Data Retention & Deletion Policy

Issued by the Traxlo group of companies:

Traxlo UAB — Saulėtekio al. 15-1, LT-10224 Vilnius, Lithuania, legal entity code 305546038
Traxlo sp. z o.o. — ul. Sucha 3 / P. II, 50-086 Wrocław, Poland, KRS 0000905450, NIP 8992901577
Traxlo Ltd — 5th Floor, 167-169 Great Portland Street, London W1W 5PF, United Kingdom, Company Number 16868283

(collectively, "Traxlo")

Document version: 1.0 Last updated on: 2026-05-05 Document owner: Traxlo Data Protection Officer Review cadence: annual, or on legal/regulatory change

1. Purpose

This Policy sets out Traxlo's commitments regarding the retention, anonymization, and deletion of Personal Information processed across all of Traxlo's services and customer engagements, in compliance with:

Regulation (EU) 2016/679 ("EU GDPR") — for processing under the establishment of Traxlo UAB (Lithuania) and Traxlo sp. z o.o. (Poland), and for processing concerning data subjects in the European Economic Area;
United Kingdom GDPR and the Data Protection Act 2018 ("UK GDPR") — for processing under the establishment of Traxlo Ltd (United Kingdom), and for processing concerning data subjects in the United Kingdom;
Applicable national laws of each jurisdiction in which Traxlo operates, including but not limited to Lithuanian, Polish, Romanian, and English law (Appendix A).

The Policy operationalises Articles 5(1)(c), 5(1)(e), 17, 28(3)(g), and 32 of the EU GDPR (and the corresponding articles of the UK GDPR) for the operation of the Tasku platform, and applies to Traxlo's relationships with Taskers (independent service providers), customer organisations, end users, and third-party data subjects whose Personal Information is processed in the course of providing the service.

Where (a) a customer security or data-protection agreement (e.g. a Vendor Information Security Requirements Agreement, Data Processing Agreement, or equivalent contractual instrument), (b) a mandatory retention or erasure obligation under applicable national or EU legislation, or (c) a valid erasure request by a data subject under Article 17(1) GDPR (to which no Article 17(3) exception applies), requires a stricter retention or deletion outcome than this Policy, that requirement prevails for the affected engagement or record.

A detailed internal specification covering each system, table, and data field is maintained by Traxlo and made available to customers, regulators, and auditors on request.

2. Scope

This Policy applies to all Personal Information processed by Traxlo across:

The Tasku mobile and web applications used by Taskers and customer personnel
The internal administration platform used by Traxlo personnel