How long can a company retain your credit Card details?

xendistar · 4 February at 10:33AM

Earlier this week I found a charge on my credit card for a service (IT VPN) I stopped using back in October 2022. I have not had any correspondence with the company since I stopped using them back in 2022. My credit card I was using back in 2022 had expired and been renewed, same credit company, same account number.

My Question is once you stop dealing with a company how long should the company hold on to your credit details, should they be removed from the company systems after "X" amount of time??

I have contacted the company in question but have not had any response, I have contacted the Credit card company and requested a Charge back which is currently being reviewed.

Can anybody advise please

user1977 · 4 February at 11:05AM

Presumably they think you have an ongoing contract with them, which is why they charged you? So I'd expect them at least to be able to retain payment details until then.

Where is "IT VPN" based, I can't find them from a quick search?

Jenni_D · 4 February at 11:10AM

Have they also charged you in previous years but you've not noticed before?

MyRealNameToo · 4 February at 11:16AM

https://forums.moneysavingexpert.com/discussion/6653733/how-long-can-a-company-retain-your-credit-card-details

Nothing in your post shows that they hold your credit card details at all.

From what you are saying you stopped using the software but didnt cancel the service as such the service is continuing and therefore they have a legitimate reason to retain the details. The law doesnt set time limits per se but, assuming they are in the UK or EU and therefore subject to GDPR, give general principles of data minimisation, legitimate business need etc. As a rule of thumb it would be 7 years after the service ends given you have up to 6 years to make a claim against them plus 12 months for issues with paperwork getting to them etc.

Merchants dont necessarily hold your card details though, some card processors instead hold the card details on behalf of their clients and instead giving the merchant a hashcode to hold instead. This means the merchant doesnt need to meet the same stringent requirements as holding cards does because if no one can do anything with the hashcode if the data is stolen.

It's a standard feature for Mastercard, Visa and AmEx that for CPAs that they will update card details prior to the next payment being taken. This is precisely so that you dont get stopped for driving without insurance or have your private medication stopped because you didnt spot your card had expired. Worth noting that payments under CPA only need the card number and so the expiry date, CVV etc do not need to be stored.

born_again · 4 February at 11:49AM

In effect that can hold them as long as they like.

7 years is not unusual for tax purposes.

Company will have either requested new card details via Visa/Mastercard updater system (part of the card regulations retailer & provider sign up to) or they have processed under 16 digit card number, which odds on is the same & this will have been passed to your account.

Or are you one that thinks that replacing a card is enough to stop companies from taking funds without contacting them to cancel? see above.🤦‍♀️

Bank only have to refund any payments within 13 months, FCA regs. Over that is deemed to be consumer error for not monitoring account. Only way to get it back is from company. But for that you need proof (email etc) that you actually cancelled, & did not assume that they would no longer take payments.

xendistar · 4 February at 4:30PM

Time for some clarification. The VPN service was cancelled in October 2022 and acknowledged by the provider as they provided a service support ticket number for the cancellation. I also stopped using the service from that point.

I have checked previous CC statement and I can not see any further charges since I paid 12 months in advance in January 2022 until the one that appeared on my CC on Jan 25th 2026

As for the Company in question, I am unsure where they are based as I have not been able to find a postal address for them. I believe they are a USA company but I do not know if they have a UK or European address.

My main concern about holding my credit card details beyond the time end of my contract has been answered by "NotMyRealName" so I am happy at this stage to confirm that this enquiry is marked as resolved. Should my credit card company decline my requested Charge Back then I will return to this forum and raise a new post about recovering the Money

Jenni_D · 4 February at 4:55PM

Please don't raise a new post - just continue this one so we have all the context. 🙂

Grumpy_chap · 4 February at 5:34PM

OP - you say that the service was cancelled in October 2022 and also that you stopped using the service form that point.

You were not charged in 2023, 24, 25 but have now been charged in 2026.

Is there any possibility that the facility to access the VPN remains installed on your PC and, if so, could you have somehow accessed the service inadvertently, thus being charged again?

user1977 · 4 February at 5:40PM

I don't think anybody can tell you what rules they're meant to adhere to without knowing where in the world they are.

born_again · 4 February at 6:17PM

https://forums.moneysavingexpert.com/discussion/comment/81870099#Comment_81870099

How hard was that. About us page

About Us

It’s VPN is brought to you by:

Imladris Services S.L.
Calle Codeso 39 A
38390 Santa Úrsula
S/C Tenerife
Spain

https://itsvpn.com/about-us/

Jenni_D · 4 February at 9:35PM

OP said IT VPN, not Its VPN. 🤷‍♀️

How long can a company retain your credit Card details?

Comments

About Us

Confirm your email address to Create Threads and Reply

🚀 Getting Started

Categories

Is this how you want to be seen?

Get our FREE Weekly email full of deals & guides - and it’s spam-free