# Data Retention Policy

**Last Updated:** March 18, 2026  
**Effective Date:** March 18, 2026  
**Classification:** Public

## 1. Overview

This Data Retention Policy outlines how AccountScope ("we", "our", or "us") retains, stores, and deletes customer data in compliance with UK GDPR and data protection best practices.

## 2. Scope

This policy applies to all data processed by AccountScope, including:
* User account information
* Uploaded bank statements and financial documents
* Transaction data and analysis results
* Generated reports
* Communication records
* System logs and analytics

## 3. Data Categories and Retention Periods

### 3.1 Active Customer Data

**Account Information:**
* **Retention:** Duration of active subscription + 30 days
* **Includes:** Name, email, company details, authentication data
* **Purpose:** Service provision, authentication, billing

**Financial Documents (PDFs, CSVs):**
* **Retention:** Duration of active subscription + 90 days
* **Includes:** Original uploaded bank statements
* **Purpose:** Service provision, reprocessing capability

**Transaction Data:**
* **Retention:** Duration of active subscription + 90 days
* **Includes:** Extracted transactions, categorizations, annotations
* **Purpose:** Service provision, report generation, analysis

**Generated Reports:**
* **Retention:** Duration of active subscription + 365 days
* **Includes:** Forensic reports, summaries, professional reports
* **Purpose:** Service provision, client access, audit trail

### 3.2 Inactive/Cancelled Accounts

**Grace Period:** 90 days after subscription cancellation

During grace period:
* Account remains accessible (read-only after 30 days)
* Data available for download
* Reactivation possible without data loss

After grace period:
* All customer data permanently deleted
* Deletion is irreversible
* Customer notified 30 days and 7 days before deletion

### 3.3 System & Operational Data

**Audit Logs:**
* **Retention:** 2 years
* **Includes:** User actions, system events, security events
* **Purpose:** Security, compliance, troubleshooting

**Analytics Data:**
* **Retention:** 1 year (anonymized after 90 days)
* **Includes:** Usage patterns, performance metrics
* **Purpose:** Service improvement, product development

**Support Communications:**
* **Retention:** 3 years
* **Includes:** Chat logs, email correspondence, support tickets
* **Purpose:** Service quality, legal compliance

**Backup Data:**
* **Retention:** 90 days (rolling)
* **Includes:** Encrypted backups of all customer data
* **Purpose:** Disaster recovery, business continuity

### 3.4 Legal/Compliance Data

**Financial Records (Billing):**
* **Retention:** 7 years
* **Includes:** Invoices, payment records, tax documents
* **Purpose:** Legal compliance (HMRC requirements)

**Legal Hold Data:**
* **Retention:** Duration of legal obligation
* **Includes:** Data subject to legal proceedings or regulatory investigation
* **Purpose:** Legal compliance

## 4. Data Deletion Process

### 4.1 Automated Deletion
* System automatically flags data for deletion when retention period expires
* Flagged data reviewed by Data Protection Officer
* Automated deletion jobs run weekly
* Deletion confirmed via system logs

### 4.2 Secure Deletion Methods

**Database Records:**
* Overwritten with null values
* Record permanently removed from active database
* Soft-deleted records purged after 30 days

**File Storage:**
* Files deleted from primary storage (Supabase)
* Files deleted from CDN cache
* Backup copies expire per backup retention policy

**Encrypted Backups:**
* Encryption keys destroyed
* Backup media securely wiped or destroyed

### 4.3 User-Initiated Deletion

Customers can request immediate data deletion by:
1. Using "Delete Account" in account settings
2. Contacting support@accountscope.app
3. Submitting GDPR erasure request

Processing time: Within 30 days of verified request

## 5. Exceptions to Deletion

Data may be retained beyond standard periods when:
1. **Legal Obligation:** Required by law or regulation
2. **Active Legal Proceeding:** Subject to litigation or investigation
3. **Legitimate Interest:** Necessary for fraud prevention or security
4. **Consent:** Customer explicitly consents to extended retention
5. **Anonymization:** Data anonymized and no longer personally identifiable

## 6. Data Subject Rights

Under UK GDPR, customers have the right to:
* **Access:** Request copy of their data
* **Rectification:** Correct inaccurate data
* **Erasure:** Request deletion ("right to be forgotten")
* **Portability:** Receive data in machine-readable format
* **Restriction:** Limit how we process their data
* **Objection:** Object to processing for specific purposes

To exercise these rights, contact: privacy@accountscope.app

## 7. Data Protection Officer

**Contact:**
* **Email:** dpo@accountscope.app
* **Subject Line:** "Data Retention Inquiry"

## 8. Third-Party Processors

Our data processors also comply with this retention policy:
* **Supabase:** Database and file storage
* **Vercel:** Application hosting
* **Google Cloud:** PDF processing service
* **Stripe:** Payment processing (separate retention policy)

Processor agreements ensure data is deleted when no longer needed.

## 9. Cross-Border Data
* **Data Location:** UK and EU data centers only  
* **US Data Transfers:** None (all data stays in UK/EU)  
* **Adequacy Decisions:** Only transfer to countries with UK adequacy decision

## 10. Breach Notification

In case of data breach:
* Customers notified within 72 hours
* UK ICO notified if required by law
* Affected data clearly identified
* Remediation steps communicated

## 11. Policy Updates

This policy may be updated to reflect:
* Changes in law or regulation
* Changes in business practices
* Customer feedback
* Security improvements

**Notification:** Customers notified 30 days before material changes

## 12. Audit & Compliance
* Annual review by Data Protection Officer
* Quarterly deletion job audits
* Regular compliance assessments
* Documentation maintained for 7 years

## 13. Questions & Concerns

For questions about this policy:
* **Email:** privacy@accountscope.app  
* **Subject:** "Data Retention Policy Question"  
* **Response Time:** Within 5 business days

## 14. Regulatory Authority

**UK Information Commissioner's Office (ICO)**
* Website: https://ico.org.uk
* Helpline: 0303 123 1113
* Complaints: https://ico.org.uk/make-a-complaint