Data Retention Policy

How STALLZERO retains, manages, and deletes your personal data in compliance with applicable privacy laws.

Last Updated: January 30, 2026

•

Next Scheduled Review: July 30, 2026

Policy Overview

STALLZERO ("we," "our," or "us") is committed to responsible data management. This Data Retention Policy outlines how long we retain different categories of personal data, the criteria used to determine retention periods, and the processes for secure data deletion.

This policy is designed to comply with applicable data protection regulations including:

General Data Protection Regulation (GDPR) - European Union
California Consumer Privacy Act (CCPA) - United States
California Privacy Rights Act (CPRA) - United States
Financial industry regulations and Plaid partnership requirements

Scope of This Policy

This policy applies to all personal data collected, processed, and stored by STALLZERO, including:

Account information (name, email, profile data)
User-generated content (tasks, goals, journal entries, etc.)
Financial data (bank connections, transactions, budgets)
Authentication data (passwords, MFA factors, session tokens)
Usage and analytics data
Third-party integration data (Google, Plaid, etc.)
Support and communication records

Data Retention Schedule

The following table outlines our retention periods for different categories of data:

Data Category	Retention Period	Basis for Retention
Account Information	Duration of account + 30 days	Contractual necessity, account recovery
User Content (Tasks, Goals, Journal)	Duration of account + 30 days	Service delivery, user request
Financial Data (Transactions)	7 years from transaction date	Tax/legal requirements, financial regulations
Bank Connection Tokens	Until disconnected or account deletion	Service functionality, Plaid requirements
Authentication Data (Passwords)	Duration of account	Security, access control
MFA/2FA Factors	Until disabled or account deletion	Security requirements
Session Tokens	24 hours - 30 days (depending on type)	Session management, security
Google OAuth Tokens	Until revoked or account deletion	Integration functionality
Support Tickets	3 years from resolution	Quality assurance, dispute resolution
Usage Analytics	2 years (anonymized thereafter)	Service improvement, legitimate interest
Consent Records	Duration of account + 7 years	Legal compliance, audit trail
Backup Data	90 days from primary deletion	Disaster recovery, data integrity

Financial Data - Special Handling

Financial data connected through Plaid and similar services receives special handling to comply with financial industry regulations and our partnership agreements:

Bank account credentials: Never stored by STALLZERO - handled directly by Plaid
Access tokens: Encrypted at rest, automatically revoked upon account deletion or user request
Transaction history: Retained for 7 years per tax and financial compliance requirements
Account balances: Refreshed data only, historical balances retained with transactions

Important: Upon account deletion, we immediately revoke all Plaid access tokens and cease fetching new financial data. Historical transaction data may be retained in anonymized form for the legally required period.

Data Deletion Process

User-Initiated Deletion

Users may request deletion of their account and personal data at any time through:

Settings → Privacy & Consent → Request Data Deletion
Email request to privacy@stallzero.com

Deletion Timeline

Immediate (Within 24 hours)

Account access disabled, third-party tokens revoked, active sessions terminated

Within 30 days

Primary data deleted from production systems, anonymization of retained analytics

Within 90 days

Removal from backup systems, confirmation email sent to user

Data That May Be Retained

Certain data may be retained beyond the deletion request due to legal obligations:

Financial transaction records (7 years - tax compliance)
Consent records (7 years - legal compliance)
Records required for ongoing legal proceedings
Anonymized statistical data (not personally identifiable)

Automatic Data Deletion

We implement automated processes to ensure data is not retained beyond necessary periods:

Session tokens: Automatically expire and are purged daily
Temporary files: Deleted within 24 hours of creation
Failed upload data: Purged within 7 days
Inactive accounts: Notified after 12 months of inactivity, data deletion after 18 months
Expired OAuth tokens: Removed within 30 days of expiration

Security During Retention

All retained data is protected using industry-standard security measures:

Encryption at rest (AES-256) and in transit (TLS 1.3)
Access controls with principle of least privilege
Regular security audits and penetration testing
Secure deletion methods (cryptographic erasure where applicable)
Backup encryption with separate key management

Policy Review Schedule

This Data Retention Policy is reviewed and updated on a regular schedule:

Regular Review: Every 6 months (January and July)
Ad-hoc Review: When regulations change, new data types are collected, or partnerships require
Audit: Annual third-party compliance audit

Review History:

• January 30, 2026 - Initial policy creation for Plaid onboarding
• Next scheduled review: July 30, 2026

Your Rights

You have the following rights regarding your data retention:

Right to Access: Request a copy of all data we hold about you
Right to Rectification: Correct inaccurate data
Right to Erasure: Request deletion of your data (subject to legal retention requirements)
Right to Restrict Processing: Limit how we use your data
Right to Data Portability: Export your data in a machine-readable format
Right to Object: Object to processing based on legitimate interests

To exercise these rights, visit Settings → Privacy & Consent or contact us at privacy@stallzero.com

Contact Us

For questions about this Data Retention Policy or to exercise your data rights:

Email: privacy@stallzero.com
Data Protection Officer: dpo@stallzero.com
Website: stallzero.com