← Back to Finance AI

Data Retention & Deletion Policy

Effective Date: January 1, 2025 · Last Reviewed: March 25, 2026

1. Purpose

This policy defines how Finance AI (“the Company”) retains, archives, and deletes personal and financial data. It ensures that data is kept only as long as necessary to fulfill the purposes for which it was collected, and that deletion is performed securely and in compliance with applicable data privacy laws including the California Consumer Privacy Act (CCPA), the General Data Protection Regulation (GDPR), and other relevant regulations.

2. Scope

This policy applies to all personal data, financial data, and metadata collected, processed, or stored by the Company, whether in production databases, backups, logs, or third-party systems.

3. Data Minimization Principles

  • Collect only what is needed: We collect the minimum data required to provide the service. For example, we request only the Plaid product scopes necessary for account balances and transactions — not the full range of available financial data
  • Limit processing scope: Data is processed solely for the purposes described in our Consumer Consent Policy. No personal or financial data is used for advertising, profiling, or sale to third parties
  • Anonymize where possible: When data is sent to AI services for generating financial insights, personally identifiable information is stripped and only anonymized or aggregated transaction data is transmitted
  • Restrict access: Access to personal data is limited to the authenticated user and authorized personnel with a legitimate operational need

4. Retention Schedule

The following table defines retention periods for each category of data:

Data CategoryRetention PeriodTrigger for Deletion
Account profile (name, email)Duration of active accountAccount deletion request
Plaid access tokens (encrypted)Until bank account is disconnected or account is deletedDisconnect action or account deletion
Financial data (transactions, balances)Duration of active accountAccount deletion request
Manually entered data (stocks, mortgages)Duration of active accountUser deletion or account deletion
AI chat historyDuration of active accountAccount deletion request
Stripe customer & subscription dataAs required by tax/financial regulations (up to 7 years)End of legal retention obligation
Application logs & analytics90 days (anonymized)Automatic rolling deletion
Database backups30 daysAutomatic rolling deletion

5. Deletion Procedures

5.1 User-Initiated Deletion

Users may request deletion of their account and all associated data at any time by contacting privacy@financeai.app. Upon receiving a verified request:

  • All personal and financial data is permanently deleted from production databases within 30 days
  • Plaid access tokens are revoked, terminating data access from the linked institution
  • Data in rolling backups is purged as backups expire (within 30 days)
  • A confirmation email is sent to the user once deletion is complete

5.2 Bank Account Disconnection

When a user disconnects a linked bank account, the associated Plaid access token is immediately revoked and deleted. Historical transaction data from that account is retained on the user’s dashboard unless the user explicitly requests its removal.

5.3 Automated Deletion

  • Application logs older than 90 days are automatically purged
  • Database backups older than 30 days are automatically deleted by the hosting provider (Neon)

5.4 Secure Destruction

All deletion operations are permanent and irreversible. Data is deleted from the database (not merely soft-deleted or archived). Encrypted tokens are destroyed along with access to the corresponding encryption keys where applicable.

6. Legal & Regulatory Compliance

  • CCPA: California residents may exercise their right to deletion under CCPA. We will honor verified requests within 45 days
  • GDPR: EU residents may exercise their right to erasure (“right to be forgotten”) under Article 17. We will honor verified requests within 30 days
  • Exceptions: Data may be retained beyond the standard retention period only where required by law (e.g., tax records, legal holds, or regulatory obligations). In such cases, the data is retained for the minimum period required and then permanently deleted

7. Policy Enforcement & Review

  • This policy is reviewed and updated at least annually, or when changes to infrastructure, vendors, or regulations require it
  • The Security Lead is responsible for enforcing this policy and ensuring all retention schedules are followed
  • Violations of this policy are treated as security incidents and investigated accordingly

For questions about this policy or to request data deletion, contact privacy@financeai.app.