How long should freelancers keep client files and records?
Tax law tells you to keep it for years. Privacy law tells you to delete it when you are done. Both are real, and they are not talking about the same thing.
The Delivvo team· July 17, 2026 11 min read
Two rules govern how long you keep a client's material, and they point in opposite directions. Tax law says keep it for years. Privacy law says delete it when you are finished. Most freelancers resolve the tension by keeping everything forever, which obeys the first rule, breaks the second, and slowly builds a pile that can only ever hurt them.
The rules are not actually in conflict. They govern different objects. Once you see the split, the policy writes itself in about ten minutes and you never think about it again.
The floor: what tax authorities make you keep
Start with the rule that has numbers in it.
The IRS sets its retention periods by reference to how long it can still come after you. The headline is three years, but the list matters more than the headline (IRS):
3 years is the default: "Keep records for 3 years if situations (4), (5), and (6) below do not apply to you."
6 years "if you do not report income that you should report, and it is more than 25% of the gross income shown on your return."
7 years "if you file a claim for a loss from worthless securities or bad debt deduction."
4 years for employment tax records, "after the date that the tax becomes due or is paid, whichever is later."
Indefinitely "if you do not file a return" or "if you file a fraudulent return."
There is a trap sitting in the middle of that list. The six-year rule is not a choice you make. It is triggered by a mistake you may not know you made, because if you knew you had understated income by more than a quarter, you would not have filed it that way. You cannot know at filing time which bucket you are in. Which means the honest default for a freelancer is not three years. It is six.
Keep reading
The UK gives a straighter answer with a longer tail. HMRC: "You must keep your records for at least 5 years after the 31 January submission deadline of the relevant tax year." Their own worked example makes the real length clear: a 2022 to 2023 return filed by 31 January 2024 means "you must keep your records until at least the end of January 2029" (HMRC). That is close to six years from the end of the tax year it covers. File very late and it stretches further.
In the UAE, the Federal Tax Authority put out a reminder in August 2025 that under corporate tax "both Taxable Persons and Exempt Persons must retain relevant records for a period of at least seven (7) years," and warned that failing to do so "may result in late fines and penalties for tax non-compliance" (Federal Tax Authority). Exempt persons too, which catches people who assume having no tax to pay means having no records to keep.
Notice what none of these authorities asked for. Not one of them wants the client's forty gigabytes of raw footage. They want books, invoices, contracts, receipts, bank records. The things that prove a number on a return.
The ceiling: what privacy law makes you delete
Now the rule with no numbers in it, which is why people ignore it.
The GDPR's storage limitation principle requires personal data to be "kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed" (UK GDPR Article 5). There is no number because the test is relative. Necessary is measured against the purpose you collected the data for. When the purpose is done, the clock has run out, whatever your hard drive has room for.
The next line is the one that bites a solo operator: "The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1." Demonstrate. A retention period you never decided is not a defence, and "I just kept it" is not a reasoning you can show anyone.
And other people can force the question. Article 17 gives a person the right to have their data erased "without undue delay" where "the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed" (GDPR Article 17).
The escape hatch is narrow and it is the hinge of this whole piece. Erasure does not apply where processing is necessary "for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject." Your tax record-keeping duty is precisely such an obligation. So the law does not ask you to choose between the IRS and the GDPR. It tells you which parts of the pile are protected by the first rule, and leaves the rest exposed to the second.
One nuance worth holding, since it decides who is responsible for what. On your own books, your invoices, your contracts, your client list, you are the controller and the retention decision is yours. On material the client handed you to work on, their customer export, their user database, their subscriber list, you are usually a processor acting on their instructions, and the answer to how long you keep it should be in the contract. If it is not in the contract, you are improvising with someone else's liability.
The two rules are about different things
Here is the split that dissolves the problem.
The record is the contract, the invoice, the proof of payment, and the moment the client accepted the work. It is small. It is mostly names, dates, and amounts. It is legally required for years, and it is the thing every tax authority above is actually asking about.
The raw material is everything else. The forty gigabytes of footage. The customer export they gave you to build the dashboard. The layered PSDs, the staging database dump, the credentials, the folder of headshots. It is large, it is frequently full of other people's personal data, and no tax authority has ever wanted a byte of it.
Keep the first. Delete the second.
Almost nobody does, and the reason is not laziness. It is that in a normal freelance setup the two things live in the same place. One folder per client, dragged into Drive across two years, holding the signed PDF and the client's entire customer list side by side. One folder gets one policy. And the safest-looking policy for a folder you cannot see inside of is forever.
That is the actual bug. The question was never "how long do I keep things." It is that "things" is one undifferentiated pile, so it gets one rule, and the one rule is the wrong rule for half of what is in there.
Forever is a terrible answer for the raw material. It is the maximum-damage version of every bad day available to you: the breach, the stolen laptop, the subpoena, the erasure request you cannot honour, the ex-client asking what you still hold two years after the invoice cleared. None of that risk is earning you anything. You finished the job.
A pile of old paper files in worn folders, the undifferentiated heap most freelancers actually keep
Regulators have started looking at exactly this
This stopped being theoretical recently. European regulators spent 2025 running a coordinated study of how organisations actually handle deletion, and published it in February 2026.
The numbers give it weight: "32 DPAs across Europe took part in this initiative" and "a total of 764 controllers across Europe responded to the action" (EDPB). These were not corner shops. They ranged from SMEs to multinationals, many with actual compliance teams and budgets.
Two of the findings should stop a freelancer cold. Controllers reported difficulties with "the determination of retention periods and the deletion of personal data in the context of back-ups." And some were leaning on "inefficient anonymisation techniques to handle erasure requests as an alternative to deletion," which is a formal way of saying they renamed things instead of removing them.
Read that as a freelancer and the message is not comforting, it is clarifying. The two hardest problems across 764 organisations with staff and lawyers are the exact two things you are currently handling on instinct: never deciding a retention period, and never dealing with backups.
The backup problem nobody solves
You deleted the folder. Did you?
Time Machine has it. Backblaze has it. The Drive trash holds it for thirty days. Version history holds an older copy longer. There is an external drive in a desk drawer from 2023 that has it. You emailed yourself a zip of it once. The client's WeTransfer link may still resolve.
The EDPB flagged backups specifically, and they flagged it because it is genuinely hard rather than because everyone is careless. Backups exist to defeat deletion. That is their entire purpose. A system designed so that nothing is ever really gone is going to be bad at making things really gone.
You do not have to solve this the way a bank solves it. You have to know where copies land and have a sweep that reaches them. If your answer to "where are the copies" is a shrug, you do not have a retention policy. You have a hope.
A policy that fits on one page
This is the whole thing, and it is short:
Decide two numbers, not one. Records: seven years. That clears the IRS six-year exposure, HMRC's five-after-January, and the FTA's seven in one move. Raw material: thirty to ninety days after final payment, unless the contract says otherwise.
Put it in the contract. "Contractor will retain project files for 90 days after final payment and delete them thereafter" protects both sides and pre-empts an awkward conversation later.
Warn before you delete. One email at day sixty. It reads as professional rather than as housekeeping, and it is a decent last touch on a finished job. It fits naturally into an offboarding checklist.
Keep the record small enough that keeping it costs nothing. A signed contract PDF and an invoice snapshot are kilobytes. Storage is not the reason you are deleting anything.
Know where the copies are. Write the list once: backup software, cloud trash, email, external drives, transfer links. It takes an afternoon and it never needs doing again.
Never hold credentials past handover. Rotate at offboarding. The client's admin password in your manager is a liability with no upside for either of you.
Hands sorting documents into a cardboard file box, separating the record from the raw material
Making the split actually possible
The reason the record-versus-raw-material split stays theoretical for most freelancers is that their tools cannot perform it. Deleting a client folder deletes the evidence along with the footage, so nobody deletes anything.
This split is the thing Delivvo is built around, and the mechanic is worth being specific about. The moment a contract is signed or an invoice is paid, Delivvo snapshots it: a frozen PDF, the line items, the amount, the currency, and the timestamp of the moment it reached that state, written into a private archive. That archive is deliberately decoupled from the live project. Delete the client, delete the project, delete the document itself, and the archived snapshot survives, with the names, emails, and project title preserved on the record so it still makes sense on its own years later.
Which means clearing out a finished client's working files stops being an act of self-harm. Keep the record, bin the raw material, as two separate actions rather than one impossible one. The client's files, the approvals, and the invoices all live in one portal while the job is live, so you know what you hold instead of guessing. And payments run straight through your own gateway, because Delivvo takes 0% of client payments and never touches the money.
Delivvo snapshots every signed contract and paid invoice into an archive that survives deleting the client, the project, and the document itself. So you can delete a finished project's files on schedule without losing the record your tax authority will ask for. See how it works.
The bottom line
Keeping everything forever feels like caution. It is the opposite. It satisfies a tax rule that only ever wanted your invoices, while quietly breaking a privacy rule that had a genuine point, and it grows the blast radius of every bad day you have not had yet.
Split the pile. The record is small, cheap, and required, so keep it for seven years and stop thinking about it. The raw material is large, risky, and finished, so give it ninety days and let it go. Write both numbers into the contract, tell the client before the second one runs out, and find out where your backups actually are. That is the whole policy, and it is shorter than the folder you are avoiding.