Data Retention and Disposal Policy

Effective Date: January 4, 2026 | Last Updated: January 4, 2026 | Version: 1.0

Purpose

This Data Retention and Disposal Policy establishes guidelines for the retention, archival, and secure disposal of data collected and processed by Iris Secure Financial. This policy ensures compliance with legal obligations, supports business operations, and protects customer privacy.

Policy Owner:

Scope

This policy applies to:

  • All customer financial data obtained via Plaid API
  • User account information and authentication credentials
  • Business transaction records and invoices
  • System logs and audit trails
  • Backup data and archived records
  • All employees, contractors, and systems processing this data

Legal and Regulatory Basis

Retention Requirements:

  • Tax Records: IRS requires 7 years for business financial records
  • Financial Transactions: Industry best practice of 7 years
  • User Privacy: GDPR/CCPA-aligned data minimization principles
  • Audit Requirements: Sufficient data for business audits and dispute resolution

Data Categories and Retention Periods

Data Category | Retention Period | Disposal Method
Financial Transactions | 7 years | Secure database deletion
Invoices | 7 years | Secure database deletion
Active User Accounts | Duration of activity | N/A
Closed User Accounts | 90 days | Secure deletion
Plaid Access Tokens | Active connection + 30 days | Token invalidation + deletion
System Logs | 90 days | Automated purge
Database Backups | 30-365 days (rotating) | Secure overwrite
Deleted User Data | 30-day grace period | Permanent deletion

Financial Transaction Data

Retention Period: 7 years from transaction date

Rationale: IRS audit period requirements (3-7 years), business audit and dispute resolution needs, customer access to historical financial data

Storage:

  • Active: First 2 years in production database
  • Archive: Years 3-7 in compressed archive storage
  • Disposal: Secure deletion after 7 years

Exceptions: Disputed transactions retained until resolution + 7 years; ongoing legal matters subject to litigation hold

User Account Data

Retention Period:

  • Active Accounts: Duration of account activity
  • Inactive Accounts: 90 days after last login, then marked for deletion
  • Closed Accounts: 90 days after account closure

Disposal:

  • User-initiated deletion: 30-day grace period, then permanent deletion
  • Automatic cleanup: Accounts inactive for 2+ years notified, then deleted after 90 days
  • Authentication tokens: Expired tokens deleted immediately

Plaid Integration Data

Retention Period:

  • Active Connections: Duration of active bank link
  • Disconnected Accounts: 30 days after disconnection
  • Access Tokens: Rotated automatically, old tokens deleted immediately

Disposal: Tokens securely overwritten and removed from database; Plaid item deleted via API when account disconnected

Data Disposal Methods

Electronic Data Disposal

  • Database Records: Secure deletion via database DELETE operations with confirmation queries
  • Encrypted Data: Cryptographic key destruction (crypto-shredding) for archived encrypted data
  • Tokens and Credentials: Immediate overwrite and removal with token invalidation confirmation

Backup Media Disposal

  • Cloud backups managed by provider's secure deletion protocols
  • Verification of deletion via provider APIs
  • Physical media (if applicable): Degaussing or physical destruction

User Data Rights

Right to Access

Request a copy of your personal data delivered in machine-readable format (JSON/CSV) within 30 days.

Right to Deletion

Request account and data deletion with a 30-day grace period before permanent deletion. Note: Financial records are retained for 7 years (anonymized) for tax compliance.

Right to Portability

Structured data provided in machine-readable format (JSON/CSV) within 30 days.

To exercise any rights: [email protected]

Special Circumstances

Legal Holds

Trigger Events: Litigation notice, regulatory investigation, subpoena, or court order

Process:

  1. Legal hold notice issued by counsel
  2. Affected data flagged in system
  3. Automatic deletion suspended
  4. Hold released upon legal completion
  5. Normal retention schedule resumes

Data Breach

Breach-related logs and data retained for 3 years. Forensic evidence preserved. Incident reports maintained per policy.

Policy Review and Updates

  • Annual Review: Full policy assessment
  • Regulatory Changes: Review within 30 days of new laws
  • Incident-Triggered: Review after data-related incidents

Related Policies

Document Version: 1.0

Approval Date: January 4, 2026

Next Review Date: January 4, 2027

Approved By: Support Team