Data Retention and Disposal Policy

Document owner: Proofey Information Security / Compliance

Effective date: March 12, 2026

Last reviewed: March 12, 2026

Next review date: March 12, 2027

Version: 1.0

This policy defines how Proofey retains and disposes of personal data and sensitive information, in support of our Privacy Policy and compliance with GDPR, CCPA/CPRA, and other applicable regulations.

1. Purpose

This Data Retention and Disposal Policy defines how Proofey ("we," "us," or "our") retains and disposes of personal data and other sensitive information. It ensures that we:

  • Retain data only as long as necessary for defined purposes or as required by law.
  • Dispose of data in a secure, auditable manner when retention periods end or when individuals request deletion.
  • Comply with applicable data protection laws, including the GDPR, CCPA/CPRA, and other relevant regulations.

This policy supports our Privacy Policy and is intended for use by personnel responsible for data handling, development, and compliance.

2. Scope

This policy applies to:

  • All personal data and sensitive information collected, processed, or stored by us in connection with our products and services (including the Proofey application).
  • Data held in our primary systems (e.g., Supabase databases and storage), backups, logs, and any third-party systems we use to process or store user data.
  • All personnel, contractors, and agents who handle such data on our behalf.

3. Definitions

  • Personal data: Any information relating to an identified or identifiable natural person (e.g., account details, email, financial data, receipts).
  • Retention period: The length of time we keep data before it is deleted or anonymized.
  • Disposal: Secure deletion, anonymization, or destruction of data so it can no longer be used to identify an individual (except where we are permitted or required to retain it).
  • Active account: A user account that has not been deleted and is in good standing.
  • Account deletion: User-initiated or process-driven removal of an account and associated data in accordance with this policy.

4. Data Retention

4.1 General principle

We retain personal data only:

  • For as long as necessary to provide our services and fulfill the purposes described in our Privacy Policy, or
  • For as long as required by applicable law, regulation, or legitimate business need (e.g., tax, audit, dispute resolution).

4.2 Retention by category

  • Account and profile data (e.g., email, name, profile information)
    Retention period: Duration of active account.
    Notes: Deleted or anonymized upon account deletion.
  • Financial / Plaid-related data (e.g., linked account metadata, transactions, plaid_items, plaid_accounts)
    Retention period: Duration of active account.
    Notes: Stored only while the user maintains linked accounts and an active account. Deleted as part of account deletion.
  • Receipts and receipt-derived data (images, OCR text, categories, matches to transactions)
    Retention period: Duration of active account.
    Notes: Deleted as part of account deletion; associated storage objects (e.g., receipt images) are removed.
  • Support and communications (e.g., support tickets, emails)
    Retention period: As long as needed to resolve the matter, then in line with legal/operational need.
    Notes: May be retained longer if required for disputes or legal obligations.
  • Logs and operational data (e.g., access logs, error logs, audit trails)
    Retention period: As needed for security, debugging, and compliance; typically not longer than 90 days–1 year for routine logs.
    Notes: Logs that contain personal data should be minimized and retained only as necessary.
  • Backups
    Retention period: Up to 60 days after deletion from active systems.
    Notes: Data in backups may persist for up to 60 days to allow disaster recovery. After the backup cycle, data is overwritten or backups are disposed of in accordance with this policy.
  • Data retained for legal/legitimate purposes
    Retention period: As required by law or legitimate interest.
    Notes: E.g., tax, audit, legal hold, fraud prevention. Documented and reviewed periodically.
  • Anonymized or aggregated data
    Retention period: Indefinitely, where it no longer identifies individuals.
    Notes: Not considered personal data; may be retained for analytics and improvement.

4.3 Exceptions

  • Legal hold: If we are required to preserve data for litigation, investigation, or regulatory request, we will retain it in accordance with that requirement and will not dispose of it until the hold is released.
  • Regulatory requirement: Longer retention may be required by specific laws (e.g., tax, financial, employment). We will retain data for the minimum period required by such laws.

5. Data Disposal (Deletion and Secure Destruction)

5.1 Disposal principles

  • Secure: Disposal must prevent recovery of personal data by ordinary means (e.g., permanent deletion or overwriting; for physical media, secure destruction).
  • Documented: Where feasible, disposal actions (e.g., account deletion runs) should be logged for accountability and audit.
  • Complete: Disposal should cover all copies of the data in primary systems, backups (after the backup retention window), and any shared or derived datasets that can identify the individual.

5.2 User-initiated account deletion

When a user requests account deletion (e.g., via the Proofey app or our designated process, including https://proofey-app.com/delete-account):

  1. Verification: We verify the identity of the requester and that the request applies to the correct account.
  2. Deletion sequence: We execute a defined deletion sequence that removes or anonymizes, in an appropriate order (to respect referential integrity), all user-related data, including but not limited to:
    • Authentication identity (auth user).
    • Profile and account data (e.g., users table).
    • Financial and Plaid-related data: plaid_items, plaid_accounts, transactions, failed_webhooks.
    • Receipts and related data: receipts, receipt-transaction matches, receipt conversations, categories.
    • Notifications: notification_tokens, notification_history, notification_settings.
    • Other user-scoped data: businesses, insurances, verified_sender_emails, email_forwarding_logs, subscription_events, user_feature_overrides.
    • Files in object storage: profile pictures, receipt images, and other user-specific objects in designated buckets.
  3. Backups: We do not routinely restore backups solely to delete one user's data. Data in backups is retained for up to 60 days and then overwritten or retired in the normal backup cycle. We do not use backup data to reconstruct deleted user data for general use.
  4. Confirmation: Where appropriate, we confirm to the user that their account and associated data have been deleted, and we may reference our Privacy Policy for backup and legal-retention exceptions.

The technical implementation of the above is supported by our account deletion service and the delete-user-account Edge Function, which perform the deletions in the correct order.

5.3 Disposal of data when retention period expires

For data categories with a defined maximum retention period (e.g., certain logs), we will delete or anonymize data when that period is reached, using automated or scheduled processes where possible. Disposal methods must be appropriate to the system (e.g., permanent delete in database and object storage; secure deletion or decommissioning of media).

5.4 Third-party and subprocessor data

Where we use third parties (e.g., Supabase, Plaid, email providers) to process or store personal data, we:

  • Choose providers that support secure deletion and comply with our instructions and applicable law.
  • Rely on contract terms and provider documentation for retention and deletion behavior.
  • Do not retain copies in our primary systems beyond the periods stated in this policy.

Upon account deletion, we remove data from our primary systems; any residual data in a third party's environment is governed by our agreements and their policies (e.g., backup retention). We do not request restoration of backups solely to delete a single user's data.

6. Roles and Responsibilities

  • Policy owner: Maintain this policy, ensure periodic review, and approve changes.
  • Engineering / Development: Implement retention and disposal in systems (e.g., account deletion flow, retention logic, logging).
  • Operations: Ensure backup and log retention align with this policy; support secure disposal procedures.
  • Support / Privacy: Process deletion and access requests in line with this policy and the Privacy Policy.
  • Compliance / Legal: Advise on legal retention and disposal requirements; support audits and regulatory responses.

7. Compliance and Legal Alignment

  • This policy is aligned with our Privacy Policy (including the "Data Retention and Deletion" section). In the event of conflict, applicable law and the Privacy Policy take precedence for user-facing commitments.
  • We retain and dispose of data in accordance with GDPR (data minimized and retained only as necessary; right to erasure implemented via account deletion and documented exceptions), CCPA/CPRA (deletion requests honored in line with our Privacy Policy and this document), and other applicable laws in the jurisdictions where we operate.

8. Policy Review and Updates

  • This policy will be reviewed at least annually (or more frequently if required by law or significant changes in processing).
  • Changes will be approved by the policy owner and communicated to relevant personnel.
  • Significant changes that affect user rights will be reflected in our Privacy Policy and, where required, communicated to users.

9. Document History

  • Version 1.0 (March 12, 2026), Proofey Team: Initial policy.

10. References

This document is intended for internal use and compliance. It supports our public Privacy Policy and account deletion process.