Data Deletion Policy

DanceLedger Data Deletion Policy

Effective Date: 2026-04-18
Version: 1.0
Owner: Abrazo Software LLC
Contact: privacy@abrazo.dev

1. Purpose

This Data Deletion Policy ("Policy") describes how users of DanceLedger, operated by Abrazo Software LLC, may request deletion of their account and associated personal data, and how the Company processes those requests. It operationalizes the right to erasure under GDPR Article 17 and analogous state-law deletion rights in the United States.

2. Requesting Deletion

Users may request deletion of their DanceLedger account by either of the following methods:

  • Calling the authenticated endpoint POST /api/account/delete from a signed-in session (surfaced in the web application Settings page and, where supported, the mobile application).
  • Sending an email request to privacy@abrazo.dev from the email address associated with the account. Support staff verify the requester's identity before initiating deletion for email-based requests.

There is no fee for requesting deletion. A user may request deletion at any time, and the Company does not condition continued service on retention of personal data beyond what is necessary to deliver the service.

3. Soft Delete (Immediate)

Upon a valid deletion request, the Company immediately performs a soft delete:

  • The user account is marked as deleted with a deletedAt timestamp.
  • The user cannot sign in; the next sign-in attempt returns an authentication error.
  • All active sessions belonging to the user are invalidated, and refresh tokens are revoked.
  • The user's data is no longer accessible through the API or visible to the user or to other users.
  • Shared trip data in group trips remains visible to the remaining members for continuity of the group's records, but the deleted user's displayed name is replaced with "Deleted User" and their avatar is removed.
  • Future webhook events from third parties (Stripe, RevenueCat, Plaid) are processed against the soft-deleted record and recorded for audit but do not restore access.

Soft delete takes effect within seconds of the request being accepted. From the user's perspective it is irreversible, except through a separate, authenticated restore request made within the 30-day soft-delete window.

4. Hard Purge (30 days)

An automated cron job runs nightly at 03:00 UTC and permanently removes all data associated with accounts whose deletedAt timestamp is more than 30 days in the past. Hard purge covers:

  • MongoDB: User document, owned trips (including embedded plans and members), owned groups, chat conversations, user profile (including embedded festival bookmarks and notes), owned festivals, tracking configurations, and related audit metadata beyond the audit retention period.
  • PostgreSQL: Expenses authored by the user, expense split rows referencing the user, Stripe customer record, Plaid items and transactions, and subscription rows.
  • S3: All receipt image objects under receipts/{userId}/*.
  • Stripe: Any active subscription is cancelled at period end prior to record removal; the Stripe customer record is deleted via the Stripe API.
  • RevenueCat: The subscriber record is deleted via the RevenueCat REST API so that subsequent store events for the same rcAppUserId do not re-create an entitlement.
  • Plaid: Each active Plaid item is removed via /item/remove so that Plaid ceases fetching transactions for the account.

The hard purge job is idempotent and re-runs the following night if any step fails, with monitoring and alerting on persistent failures.
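The two-stage lifecycle in sections 3 and 4 (immediate soft delete, then an idempotent nightly hard purge that retries after a failed step) can be modelled in a few dozen lines. The following is an added illustration, not DanceLedger's own code: the in-memory store, its field and collection names, the stubbed processor callbacks (`stripe`, `revenuecat`, `plaid`) and the sample users are all constructed assumptions. Real storage, the Stripe/RevenueCat/Plaid API calls and the cron scheduling are out of scope here; what the example shows is the ordering and the re-run safety.

```javascript
// Added example (not DanceLedger's code): soft delete + idempotent hard purge.
const DAY_MS = 24 * 60 * 60 * 1000;
const SOFT_DELETE_WINDOW_MS = 30 * DAY_MS; // section 4: purge after 30 days

// Constructed sample data standing in for MongoDB/PostgreSQL/S3 rows.
function makeStore() {
  return {
    users: new Map([
      ['u1', { id: 'u1', displayName: 'Ana', avatar: 'ana.png', deletedAt: null }],
      ['u2', { id: 'u2', displayName: 'Ben', avatar: 'ben.png', deletedAt: null }],
    ]),
    sessions: [
      { userId: 'u1', refreshToken: 'rt-u1', revoked: false },
      { userId: 'u2', refreshToken: 'rt-u2', revoked: false },
    ],
    expenses: [{ id: 'e1', groupId: 'g1', paidBy: 'u1', amount: 42.5, description: 'Taxi' }],
    receipts: new Set(['receipts/u1/r1.jpg', 'receipts/u2/r2.jpg']),
    processorDone: new Map(), // userId -> Set of processor names already cleaned up
    auditLog: [],             // section 5: deletion events are retained
  };
}

// Section 3: mark deleted, revoke sessions/refresh tokens, record the request.
function softDelete(store, userId, now) {
  const user = store.users.get(userId);
  if (!user || user.deletedAt !== null) return false; // unknown or already deleted: no-op
  user.deletedAt = now;
  for (const s of store.sessions) if (s.userId === userId) s.revoked = true;
  store.auditLog.push({ event: 'deletion_requested', userId, at: now });
  return true;
}

// A soft-deleted account fails authentication on the next sign-in attempt.
function signIn(store, userId) {
  const user = store.users.get(userId);
  if (!user || user.deletedAt !== null) throw new Error('authentication failed');
  return 'ok';
}

// Group members still see shared expenses, but the payer identity is severed.
function expenseView(store, expense) {
  const payer = expense.paidBy === null ? null : store.users.get(expense.paidBy);
  const severed = !payer || payer.deletedAt !== null;
  return { amount: expense.amount, description: expense.description,
           paidBy: severed ? 'Deleted User' : payer.displayName };
}

// Section 4: nightly job. Safe to re-run: processor steps that already succeeded
// are skipped, and a failed account stays in place for the next night's run.
function hardPurge(store, processors, now) {
  const result = { purged: [], failed: [] };
  for (const user of [...store.users.values()]) {
    if (user.deletedAt === null || now - user.deletedAt <= SOFT_DELETE_WINDOW_MS) continue;
    const done = store.processorDone.get(user.id) ?? new Set();
    store.processorDone.set(user.id, done);
    try {
      for (const name of Object.keys(processors)) {
        if (done.has(name)) continue;   // idempotency across retries
        processors[name](user.id);      // stub for the external API call; may throw
        done.add(name);
      }
      // Shared expenses keep amount/description but lose the identity link (section 5).
      for (const e of store.expenses) if (e.paidBy === user.id) e.paidBy = null;
      for (const key of [...store.receipts]) {
        if (key.startsWith(`receipts/${user.id}/`)) store.receipts.delete(key);
      }
      store.users.delete(user.id);
      store.processorDone.delete(user.id);
      store.auditLog.push({ event: 'hard_purge_completed', userId: user.id, at: now });
      result.purged.push(user.id);
    } catch (err) {
      // Left for the next run; persistent failures are what monitoring should alert on.
      store.auditLog.push({ event: 'hard_purge_failed', userId: user.id, at: now, error: err.message });
      result.failed.push(user.id);
    }
  }
  return result;
}

// Stubbed processor callbacks (assumed names; real calls go to the vendor APIs).
const okProcessors = { stripe: () => {}, revenuecat: () => {}, plaid: () => {} };

function runDemo() {
  const store = makeStore();
  const t0 = Date.parse('2026-04-18T10:00:00Z');
  softDelete(store, 'u1', t0);
  const early = hardPurge(store, okProcessors, t0 + 10 * DAY_MS); // inside window: nothing
  const late = hardPurge(store, okProcessors, t0 + 31 * DAY_MS);  // past window: purged
  return { early, late, remaining: [...store.users.keys()] };
}

console.log(JSON.stringify(runDemo()));
```

The processor bookkeeping (`processorDone`) is what makes a retry safe: if the Plaid call fails on night one, night two re-issues only the Plaid removal and does not delete the Stripe customer a second time. The audit entries for the request and the completion survive the purge, matching section 5.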

5. Data Not Deleted

The following categories are intentionally not deleted and are retained per the Data Retention Policy and applicable legal obligations:

  • Audit log entries recording administrative actions, security-relevant events, and deletion requests themselves. Retained for 1 year.
  • Anonymized analytics aggregates that no longer identify the user (for example, counts of trips created per week).
  • Shared trip expense records are retained within the group for continuity of the group's records. The monetary amount, description, category, and timestamp remain; the paidBy identity is replaced with "Deleted User" and personal identifiers are severed.

6. GDPR Right to Erasure — Article 17

This Policy implements the right to erasure under GDPR Article 17 for users in jurisdictions where that right applies. Users may request deletion at any time for any reason, and the Company will complete the request within 30 days of receipt, with soft delete taking effect immediately and hard purge completing automatically within the subsequent 30-day window. Where the Company must retain certain records to comply with a legal obligation or to establish, exercise, or defend legal claims, those records will be retained only to the extent and for the duration strictly necessary.

7. Confirmation

The user receives an email confirmation at two points:

  1. On acceptance of the deletion request — summarizing that soft delete has taken effect, the 30-day soft-delete window, and instructions for requesting reversal within that window.
  2. On completion of hard purge — confirming that personal data has been permanently removed from DanceLedger's primary systems and from third-party processors (Stripe, Plaid, RevenueCat) to the extent supported by each processor's API.

Confirmation emails are sent from privacy@abrazo.dev and include a reference identifier so that users and support staff can correlate the deletion lifecycle.

8. Review Schedule

This Policy is reviewed at least annually and whenever the deletion mechanics, storage architecture, or applicable regulation materially changes. Material changes are versioned at the top of this document.