Xoxoday Plum retains personal data only for as long as necessary to fulfil the purpose for which it was collected, securely deletes it upon contract termination or upon request, and fulfils right-to-erasure requests within 30 days in compliance with GDPR, CCPA/CPRA, and applicable regional privacy regulations.

Retention Framework

Xoxoday Plum operates a configurable, policy-driven data retention framework built to meet the requirements of GDPR, CCPA/CPRA, and applicable regional privacy laws. Personal data is retained only for the duration necessary to fulfil the purpose for which it was collected, or as contractual and legal obligations require. Different data categories — including user profile data, transactional records, and system logs — are assigned defined retention timelines that are reviewed periodically to ensure ongoing compliance. When a precise retention period cannot be determined upfront, Xoxoday Plum applies structured review criteria to prevent data from being held longer than necessary. Retention decisions are grounded in the legal basis for processing, applicable business needs, and the rights of data subjects.

Secure Deletion and Disposal

When data is no longer required — whether at the end of a contract, following a scheduled retention review, or in response to a deletion request — Xoxoday Plum removes it from primary systems, replicated environments, and backup stores. Personal data stored electronically, including special category data such as health-related information collected for employee wellness programmes, is permanently erased using secure disposal methods. All disposal activities are documented, approved by the Data Protection Officer (DPO), and maintained in an auditable record. This governance model aligns with the accountability principles underpinning ISO 27001 and SOC 2 Type II certification frameworks, ensuring your organisation can demonstrate compliance during third-party audits.

Right to Erasure

Xoxoday Plum supports the right to erasure as defined under GDPR and equivalent global standards. Employees, end users, or administrators — including HR teams managing rewards programmes through integrations with Workday, SAP SuccessFactors, or Darwinbox — can initiate a data deletion request at any time. Each request is reviewed by the DPO to confirm it meets the applicable grounds: data is no longer necessary, consent has been withdrawn, processing was unlawful, or a legal obligation applies. Approved requests are executed within 30 days, and the requesting party receives written confirmation of deletion. This enables your organisation to respond effectively to data subject rights inquiries or regulatory audits.

Lifecycle Accountability

Xoxoday Plum’s approach to data lifecycle management ensures that confidentiality, integrity, and accountability are maintained from data collection through to final disposal. Clients retain visibility into how data is handled at each stage, and the DPO-oversight model means all retention and deletion decisions are governed, traceable, and defensible. This structured approach gives your organisation the transparency and control required to meet evolving global privacy obligations. Learn more: Xoxoday Plum Help Centre — Data, Policy & Privacy

How does Xoxoday Plum ensure GDPR compliance?

Understand how Xoxoday Plum’s data processing practices, consent management, and DPO oversight align with GDPR obligations for controllers and processors.

What data processing agreements does Xoxoday Plum provide?

Learn about the data processing agreements available to clients, including sub-processor disclosures and contractual safeguards for cross-border data transfers.