Data Retention and Disposal Policy
Last updated: January 8, 2026
1. Purpose
This Data Retention and Disposal Policy outlines how Expense Tracker ("we," "our," or "us") retains, manages, and disposes of user data. This policy ensures compliance with applicable data protection laws and demonstrates our commitment to responsible data stewardship.
2. Data Categories and Retention Periods
| Data Category | Retention Period | Justification |
|---|---|---|
| Account Information | Duration of account + 30 days | Service provision and account recovery |
| Transaction Data | 7 years | Tax compliance and financial record-keeping |
| Bank Connection Tokens | Until disconnection | Required for ongoing bank synchronization |
| Authentication Credentials | Duration of account | Account security and access |
| Session Data | 30 days after last activity | Session management and security |
| Authentication Challenges | 5 minutes | Security - prevents replay attacks |
| Unverified Accounts | 7 days | Allow time for email verification |
3. Data Deletion Procedures
3.1 User-Initiated Deletion
Users may request deletion of their account and associated data at any time through:
- The Settings page within the application
- Contacting us at privacy@expensetracker.app
Upon receiving a deletion request, we will:
- Immediately revoke all bank connections via Plaid
- Delete all personal data within 30 days
- Send confirmation once deletion is complete
3.2 Automatic Data Disposal
The following data is automatically disposed of:
- Expired sessions: Purged 30 days after last activity
- Authentication challenges: Deleted after 5 minutes
- Unverified accounts: Removed after 7 days
- Disconnected bank tokens: Immediately upon user disconnection
4. Data Disposal Methods
When data reaches the end of its retention period, we employ the following disposal methods:
- Database Records: Secure deletion from our database systems
- Backups: Rotated out within 90 days of source deletion
- Third-Party Services: Deletion requests sent to service providers (e.g., Plaid)
5. Third-Party Data Sharing
When you connect your bank accounts, your financial data is processed by Plaid Inc. Upon disconnection or account deletion:
- We immediately revoke Plaid access tokens
- Plaid retains data according to their own retention policy
- You may also contact Plaid directly to request deletion
For more information, see Plaid's End User Privacy Policy.
6. Legal and Regulatory Compliance
This policy is designed to comply with:
- CCPA (California Consumer Privacy Act): Right to deletion honored within 45 days
- GDPR (General Data Protection Regulation): Right to erasure honored within 30 days
- Financial Record-Keeping Laws: 7-year retention for tax-related transaction data
7. Exceptions
We may retain data beyond the stated retention periods when required to:
- Comply with legal obligations or court orders
- Resolve disputes or enforce agreements
- Detect and prevent fraud or abuse
- Maintain security and operational integrity
8. Policy Review
This Data Retention and Disposal Policy is reviewed annually and updated as necessary to reflect changes in our practices, technology, legal requirements, or business operations.
9. Contact Us
If you have questions about this policy or wish to exercise your data rights, please contact us:
Email: privacy@expensetracker.app