ZYC-DATA-001 Record Keeping & Data Retention Policy
(Applies to all Zeyro staff, directors, contractors and consultants — Approved October 2025)
Background
Zeyro is required under the UK MiFID framework (as implemented in UK law through the Financial Services and Markets Act 2000 and the FCA Handbook, including SYSC 9.1 and COBS 11.8) and the UK data-protection regime — comprising the UK GDPR and Data Protection Act 2018, as currently in force — to keep complete, accurate and retrievable records of its regulated activities and any personal data it processes.
Because Zeyro does not hold client money or execute transactions, our record-keeping obligations focus on financial-promotion approvals, client onboarding, risk management, and corporate governance.
This policy defines how Zeyro creates, stores, retains and deletes records across all business lines, ensuring compliance with both data-protection and regulatory-retention requirements under UK law.
Purpose
To ensure that Zeyro:
Retains records long enough to meet UK legal and regulatory requirements.
Protects personal data under the UK data-protection regime.
Disposes of data securely and proportionately.
Scope
Applies to all information created or received by Zeyro in any form — digital or paper — relating to:
Financial promotions (approvals, withdrawals, reviews, client correspondence)
Client onboarding and due diligence
Governance, risk and compliance reporting
Employee records and training
Key Principles
1. Lawful Basis and Record Purpose
Records are held only for specified and lawful purposes, including compliance with the UK MiFID framework, AML regulations and contractual obligations.
Each record must have a clear owner (typically the policy or process owner).
Controls risk: Ensures personal and regulatory data are processed only when necessary and justified.
2. Retention Periods
| Record Type | Retention Period | Legal / Regulatory Basis |
|---|---|---|
| Financial-promotion approvals, reviews, withdrawals | 5 years from approval date | UK MiFID (COBS 11.8; SYSC 9.1) |
| Client onboarding and KYB/KYC data | 5 years after relationship end | MLR 2017 Reg 40 |
| Governance & risk records (BWRA, Board minutes, Conflicts Register) | 5 years | SYSC 9.1; Companies Act |
| Employee records & training logs | 6 years after employment end | Employment Law; UK GDPR Art. 5(1)(e) |
| Personal data not linked to a legal obligation | As short as possible; deleted when purpose ends | UK GDPR Art. 5(1)(e) |
Controls risk: Balances UK regulatory retention with the UK GDPR’s data-minimisation principle.
3. Storage and Security
All digital records are stored in SharePoint or other approved cloud environments with access control and multi-factor authentication.
Sensitive data (client identification, risk scoring, SoRs) is restricted to authorised staff.
Paper documents are rare and must be scanned, uploaded and shredded within five business days.
Controls risk: Prevents loss, unauthorised access or duplication of records.
4. Access and Retrieval
Records must be readily accessible for FCA or law-enforcement inspection.
All retrieval requests go through the MLRO or delegated compliance staff.
Data access is logged and reviewed quarterly.
Controls risk: Ensures transparency and audit readiness.
5. Deletion and Destruction
When a record reaches its retention limit, it is securely deleted or destroyed unless required for ongoing investigation or litigation.
Deletion methods: secure digital purge, overwriting or certified destruction by an approved provider.
A Record Disposal Log is maintained to evidence compliance.
Controls risk: Ensures personal data and regulatory records are not kept longer than necessary.
6. Data Subject Rights (UK Data-Protection Regime)
Individuals have the right to access, correct or delete personal data held by Zeyro under the UK data-protection regime.
Requests are handled within one month unless an exemption applies (for example, where data must be retained for a legal or regulatory obligation).
The MLRO maintains oversight of all data-subject-rights requests.
Controls risk: Demonstrates compliance with transparency and accountability requirements under the UK data-protection regime.
7. Roles and Responsibilities
MLRO / Compliance Officer – owns this policy, maintains the retention schedule and oversees disposal.
Board – approves the retention strategy and monitors compliance.
All staff – must handle records securely and report any data-handling incidents immediately.
Controls risk: Ensures governance and individual accountability are clear.
8. Review and Audit
This policy and the retention schedule are reviewed annually as part of the BWRA.
Any breach of record-keeping or data-protection obligations must be reported to the MLRO and may be notifiable to the Information Commissioner’s Office (ICO) or FCA.
Controls risk: Keeps the firm’s data-management practices aligned with evolving UK legal standards.
Last updated

