Effective Date: 2026-04-18
Version: 1.0
Owner: Abrazo Software LLC
Contact: privacy@abrazo.dev
This Data Retention Policy ("Policy") defines how long DanceLedger, operated by Abrazo Software LLC, retains each category of user and operational data. Retention periods are set to be the minimum necessary to deliver the service, satisfy financial and security record-keeping obligations, and preserve forensic evidence of system integrity, consistent with the principle of storage limitation in GDPR Article 5(1)(e).
The table below lists each data category, its storage system, its retention period, and the justification for retaining it for that duration.
| Data Type | Storage | Retention | Justification |
|---|---|---|---|
| User account (profile, credentials) | MongoDB | Until deletion request + 30 days | Service delivery |
| Trip data (trips, plans, members) | MongoDB | Until deletion request + 30 days | Service delivery |
| Expense records (amounts, splits, notes) | PostgreSQL | Until deletion request + 30 days | Financial record keeping |
| Receipt images | S3 | Until deletion request + 30 days | Financial record keeping |
| Plaid access tokens | PostgreSQL | Until user removes bank link or deletion | Bank aggregation service |
| Plaid transactions | PostgreSQL | Until deletion request + 30 days | Transaction import feature |
| Stripe customer records | PostgreSQL | Until deletion request + 30 days | Subscription management |
| Subscription records (Stripe, Apple, Google) | PostgreSQL | Until deletion request + 30 days | Entitlement tracking |
| Chat conversations (AI trip planning) | MongoDB | Until deletion request + 30 days | AI trip planning history |
| Session tokens | MongoDB | 2 hours (auto-expiry) | Authentication |
| Search cache (festival, flight, hotel queries) | MongoDB | TTL index (24 hours) | Performance optimization |
| Audit logs (admin actions, security events) | MongoDB | 1 year | Security compliance |
| Webhook events (Stripe, RevenueCat) | PostgreSQL | 90 days | Idempotency and forensics |
When a user requests account deletion or an administrator disables an account, the associated data enters a 30-day soft-delete grace period. During this window:
The grace period balances the user's right to erasure against the common case of mistaken or impulsive deletion requests, and against regulatory obligations to retain records that may be in active dispute.
An automated cron job runs nightly at 03:00 UTC and performs an irreversible hard purge of all accounts whose soft-delete timestamp is more than 30 days in the past. The purge covers, in a single transaction boundary where supported:
The purge job emits a structured log summary (DATA_PURGE_SUMMARY) with counts per data category, which is consumed by monitoring dashboards. Failures trigger an alert via PagerDuty and are re-attempted on the next nightly run.
Data is kept no longer than is necessary for the purposes for which it is processed. The combination of scoped retention periods, TTL indexes on transient collections, a defined soft-delete window, and automated hard-purge after 30 days gives effect to the storage limitation principle. Where a data category has a fixed calendar retention (audit logs, webhook events), the Company reviews that retention annually and reduces it where operational experience permits.
This Policy is reviewed at least annually and whenever a new data category is introduced, a storage system is added or retired, or applicable regulation changes. Material changes are versioned at the top of this document.