ArtAML™ Data Retention and Deletion Policy

Version 1.0 | 18th June 2026

1. Purpose

1.1. This policy explains how ArtAML Limited manages the retention and deletion of personal data processed on behalf of our Clients. It sets out the periods for which data is held, the process by which it is deleted, and your responsibilities as a Client when retaining data beyond those periods.
1.2. This policy should be read alongside ArtAML’s Data Processing Agreement (‘DPA’), which sets out the contractual terms governing data retention and deletion as between ArtAML and its Clients, and ArtAML’s Privacy Policy, which sets out retention periods across all categories of personal data ArtAML processes. Where there is any conflict between this policy and the DPA, the DPA shall prevail.

1.3. ArtAML operates in accordance with UK GDPR, EU GDPR, the Data Protection Act 2018, and applicable anti-money laundering legislation.

2. Scope

2.1. This policy applies to all personal data processed by ArtAML on behalf of clients, including:

2.1.1. Due diligence records
2.1.2. Identity verification documents
2.1.3. Beneficial ownership information
2.1.4. Transaction and artwork records

2.2. ArtAML generally acts as a Data Processor on behalf of its Clients. Clients remain responsible for determining the retention period required by applicable law.

3. Legal Framework

3.1. Data Protection
3.1.1. Under UK GDPR and EU GDPR Article 5(1)(e), personal data must not be kept for longer than is necessary for the purposes for which it was collected. ArtAML applies this principle to all personal data it processes, regardless of where the data subject is located.
3.2. AML Record-Keeping Requirements
3.2.1. Anti-Money Laundering legislation requires obliged entities to retain customer due diligence records for defined periods following the end of a business relationship or transaction. The applicable retention period depends on where your organisation is registered.

3.2.2. The applicable retention periods by jurisdiction are set out in Appendix 1.

3.2.3. ArtAML configures data retention periods within the platform by reference to the client’s country of registration. Where a client operates across multiple jurisdictions, ArtAML can configure retention periods on a per-jurisdiction basis on request. Clients are responsible for notifying ArtAML of any change to their country of registration or jurisdictional scope that may affect their applicable retention period.

4. Retention Periods

4.1. Completed Tasks

4.1.1. Personal data from completed due diligence tasks is retained for the period applicable to your organisation’s country of registration, as set out in Appendix 1.

4.1.2. The retention period runs from the date on which the relevant task is marked as complete in the ArtAML platform.

4.1.3. Where a business relationship with a customer spans multiple tasks, the retention period for each task runs from that task’s individual completion date.

4.1.4. ArtAML currently calculates retention periods by reference to task completion dates recorded within the platform.

4.1.5. Clients remain responsible for ensuring that the resulting retention period satisfies their applicable AML record-keeping obligations. Where a business relationship continues beyond the completion of the relevant task, clients should contact ArtAML to discuss appropriate retention arrangements.

4.1.6. ArtAML intends to introduce a dedicated relationship-end date field to support retention calculations based on the end of a business relationship. Until that feature is available, clients with ongoing relationships spanning multiple tasks should not rely solely on individual task completion dates as a proxy for their AML retention obligations.

4.1.7. ArtAML retains completed task data for the applicable retention period set out in Appendix 1, running from the date of task completion as described in clause 4.1.2. For most clients this is five years. Data is deleted at the end of that period in accordance with the process set out in section 5, regardless of whether the client’s subscription remains active. Clients with an active subscription retain access to their data throughout the applicable retention period. The basis for this retention model and the process that applies on termination or expiry of a subscription are set out in the Data Processing Agreement.

4.2. Cancelled Tasks
4.2.1. Tasks cancelled before completion are deleted 30 days after the date of cancellation.
4.3. Active Tasks
4.3.1. Tasks that remain in progress are not subject to automatic deletion.

5. Deletion Process

5.1. Grace Period
5.1.1. When a task becomes eligible for deletion, a 30-day grace period begins. During this period:

5.1.1.1. Risk Managers receive an email notification explaining the deletion process, with the option to receive ongoing reminders.
5.1.1.2. Tasks due for deletion are displayed on the GDPR Compliance page within the application.
5.1.1.3. All data remains fully accessible.
5.1.1.4. Authorised users may download task data if they have a lawful basis for retaining it (see section 7).

5.1.2. Important: if your organisation has ongoing legal proceedings or other compliance requirements that necessitate retaining data beyond the standard period, you must download the relevant data before the grace period expires. ArtAML is not able to delay deletion on account of a client’s legal proceedings or internal requirements. See section 9 for further detail.
5.2. What Is Deleted
5.2.1. After the grace period expires, all personal data associated with a task is permanently deleted, including:

5.2.1.1. Task records and questionnaire responses
5.2.1.2. Uploaded documents and identity verification data
5.2.1.3. Identity verification session data
5.2.1.4. Permission and access records
5.2.1.5. All associated database records

5.3. Deletion events are recorded in audit logs. Grace period records (without personal data) are retained for compliance reporting purposes.
5.4. Where deleted data remains within ArtAML’s backup systems following deletion from active platform systems, ArtAML will ensure that such backup copies are permanently deleted or rendered irrecoverable within 90 days of the deletion date.

6. Account Data on Termination or Expiry

6.1. Where a client’s subscription is terminated or expires, a separate process applies to the export and deletion of account data. ArtAML will provide the client with a secure export of all account data. The client will have 30 days to download the exported data and confirm receipt. ArtAML may extend this period on request.

6.2. Following confirmation of receipt, or after expiry of the 30-day period, ArtAML will delete the client’s Organisation and all associated personal data from active platform systems. Where ArtAML is aware that applicable AML legislation requires retention beyond the subscription end date, deletion will be deferred accordingly. Clients remain responsible for ensuring their retention obligations are met.

6.3. Backup copies will be permanently deleted within 90 days of the deletion date. Full details of this process are set out in the Data Processing Agreement.

7. Downloading Data Before Deletion

7.1. Download Process
7.1.1. During the grace period, authorised users may download task data. Each download requires:
7.1.1.1. Selection of a reason for retaining the downloaded data

7.1.1.2. A written explanation of why retention is necessary

7.1.2. The download package includes the complete task data as a ZIP file and an audit PDF recording the download request, lawful basis selected, and download history.
7.2. Common Reasons for Retaining Downloaded Data
7.2.1. Common reasons for retaining downloaded data include:
7.2.1.1. Compliance with legal or regulatory obligations
7.2.1.2. Compliance with contractual obligations
7.2.1.3. Responding to legal proceedings, disputes or investigations
7.2.1.4. Internal risk management or compliance requirements
7.2.1.5. Other lawful business purposes permitted by applicable law
7.2.2. Clients remain responsible for ensuring that any retention of downloaded data complies with applicable data protection laws and any other legal obligations that apply to them.

7.2.3. “Just in case” or speculative retention may not be permissible under applicable data protection laws.

8. Your Responsibilities Upon Downloading Data

8.1. When you download data from ArtAML on behalf of your organisation, your organisation assumes sole responsibility for the downloaded copy of that data. As data controller, your organisation is responsible for its subsequent handling and compliance with applicable data protection laws. Specifically, you must:

8.1.1. Store the data with appropriate technical and organisational security measures (GDPR Article 32)

8.1.2. Delete the data when the lawful basis for retaining it expires

8.1.3. Respond to any data subject access or deletion requests relating to that data

8.1.4. Report any data breaches to the relevant supervisory authority (for example, the ICO) within 72 hours where required

8.2. These responsibilities are also reflected in your agreement with ArtAML. If you are in any doubt about your obligations as a data controller, you should seek independent legal advice.

9. When Deletion May Be Delayed

9.1. ArtAML may delay deletion only where ArtAML itself has a direct legal obligation, for example:

9.1.1. Active litigation to which ArtAML is a party
9.1.2. A regulatory investigation of ArtAML
9.1.3. ArtAML’s own tax compliance requirements

9.2. A client’s legal proceedings, regulatory enquiry, or internal retention requirement does not constitute grounds for ArtAML to delay deletion. If you need to preserve data for your own legal or compliance purposes, you must download it during the grace period (see section 5.1).

10. Data Subject Rights

10.1. Data subjects may contact ArtAML to:

10.1.1. Request information about the deletion status of their data
10.1.2. Verify that deletion has taken place
10.1.3. Exercise other rights under GDPR Articles 15–22

10.2. Where ArtAML acts solely as a Data Processor, requests will normally be referred to the relevant Client as Data Controller unless ArtAML is legally required to respond directly.

10.3. Manual deletion requests are handled separately and are subject to applicable AML record-keeping obligations, which may limit the ability to delete data before the end of the applicable retention period.

11. Policy Review

11.1. This policy is reviewed annually and updated as necessary to reflect changes in applicable law, regulatory guidance, and ArtAML’s operational practices.

11.2. Appendix 1 is updated from time to time to reflect changes in applicable AML legislation and regulatory guidance. The date of the most recent update is shown at the top of this policy. Clients are encouraged to check the current version periodically.

12. Contact

12.1. For questions about this policy, to exercise your data protection rights, or to raise a concern, please contact us using the details below:
12.1.1. ArtAML Limited, 27 Old Gloucester Street, London WC1N 3AX
12.1.2. Data Protection Officer: Dr. Chris King E: [email protected] T: +44 203 488 2966
12.1.3. General enquiries: [email protected]
12.2. You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at www.ico.org.uk or by calling 0303 123 1113, or with the supervisory authority in the EU member state of your establishment where applicable.