Data Retention Policy
Creator Capital Pty Ltd
Suite 302, 13/15 Wentworth Ave, Sydney NSW 2000
Email: admin@creatorcapitalmgmt.com
Last Updated: August 2025
Introduction
This Data Retention Policy outlines how Riskify collects, stores, and deletes data, particularly personal information and user-generated content, in the course of providing our Safe Work Method Statement (SWMS) generation services. We are an Australian-based service and adhere to the Privacy Act 1988 (Cth) and other relevant laws. The purpose of this policy is to be transparent about what data we retain, how long we keep it, and how we securely dispose of data when it’s no longer needed. By using Riskify, you trust us with your information, and we take that responsibility seriously by implementing retention practices that safeguard your data and respect your privacy.
Scope: This policy applies to all information collected through the Riskify platform or otherwise provided to us by users. It covers both personal data (such as account details and personal information that may be contained in SWMS content) and non-personal data (such as technical logs or aggregated usage statistics). It also applies to all forms of data storage – whether the data is stored in our primary databases, in backup archives, or on any third-party services we utilize (for example, cloud hosting providers). All Riskify staff and any service providers who handle data on our behalf are required to follow the principles in this Data Retention Policy.
Our Data Retention Principles
Riskify’s data retention practices are guided by the following principles:
Only Keep What We Need: We aim to collect and retain the minimum amount of data necessary to provide our services effectively. Data is retained only for as long as it serves a legitimate business purpose or is required by law. If information is no longer needed, we will delete or de-identify it in line with this policy and legal requirements .
Compliance with Law: As an Australian service, we comply with the Australian Privacy Principles (APPs)under the Privacy Act. APP 11.2 specifically requires that we take reasonable steps to destroy or permanently de-identify personal information when we no longer need it for any purpose for which it was collected, unless we are legally required to retain it . This means we will not keep your personal data indefinitely “just in case” – we will securely dispose of it when it is no longer necessary, except where retention is mandated (for example, by tax or accounting laws, or for resolving disputes).
Transparency: We strive to be open about our retention practices. This policy details the types of data we hold and the general timeframes for retention. If you have any questions about how long we keep specific information, you can contact us for more details. We believe you have a right to know how long your data lives in our systems.
Security Throughout Lifecycle: Data is protected with appropriate security measures during its retention period, and we apply equally stringent measures when it comes time for deletion. Whether data is actively in use, archived on a backup server, or marked for deletion, we ensure it remains secure against unauthorized access. When we dispose of data, we do so in a manner that prevents its recovery or misuse .
Types of Data and Retention Periods
Different categories of data are retained for different lengths of time, depending on their purpose and applicable legal requirements. Below is an overview of the types of data Riskify handles and our retention approach for each:
Account Information: This includes personal details you provide when you register or maintain an account with Riskify, such as your name, email address, company (if provided), and login credentials. We retain your account information for as long as your account remains active so that you can continually use our service. If you choose to cancel your subscription or delete your account, we will retain your account information for a limited period thereafter (generally up to 30 days) in case you reactivate your account or there are any issues to resolve. After that period, we will permanently delete or anonymise your account personal information, except for any data we are required to keep for legal reasons (see Legal Obligations below).
Subscription and Payment Records: We keep records of your subscription status, payment history, and billing information. This data is necessary for accounting, auditing, and compliance with Australian financial record-keeping laws. Financial transaction records (e.g. invoices, receipts, payment confirmations) are generally retained for at least 5 to 7 years, in line with Australian Taxation Office requirements and general corporate record obligations. This ensures we can produce evidence of transactions if required for tax or legal purposes. After the mandatory retention period, we archive or securely delete these records. Any credit card details or payment credentials are not stored on our servers (they may be handled by our secure payment gateway provider); however, summary records of transactions are kept as described.
SWMS Documents and User-Generated Content: A core feature of Riskify is that it generates and stores Safe Work Method Statements and related documents for your use. By default, we retain all SWMS documents you create on our platform so that you can access your past projects at any time, reuse templates, and track your safety compliance work. Keeping this history also allows us to provide you with a better user experience (for example, enabling version history or auto-populating frequently used information). These documents are stored securely in our cloud infrastructure. We will retain your generated SWMS content until you delete them or request removal, or until your account is deleted. If you delete a specific SWMS file, it will be removed from active systems immediately and from our backups within 30 days (backups may retain deleted files for a short period before they are purged in the normal backup rotation). If you delete your account entirely, all associated SWMS content will be deleted or anonymised as part of the account deletion process, after a short grace period as noted under Account Information. Important: We do not use your SWMS content for any purpose other than providing the service to you (and internal processes like backups or improving our template suggestions). We do not share your personal project content with any third parties.
Usage Logs and Analytics Data: We maintain logs of user activity and interactions on the platform (e.g., login times, actions taken, error logs), as well as aggregated analytics data. These logs are used for performance monitoring, security auditing, and product improvement. For example, we may log when a user generates a document or encounters an error, so we can troubleshoot and enhance our system. Usage logs that contain personal identifiers (like user ID or IP address) are retained for a shorter period – typically 12 months – unless we need to keep them longer to investigate security incidents or abuses. We periodically review and purge these detailed logs to avoid retaining them longer than necessary. Aggregate analytics data (which does not identify individuals) may be kept longer for historical analysis; however, this data does not contain personal information. Any analytics data that is stored in identifiable form will follow the same retention limits as other personal data.
Communications and Support Inquiries: If you contact us for support or communicate with us (via email, contact form, or chat), we may keep those communications to help address your issue and for our records. Support emails and messages are typically retained for up to 2 years, so we have context for any follow-up inquiries and can improve our customer service. In some cases, we may need to retain specific correspondence longer if it contains important information (for example, a notice of a dispute or a legal inquiry). We will treat any personal information in communications in line with our Privacy Policy and ensure it’s deleted once it’s no longer needed.
Secure Deletion and Destruction of Data
When data reaches the end of its retention period or is no longer required, we take steps to securely delete or destroy it. Our data deletion procedures include:
Permanent Deletion from Systems: We remove the data from our active databases and systems. For example, deleting a user account triggers the removal of personal details and user files from our primary database. We ensure that references to that data are also removed, so it is not accessible or recoverable through the application interface.
Removal from Backups: Riskify performs regular backups of our systems for redundancy and disaster recovery. These backups are encrypted and securely stored. When data is deleted from our active systems, it may still reside in backup files for a certain retention period. We have processes to cycle out and overwrite backups so that, after a maximum of 30 days, deleted user data will no longer exist in any of our backups. In cases where immediate purge is required (such as a verified erasure request under privacy law), we will make efforts to locate and delete personal data from backups as well, or ensure it is rendered effectively inaccessible.
Secure Destruction Methods: For any physical media (if any) or export files that contain personal information slated for deletion, we use secure destruction methods. This could include cryptographic wiping of disks, secure deletion commands, or physical destruction (shredding) of storage devices. For cloud-based storage, we rely on cloud provider tools to permanently erase data blocks. Our goal is to ensure that once data is scheduled for deletion, it is irrecoverable and cannot be reconstructed by any means .
Documentation: We maintain internal logs of data deletion events for accountability. This means there is an auditable record when user accounts or certain types of data are purged from our system. These records (which themselves contain no personal content beyond perhaps a user ID and date of deletion) are kept to confirm compliance with our retention policies and legal obligations.
Legal Obligations and Exceptions
There are certain circumstances in which we might retain data longer than our standard periods, if required to comply with legal obligations or to protect our rights:
Compliance with Law: If Australian law or regulations require us to retain certain information for a specified period, we will do so. For instance, as mentioned, financial records must be retained for a minimum period under tax laws. Similarly, under the Corporations Act or other legislation, certain business records should be kept for 7 years. We will retain any data as required to comply with applicable law and regulatory requirements, even if you request its deletion, but only for the mandated duration and purpose.
Litigation and Dispute Resolution: If we are aware of a potential legal claim, investigation, or dispute that relates to your data or use of our services, we may preserve relevant information until the issue is resolved. This is to ensure we have the records needed to establish facts and defend our company or comply with court orders. Such data will be segregated and only used for the appropriate legal purposes.
Enforcement of Terms: Sometimes data may be retained to allow us to enforce our Terms of Service or other agreements. For example, if a user has violated our terms (such as by posting prohibited content or engaging in fraudulent activity), we may retain evidence of the misconduct (like log entries or content snapshots) even after that user is banned or deleted, in case it is needed to demonstrate the breach or to cooperate with law enforcement.
Importantly, any extension of retention under these exceptions will be limited in scope and duration. We will not keep data “just in case” – there must be a concrete reason, grounded in law or our operational requirements, to hold it beyond normal periods. Additionally, even when data is retained for longer due to an exception, we will not use it for new purposes; it will only be retained in a secure state until it can be safely deleted.
Your Rights and Choices Regarding Data Retention
We strive to honor your rights concerning your personal information:
Access and Correction: As detailed in our Privacy Policy, you have the right to access personal information we hold about you and to request corrections if it is inaccurate. While this Data Retention Policy focuses on deletion, we want to remind you that you can contact us to obtain a copy of your data stored on Riskify (subject to verification of identity) and to correct any errors. This is part of ensuring we don’t keep outdated or incorrect data.
Data Deletion Requests: You have the option to request deletion of your personal data in certain cases. For example, if you wish to fully terminate your relationship with Riskify and have your personal information removed, you can contact us to request account deletion. We will then take reasonable steps to delete the personal data we hold about you (except for any data we must keep as noted in Legal Obligations above). We will confirm with you once the deletion is completed. Note that deletion of your data means you will lose access to the Riskify service and any SWMS documents stored on our platform, so we will typically verify such requests and ask you to back up any needed data before deletion.
Anonymization: In some cases, rather than complete deletion, we may anonymize your data (so it can no longer be associated with you). This might occur if we have data that is beneficial for statistical purposes (e.g., total number of SWMS created in a region) but not needed in identifiable form. Anonymization is a way to retain useful insights without retaining personal info. Once anonymized, that data is no longer subject to this Data Retention Policy as personal data (because it can’t be linked to an individual).
Opt-Out of Data Retention: Certain data (like cookies or analytics data) you may opt not to have collected in the first place, as outlined in our Cookie Policy. By minimizing what data enters our system about you (for instance, by using privacy browser settings or not providing optional profile information), you control what we hold. We encourage users to only share data that is necessary and to utilize our service’s settings to limit data collection if available.
Review and Updates of This Policy
Riskify may modify this Data Retention Policy from time to time. Changes could be needed to reflect updates in our practices, technology, or legal obligations. If we make significant changes (for example, changing how long we keep certain data or introducing new categories of data), we will provide notice to our users, such as by posting a prominent notice on our website or contacting you via email. We include a “last updated” date so you can easily see when the last changes were made. We encourage you to review this policy periodically to stay informed about how we handle your data.
This Data Retention Policy works in conjunction with our Privacy Policy, which provides more details on how we collect, use, and protect personal information. In the event of any inconsistency between this policy and our Privacy Policy or Terms of Service, this policy specifically governs issues of data retention and deletion, whereas the Privacy Policy governs broader privacy matters.
Contact Us
If you have questions or concerns about our data retention practices, or if you would like to request deletion of your data, please contact us. You can reach Riskify’s support team and privacy officer at [email protected]. We will address your inquiries promptly in accordance with applicable law. Your trust is important to us, and we are happy to explain any part of this policy or how we handle your data. By contacting us, you can also request a copy of this policy or other privacy documentation in an alternative form if required. We are here to help and committed to ensuring your information is managed responsibly throughout its life cycle with Riskify.
Data Retention Policy
Creator Capital Pty Ltd
Suite 302, 13/15 Wentworth Ave, Sydney NSW 2000
Email: admin@creatorcapitalmgmt.com
Last Updated: August 2025
Introduction
This Data Retention Policy outlines how Riskify collects, stores, and deletes data, particularly personal information and user-generated content, in the course of providing our Safe Work Method Statement (SWMS) generation services. We are an Australian-based service and adhere to the Privacy Act 1988 (Cth) and other relevant laws. The purpose of this policy is to be transparent about what data we retain, how long we keep it, and how we securely dispose of data when it’s no longer needed. By using Riskify, you trust us with your information, and we take that responsibility seriously by implementing retention practices that safeguard your data and respect your privacy.
Scope: This policy applies to all information collected through the Riskify platform or otherwise provided to us by users. It covers both personal data (such as account details and personal information that may be contained in SWMS content) and non-personal data (such as technical logs or aggregated usage statistics). It also applies to all forms of data storage – whether the data is stored in our primary databases, in backup archives, or on any third-party services we utilize (for example, cloud hosting providers). All Riskify staff and any service providers who handle data on our behalf are required to follow the principles in this Data Retention Policy.
Our Data Retention Principles
Riskify’s data retention practices are guided by the following principles:
Only Keep What We Need: We aim to collect and retain the minimum amount of data necessary to provide our services effectively. Data is retained only for as long as it serves a legitimate business purpose or is required by law. If information is no longer needed, we will delete or de-identify it in line with this policy and legal requirements .
Compliance with Law: As an Australian service, we comply with the Australian Privacy Principles (APPs)under the Privacy Act. APP 11.2 specifically requires that we take reasonable steps to destroy or permanently de-identify personal information when we no longer need it for any purpose for which it was collected, unless we are legally required to retain it . This means we will not keep your personal data indefinitely “just in case” – we will securely dispose of it when it is no longer necessary, except where retention is mandated (for example, by tax or accounting laws, or for resolving disputes).
Transparency: We strive to be open about our retention practices. This policy details the types of data we hold and the general timeframes for retention. If you have any questions about how long we keep specific information, you can contact us for more details. We believe you have a right to know how long your data lives in our systems.
Security Throughout Lifecycle: Data is protected with appropriate security measures during its retention period, and we apply equally stringent measures when it comes time for deletion. Whether data is actively in use, archived on a backup server, or marked for deletion, we ensure it remains secure against unauthorized access. When we dispose of data, we do so in a manner that prevents its recovery or misuse .
Types of Data and Retention Periods
Different categories of data are retained for different lengths of time, depending on their purpose and applicable legal requirements. Below is an overview of the types of data Riskify handles and our retention approach for each:
Account Information: This includes personal details you provide when you register or maintain an account with Riskify, such as your name, email address, company (if provided), and login credentials. We retain your account information for as long as your account remains active so that you can continually use our service. If you choose to cancel your subscription or delete your account, we will retain your account information for a limited period thereafter (generally up to 30 days) in case you reactivate your account or there are any issues to resolve. After that period, we will permanently delete or anonymise your account personal information, except for any data we are required to keep for legal reasons (see Legal Obligations below).
Subscription and Payment Records: We keep records of your subscription status, payment history, and billing information. This data is necessary for accounting, auditing, and compliance with Australian financial record-keeping laws. Financial transaction records (e.g. invoices, receipts, payment confirmations) are generally retained for at least 5 to 7 years, in line with Australian Taxation Office requirements and general corporate record obligations. This ensures we can produce evidence of transactions if required for tax or legal purposes. After the mandatory retention period, we archive or securely delete these records. Any credit card details or payment credentials are not stored on our servers (they may be handled by our secure payment gateway provider); however, summary records of transactions are kept as described.
SWMS Documents and User-Generated Content: A core feature of Riskify is that it generates and stores Safe Work Method Statements and related documents for your use. By default, we retain all SWMS documents you create on our platform so that you can access your past projects at any time, reuse templates, and track your safety compliance work. Keeping this history also allows us to provide you with a better user experience (for example, enabling version history or auto-populating frequently used information). These documents are stored securely in our cloud infrastructure. We will retain your generated SWMS content until you delete them or request removal, or until your account is deleted. If you delete a specific SWMS file, it will be removed from active systems immediately and from our backups within 30 days (backups may retain deleted files for a short period before they are purged in the normal backup rotation). If you delete your account entirely, all associated SWMS content will be deleted or anonymised as part of the account deletion process, after a short grace period as noted under Account Information. Important: We do not use your SWMS content for any purpose other than providing the service to you (and internal processes like backups or improving our template suggestions). We do not share your personal project content with any third parties.
Usage Logs and Analytics Data: We maintain logs of user activity and interactions on the platform (e.g., login times, actions taken, error logs), as well as aggregated analytics data. These logs are used for performance monitoring, security auditing, and product improvement. For example, we may log when a user generates a document or encounters an error, so we can troubleshoot and enhance our system. Usage logs that contain personal identifiers (like user ID or IP address) are retained for a shorter period – typically 12 months – unless we need to keep them longer to investigate security incidents or abuses. We periodically review and purge these detailed logs to avoid retaining them longer than necessary. Aggregate analytics data (which does not identify individuals) may be kept longer for historical analysis; however, this data does not contain personal information. Any analytics data that is stored in identifiable form will follow the same retention limits as other personal data.
Communications and Support Inquiries: If you contact us for support or communicate with us (via email, contact form, or chat), we may keep those communications to help address your issue and for our records. Support emails and messages are typically retained for up to 2 years, so we have context for any follow-up inquiries and can improve our customer service. In some cases, we may need to retain specific correspondence longer if it contains important information (for example, a notice of a dispute or a legal inquiry). We will treat any personal information in communications in line with our Privacy Policy and ensure it’s deleted once it’s no longer needed.
Secure Deletion and Destruction of Data
When data reaches the end of its retention period or is no longer required, we take steps to securely delete or destroy it. Our data deletion procedures include:
Permanent Deletion from Systems: We remove the data from our active databases and systems. For example, deleting a user account triggers the removal of personal details and user files from our primary database. We ensure that references to that data are also removed, so it is not accessible or recoverable through the application interface.
Removal from Backups: Riskify performs regular backups of our systems for redundancy and disaster recovery. These backups are encrypted and securely stored. When data is deleted from our active systems, it may still reside in backup files for a certain retention period. We have processes to cycle out and overwrite backups so that, after a maximum of 30 days, deleted user data will no longer exist in any of our backups. In cases where immediate purge is required (such as a verified erasure request under privacy law), we will make efforts to locate and delete personal data from backups as well, or ensure it is rendered effectively inaccessible.
Secure Destruction Methods: For any physical media (if any) or export files that contain personal information slated for deletion, we use secure destruction methods. This could include cryptographic wiping of disks, secure deletion commands, or physical destruction (shredding) of storage devices. For cloud-based storage, we rely on cloud provider tools to permanently erase data blocks. Our goal is to ensure that once data is scheduled for deletion, it is irrecoverable and cannot be reconstructed by any means .
Documentation: We maintain internal logs of data deletion events for accountability. This means there is an auditable record when user accounts or certain types of data are purged from our system. These records (which themselves contain no personal content beyond perhaps a user ID and date of deletion) are kept to confirm compliance with our retention policies and legal obligations.
Legal Obligations and Exceptions
There are certain circumstances in which we might retain data longer than our standard periods, if required to comply with legal obligations or to protect our rights:
Compliance with Law: If Australian law or regulations require us to retain certain information for a specified period, we will do so. For instance, as mentioned, financial records must be retained for a minimum period under tax laws. Similarly, under the Corporations Act or other legislation, certain business records should be kept for 7 years. We will retain any data as required to comply with applicable law and regulatory requirements, even if you request its deletion, but only for the mandated duration and purpose.
Litigation and Dispute Resolution: If we are aware of a potential legal claim, investigation, or dispute that relates to your data or use of our services, we may preserve relevant information until the issue is resolved. This is to ensure we have the records needed to establish facts and defend our company or comply with court orders. Such data will be segregated and only used for the appropriate legal purposes.
Enforcement of Terms: Sometimes data may be retained to allow us to enforce our Terms of Service or other agreements. For example, if a user has violated our terms (such as by posting prohibited content or engaging in fraudulent activity), we may retain evidence of the misconduct (like log entries or content snapshots) even after that user is banned or deleted, in case it is needed to demonstrate the breach or to cooperate with law enforcement.
Importantly, any extension of retention under these exceptions will be limited in scope and duration. We will not keep data “just in case” – there must be a concrete reason, grounded in law or our operational requirements, to hold it beyond normal periods. Additionally, even when data is retained for longer due to an exception, we will not use it for new purposes; it will only be retained in a secure state until it can be safely deleted.
Your Rights and Choices Regarding Data Retention
We strive to honor your rights concerning your personal information:
Access and Correction: As detailed in our Privacy Policy, you have the right to access personal information we hold about you and to request corrections if it is inaccurate. While this Data Retention Policy focuses on deletion, we want to remind you that you can contact us to obtain a copy of your data stored on Riskify (subject to verification of identity) and to correct any errors. This is part of ensuring we don’t keep outdated or incorrect data.
Data Deletion Requests: You have the option to request deletion of your personal data in certain cases. For example, if you wish to fully terminate your relationship with Riskify and have your personal information removed, you can contact us to request account deletion. We will then take reasonable steps to delete the personal data we hold about you (except for any data we must keep as noted in Legal Obligations above). We will confirm with you once the deletion is completed. Note that deletion of your data means you will lose access to the Riskify service and any SWMS documents stored on our platform, so we will typically verify such requests and ask you to back up any needed data before deletion.
Anonymization: In some cases, rather than complete deletion, we may anonymize your data (so it can no longer be associated with you). This might occur if we have data that is beneficial for statistical purposes (e.g., total number of SWMS created in a region) but not needed in identifiable form. Anonymization is a way to retain useful insights without retaining personal info. Once anonymized, that data is no longer subject to this Data Retention Policy as personal data (because it can’t be linked to an individual).
Opt-Out of Data Retention: Certain data (like cookies or analytics data) you may opt not to have collected in the first place, as outlined in our Cookie Policy. By minimizing what data enters our system about you (for instance, by using privacy browser settings or not providing optional profile information), you control what we hold. We encourage users to only share data that is necessary and to utilize our service’s settings to limit data collection if available.
Review and Updates of This Policy
Riskify may modify this Data Retention Policy from time to time. Changes could be needed to reflect updates in our practices, technology, or legal obligations. If we make significant changes (for example, changing how long we keep certain data or introducing new categories of data), we will provide notice to our users, such as by posting a prominent notice on our website or contacting you via email. We include a “last updated” date so you can easily see when the last changes were made. We encourage you to review this policy periodically to stay informed about how we handle your data.
This Data Retention Policy works in conjunction with our Privacy Policy, which provides more details on how we collect, use, and protect personal information. In the event of any inconsistency between this policy and our Privacy Policy or Terms of Service, this policy specifically governs issues of data retention and deletion, whereas the Privacy Policy governs broader privacy matters.
Contact Us
If you have questions or concerns about our data retention practices, or if you would like to request deletion of your data, please contact us. You can reach Riskify’s support team and privacy officer at [email protected]. We will address your inquiries promptly in accordance with applicable law. Your trust is important to us, and we are happy to explain any part of this policy or how we handle your data. By contacting us, you can also request a copy of this policy or other privacy documentation in an alternative form if required. We are here to help and committed to ensuring your information is managed responsibly throughout its life cycle with Riskify.