RECORDS GOVERNANCE POLICY
Effective Date: March 2 2026
Updated Date: March 2 2026
1. Scope & Relationship to Privacy Policy
This Records Governance, Retention, Destruction & Export Compliance Policy (“Policy”) governs Blade Marine Technologies Limited’s (“Blade”, “Company”, “we”, “us”) management of business records, commercial data, compliance documentation, export-related information, and operational logs.
This Policy supplements and operates alongside Blade’s Privacy Policy.
The Privacy Policy governs personal data processing rights and disclosures.
This Policy governs how long records are retained, how they are secured, and how they are destroyed.
By conducting business with Blade — including purchasing products, acting as a distributor, supplier, service partner, or accessing Blade systems — you acknowledge that records and related data may be created, retained, archived, and destroyed in accordance with this Policy and applicable law.
2. Governance Framework
Blade maintains a structured records governance program aligned with internationally recognized enterprise standards, including:
• ISO 9001 quality management principles (traceability and controlled documentation)
• ISO 27001 information security management principles
• GDPR storage limitation requirements
• Hong Kong Personal Data (Privacy) Ordinance
• U.S. and international taxation and recordkeeping obligations
• International export control and trade compliance regimes
This framework supports:
• Product traceability and recall capability
• Commercial and contractual enforcement
• Export control compliance
• Cybersecurity monitoring and incident response
• Warranty and product liability defense
• Regulatory and taxation compliance
3. Retention Principles
Blade applies the following core principles:
1. Lawful basis retention – Records are retained where legally required or commercially necessary.
2. Risk-based retention – Higher-risk categories (export, recall, financial) receive extended retention controls.
3. Litigation and regulatory hold – Automatic suspension of deletion upon notice of dispute, recall, investigation, export review, or cyber incident.
4. Controlled lifecycle management – Records move from active use to secure archive to destruction in a documented process.
4. Retention Categories
4.1 Corporate, Financial & Tax Records
Includes accounting records, invoices, cross-border transactions, audit files, and statutory filings.
Retention Period:
Minimum 7 years or longer where required by Hong Kong, EU, U.S., or other applicable taxation authorities.
4.2 Commercial Contracts & Distribution Agreements
Includes reseller agreements, OEM agreements, NDAs, supplier contracts, and commercial negotiations forming part of binding arrangements.
Retention Period:
Term of agreement + minimum 7 years following termination.
Extended retention may apply where linked to warranty exposure, product liability, or export compliance obligations.
4.3 Product Traceability, Quality & Recall Records
Includes:
• Serial number registers
• Manufacturing batch documentation
• Quality control and inspection records
• Testing certifications
• Service logs
• Safety reports
Retention Period:
Warranty term + up to 10 years, or longer where required by maritime safety regulations, product liability statutes, or recall obligations.
Blade maintains structured traceability systems consistent with ISO 9001 quality principles to ensure effective field corrective action capability.
4.4 Export Control & Trade Compliance Records
Includes:
• Export classification determinations
• Shipping documentation
• Customs declarations
• End-user certifications
• Restricted party screening results
• Sanctions screening logs
• Cross-border technical data transfers
Retention Period:
Minimum 5–10 years depending on jurisdictional export control requirements (including U.S. EAR-equivalent and other international regimes).
Where export reviews or regulatory inquiries arise, deletion is suspended pending resolution.
4.5 Email Communications
Routine commercial communications are retained for 1–5 years depending on operational need.
• Non-contractual and low-risk correspondence may be deleted after 1 year.
• Emails relating to contracts, pricing, disputes, export compliance, regulatory matters, recalls, warranty issues, financial records, or legal exposure may be retained for up to 5 years or longer where required by law or risk management considerations.
4.6 Telephone Records & Call Logs
Includes call metadata and recorded calls (where lawful).
Retention Period:
1–5 years depending on operational necessity.
Where required for regulatory compliance, recall support, warranty defense, export compliance, dispute resolution, or legal proceedings, retention may extend to a minimum of 5 years or longer where legally required.
4.7 Cybersecurity & System Logs
Includes:
• Authentication logs
• Access control records
• Network security logs
• Intrusion detection logs
• System audit trails
Retention Period:
12–60 months depending on system classification and risk profile.
These records support incident detection, forensic investigation, and regulatory response capability and are maintained under controlled access environments consistent with ISO 27001-aligned practices.
5. Formal Records Destruction Procedure
Blade operates a controlled and auditable destruction process.
5.1 Authorization
Records may only be destroyed:
• After expiration of the applicable retention period
• Following verification that no litigation hold, recall, export review, or regulatory inquiry applies
• With documented approval under internal governance procedures
5.2 Destruction Methods
Destruction methods are appropriate to record type and sensitivity and may include:
• Secure digital deletion with overwrite procedures
• Cryptographic erasure
• Physical shredding of paper records
• Certified destruction of storage media
• Secure disposal through approved vendors
5.3 Documentation
Destruction activities are logged to demonstrate compliance with regulatory and governance standards.
No record subject to recall traceability, export compliance obligation, tax requirement, or litigation hold may be destroyed.
6. Export Control Compliance Framework
Blade maintains a structured export compliance posture appropriate for a global OEM operating in commercial marine markets.
This includes:
• Product classification procedures
• Restricted party and sanctions screening
• Documentation of export determinations
• Control of technical data transfers
• Contractual flow-down of compliance obligations to distributors and suppliers
• Retention of export documentation in accordance with applicable law
7. Cybersecurity & Information Governance
Blade implements layered administrative, technical, and physical safeguards, including:
• Role-based access controls
• Segregated operational environments
• Encryption in transit and at rest where appropriate
• Vendor access controls
• Controlled manufacturing data environments
• Periodic access review and data minimization processes
Security controls are designed in alignment with internationally recognized information security management principles and support enterprise-grade operational resilience.
8. Regulatory & Legal Supremacy
Where a jurisdiction imposes longer retention obligations than stated herein, the longer statutory period shall apply.
Where deletion conflicts with legal defense requirements, export compliance obligations, recall duties, tax law, or regulatory mandates, such legal obligations shall prevail and override any standard retention schedule.
9. Governing Law
This Policy and any matters arising in connection with it shall be governed by the laws of the Hong Kong Special Administrative Region. Any disputes relating to this Policy shall be subject to the exclusive jurisdiction of the courts of Hong Kong, except where mandatory data protection or consumer protection laws require otherwise.
10. Severability
If any provision of this Policy is determined to be invalid, unlawful, or unenforceable under applicable law, such provision shall be deemed modified to the minimum extent necessary to make it enforceable or, if modification is not possible, shall be severed. The remaining provisions shall remain in full force and effect.
11. Entire Policy
This Policy forms part of and should be read together with Blade Marine Technologies Limited’s Privacy Policy. In the event of any inconsistency, applicable data protection law and the Privacy Policy shall prevail in relation to personal data matters.
12. Modifications
Blade Marine Technologies Limited reserves the right to update or amend this Policy from time to time to reflect changes in legal requirements, operational practices, cybersecurity standards, or regulatory obligations. Updates will be published on our website with a revised effective date. Continued use of our website or services after such updates constitutes acknowledgment of the revised Policy.
13. Assignment
Blade Marine Technologies Limited may assign, transfer, or otherwise delegate its rights and obligations under this Policy to an affiliate, successor entity, or as part of a corporate restructuring, merger, acquisition, or sale of assets. This Policy shall apply to any permitted successor or transferee.
