Last updated: May 2026 · Gaia Search Ltd · Company No. 15162203 · Version 1.0
Plain English summary: We only keep personal data for as long as we genuinely need it. This policy sets out exactly how long we keep different types of data, why, and how we delete it securely. It applies to all personal data held by Gaia Search Ltd in any format.
This policy applies to all personal data processed by Gaia Search Ltd in the course of our recruitment activity, including data held in email, WhatsApp, spreadsheets, cloud storage, and any third-party tools we use.
The UK General Data Protection Regulation (UK GDPR) requires that personal data is kept in a form that permits identification of individuals for no longer than is necessary for the purpose for which it was collected. This is the "storage limitation" principle under Article 5(1)(e).
This policy exists to ensure we comply with that obligation, minimise the risk of data breaches, and give candidates and clients confidence that their data is handled responsibly.
Important: Keeping data longer than necessary is a compliance risk. Staff should not retain personal data "just in case" — if there is no active recruitment purpose for holding the data, it should be reviewed for deletion.
The table below summarises our standard retention periods by data category. Full detail is in Sections 3–6.
| Data Category | Retention Period | Trigger for Deletion |
|---|---|---|
| Active candidate (placed or recently active) | 2 years | From date of last meaningful contact |
| Registered CV — no subsequent contact | 1 year | From date of registration |
| Candidate not placed, no contact in 12 months | Delete or re-consent | 12 months from last contact |
| Placed candidate (successful placement) | 3 years | From date of placement |
| Client contact data (active relationship) | Duration of relationship + 2 years | From end of active engagement |
| Client contact data (no active relationship) | 2 years | From last meaningful contact |
| Website enquiries / contact form submissions | 1 year | From date of submission |
| Email correspondence (recruitment-related) | 2 years | From date of last relevant activity |
| Invoices and financial records | 6 years | From end of financial year — legal requirement (HMRC) |
| Contracts with clients | 6 years | From contract end date — limitation period |
| Website analytics (aggregated) | 26 months | Rolling — standard Google Analytics default |
Where a candidate submits their CV via our website but there is no subsequent contact, interview or placement, we will retain their data for 1 year from the date of registration. After this, data will be securely deleted unless the candidate has re-engaged with us.
Where we are actively working with a candidate — submitting them for roles, arranging interviews, or maintaining regular contact — we will retain their data for 2 years from the date of our last meaningful interaction. "Meaningful interaction" means a substantive exchange, not an automated email.
Where a candidate has been placed in a role through Gaia Search, we will retain their data for 3 years from the date of placement. This allows us to maintain an appropriate relationship, provide reference information if needed, and consider the candidate for future opportunities.
If 12 months pass with no meaningful contact and the candidate has not been placed, we will either delete the candidate's data or contact them to seek renewed consent to retain their details on file. If no response is received within 30 days of our re-consent request, data will be deleted.
Candidate right to erasure: Any candidate can request deletion of their data at any time, regardless of these retention periods. We will process such requests within 30 days. See Section 8.
We do not routinely collect special category data (e.g. health information, ethnicity, disability). If a candidate voluntarily shares such information (for example, to request reasonable adjustments), it will be held only for the duration of the active recruitment process and deleted immediately afterwards unless the candidate requests otherwise.
Contact data for individuals at client organisations will be retained for the duration of the active relationship plus 2 years. This allows us to maintain appropriate post-engagement contact and address any queries that may arise after a placement.
Where there has been no active engagement with a client organisation for 2 years, individual contact records will be reviewed. Where there is no reasonable prospect of re-engagement, data will be deleted. Where there is a legitimate reason to maintain contact, records may be retained with an updated date.
Briefing notes and role specifications containing personal contact information will be retained for 2 years from the date of the brief, or until the end of the client relationship, whichever is later.
Where someone contacts us via the website contact form or by email without entering into an active recruitment process, their data will be retained for 1 year from the date of their enquiry. If the enquiry leads to an active recruitment engagement, the relevant candidate or client retention period will apply instead.
WhatsApp conversations relating to active recruitment will be treated in the same way as email correspondence — retained for 2 years from the date of last relevant activity. Chats with no recruitment outcome will be deleted after 1 year.
If we use Google Analytics or similar tools, aggregated analytics data (which does not identify individuals) is retained for up to 26 months on a rolling basis, in line with Google's standard data retention settings.
Certain records must be retained for legal or regulatory reasons, regardless of the personal data they contain:
Where financial or contractual records contain personal data (e.g. a candidate's name on an invoice), that data will be retained for the duration required by law, after which the record will be deleted or anonymised.
When data reaches the end of its retention period, or when a deletion request is received, we will take the following steps:
Emails and WhatsApp conversations containing the individual's personal data will be permanently deleted from our inbox and any archived folders. We will not retain "just in case" copies.
Candidate and client records in any spreadsheet, database or CRM tool will be permanently deleted. Where a record cannot be fully deleted (e.g. a shared system), it will be anonymised so that the individual can no longer be identified.
CV documents, cover letters and any other files containing personal data will be permanently deleted from cloud storage (e.g. Google Drive, Dropbox, email attachments). We will also check sent items and trash folders.
Where personal data is held by a third-party tool or service provider on our behalf, we will notify them of the deletion requirement and confirm deletion within 30 days.
Deletion review: We conduct a data audit at least once per year to identify and delete records that have exceeded their retention period. This review takes place in January each year.
Any individual has the right to request deletion of their personal data at any time, regardless of the retention periods set out in this policy. We will process such requests within 30 days of receipt.
Email hello@gaia-search.com with the subject line "Data Deletion Request" or "Data Access Request". We may need to verify your identity before processing the request.
We may decline a deletion request in limited circumstances — for example, where we have a legal obligation to retain the data (such as a financial record required by HMRC). In such cases, we will explain why and delete all other data relating to the individual.
We will acknowledge your request within 5 working days and complete the deletion (or provide a reasoned response if we are unable to comply) within 30 days. Where the request is complex, we may extend this by a further 2 months, but will notify you within the first 30 days if this is the case.
This policy will be reviewed at least annually, or sooner if there is a change in our data processing activities, a relevant change in the law, or following any data incident.
In January each year, we will review all personal data held by Gaia Search to:
Retaining personal data beyond the periods set out in this policy without a documented justification constitutes a breach of UK GDPR. Any suspected breach should be reported promptly so it can be assessed and, if necessary, reported to the ICO within 72 hours.
For questions about this policy, to make a data access or deletion request, or to raise a concern about how your data has been handled:
Gaia Search Ltd
Email: hello@gaia-search.com
Subject line: "Data Request" or "Data Retention Query"
Company Registration No: 15162203
London, UK
If you are unhappy with how we have handled your data, you have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk or on 0303 123 1113.