legitimate interest |
5.4 Financial & Transactional Data
| Data Type | Retention Period |
|---|---|
| Bidder deposit records | 5 years |
| Deposit refund records | 5 years |
| Proof of payment | 5 years |
| Invoices & billing data | 5 years |
| Tax records | 5 years |
| Payment processor logs | 5 years |
5.5 System & Security Logs
| Data Type | Retention Period |
|---|---|
| System access logs | 12–36 months |
| Security incident logs | 5 years |
| Fraud-prevention behaviour logs | 3–5 years |
| Device fingerprint logs | 12–24 months |
| API & backend audit logs | 3–5 years |
5.6 Operational & Administrative Records
| Data Type | Retention Period |
|---|---|
| Internal policies & procedures | Until replaced + 5 years |
| Customer support tickets | 3 years |
| Contracts & signed agreements | Contract term + 5 years |
| Employee & contractor records | Employment term + 5–7 years |
6. Secure Storage of Records
QMC ensures secure storage using:
- Encrypted cloud servers
- Access control lists (ACLs)
- MFA for administrative access
- Segregated databases for high-risk data
- Secure backups and redundancy
- Encrypted physical storage for paper documents (if any)
Only authorised personnel may access sensitive data.
7. Secure Destruction Procedures
7.1 Destruction of Digital Records
When retention periods expire, digital information must be destroyed using:
- Cryptographic erasure
- Secure deletion tools
- Database anonymisation
- Overwriting according to industry/ISO standards
- Physical destruction of drives by approved vendors
7.2 Destruction of Physical Records
Where applicable, physical documents must be destroyed via:
- Cross-cut shredding
- Secure destruction services with certificates
Destruction certificates must be kept for 5 years.
8. Exceptions to Standard Destruction
Data may be retained beyond scheduled timelines when:
- Required by law or regulation
- Linked to ongoing audits or investigations
- Needed for dispute resolution
- Required for fraud prevention and future system protection
- Approved by the Information Officer for documented reasons
9. Suspension of Destruction (Legal Hold)
If QMC becomes aware of:
- Legal proceedings
- Regulatory investigations
- Litigation
- Audit requirements
…then ALL destruction of related data must be immediately suspended until the matter concludes.
10. Responsibilities
Information Officer
- Ensures compliance with this policy
- Approves exceptions
- Oversees secure destruction processes
IT & Technical Teams
- Implement deletion on systems
- Maintain security controls
- Manage backup lifecycle and sanitisation
Operational Staff
- Follow retention protocols
- Report risks or irregularities
11. Review of This Policy
This policy must be reviewed:
- Annually
- After any major system or business changes
- After changes in law
- After any data breach or audit finding