Director General, Mindbox Ltd.

“13” August 2021

Data Retention and Deletion Policy

  1. Subject Matter and Purpose

    The purpose of this Policy is to ensure that the necessary records and documents are properly protected and maintained, and that records that are no longer required by Mindbox Ltd. (the “Company”) or are of no value to the Company are destroyed in due course. This Policy is also intended to help Company employees understand their responsibilities for storing electronic documents, including email, web files, text files, PDF documents, Microsoft Office files, and any other file formats.

    This Policy sets the required retention periods for certain categories of personal data and sets minimum standards that should be applied when personal data is destroyed in the Company.

    This Policy applies to all departments, business processes and IT systems in all countries where the Company operates.

    This Policy applies to all Company officers, directors, employees, agents, affiliates, contractors, consultants, and service providers who may collect, process, or have access to personal data. All of the above individuals are responsible for reviewing this Policy and ensuring that it is properly enforced.

  2. Retention Rules

    As indicated below, the rules for storing personal data vary depending on the format of their recording, as well as the legal basis for processing them.

    If for any category of documents not specifically defined in other sections of this Policy (and in particular within the data retention schedule), and unless otherwise provided by applicable law, the required retention period of such document will be considered equal to the limitation period of the data subject, depending on the jurisdiction of the data subject.

    As an exception to the retention periods within the retention schedule data can be extended in such cases as stipulated by the applicable law.

    The company and its employees should regularly review all stored personal data to determine whether the relevant personal data should be destroyed as soon as the purpose of processing has been achieved. The schedule for storing personal data is set out in Appendix 1 to this Policy.

    The General responsibility for data destruction lies with the personal data protection officer.

    After a decision is made to delete the personal data in accordance with the storage Schedule, it must be deleted. The method of deleting personal data depends on the type and nature of the document. Thus, any documents containing sensitive information (especially special categories of personal data) are subject to secure electronic deletion.

    Appropriate control measures should be provided to prevent the irreversible loss of the Company’s material information as a result of malicious or unintentional destruction — such control measures are described in Data Breach Policy.

  3. Electronic Records Storage

    All electronic documents and emails must be stored in the appropriate storage (shown below) to ensure applicable security controls, backup, storage, and deletion of data.

  4. Update and entry into force of the Policy

    This Policy will be updated as necessary to reflect current legislation, official recommendations, and current practices.

    This Policy is considered effective from the moment August 13, 2021.


Appendix 1 to Data Retention and Data Deletion Policy (Data Storage Schedule)

Appendix 2 to Data Retention and Data Deletion Policy (Data Deletion Log)