Data Policy

Data Retention and Disposal Policy

Version 1.0

Last updated: January 2026

This Data Retention and Disposal Policy establishes guidelines for the retention, archival, and secure disposal of data collected and processed by Casike. This policy ensures compliance with applicable data privacy laws (GDPR, CCPA), financial regulations, and third-party requirements including Plaid data security standards.

Retention Schedule Summary

| Data Category | Retention Period |
|---|---|
| User Profile | Account lifetime + 30 days |
| Session Data | Automatically expire after inactivity |
| Plaid Access Tokens | Until unlink or account deletion |
| Financial Transactions | Account lifetime |
| Invoices | 7 years (IRS requirement) |
| Expenses & Receipts | 7 years (IRS requirement) |
| Audit Logs | Per regulatory compliance requirements |
| Database Backups | 30 days |

Scope

This policy applies to:
• All user data collected through the Casike application
• Financial data accessed via Plaid integration
• Payment data processed through Stripe
• Social media data from connected platforms (Meta, LinkedIn, X, TikTok, YouTube)
• OAuth tokens for third-party integrations
• System logs and audit records
• Backups and archived data

User Account Data

• Account credentials (email, auth tokens): Duration of account + grace period
• Profile information: Duration of account + grace period
• Security settings (MFA, trusted devices): Duration of account
• Session tokens: Automatically expire after inactivity

Financial Data (Plaid Integration)

• Plaid access tokens: Until user unlinks or deletes account
• Bank account metadata: Duration of account
• Transaction history: Duration of account
• Account balances: Duration of account

Important: Upon account deletion or unlinking, Plaid access tokens are immediately invalidated and all synced financial data is permanently deleted.

Business Data

• Business profiles: Duration of account
• Invoices: 7 years after creation (IRS requirement)
• Expenses and receipts: 7 years after tax year (IRS requirement)
• Weekly metrics: Duration of account
• Budget records: Duration of account

Audit and Security Logs

• Authentication logs: Per compliance requirements (security, incident investigation)
• Financial operation logs: Per compliance requirements (fraud detection)
• Security alerts: Per compliance requirements (threat analysis)
• Failed login attempts: Per compliance requirements (security monitoring)
• Application error logs: Short-term retention (debugging)
• API usage logs: Short-term retention (rate limiting, analytics)

Data Disposal Methods

Electronic Data Disposal:
• Database Records: Permanent deletion with cascading deletes
• File Storage: Files permanently deleted from secure cloud storage
• Backups: Automated expiration per retention schedule

Secure Deletion Standards:
• Data is overwritten or cryptographically erased
• Encryption keys are destroyed where applicable
• Deletion is logged in audit trail
• Third-party data tokens are revoked via API

User-Initiated Data Deletion

Account Deletion Process:

1. Immediate Actions:
   • Account access disabled
   • Active sessions terminated
   • Third-party access tokens revoked
   • Subscriptions cancelled
2. Data Deletion:
   • All user data permanently deleted
   • Business records deleted
   • Financial data deleted
   • Receipts and files deleted
3. Retained for Compliance:
   • Anonymized audit logs per regulatory requirements

Data Portability: Before deletion, users may export their data in CSV, PDF, or JSON formats.

Third-Party Data Handling

Plaid:
• Data received: Transaction history, account balances, metadata
• Upon deletion: Tokens revoked via Plaid API

Stripe:
• Data received: Payment confirmations, subscription status
• Upon deletion: Subscription cancelled, customer record deleted

OpenAI:
• Data sent: Anonymized prompts only
• No conversation history stored by Casike

Legal & Regulatory Compliance

• GDPR Article 17: Right to erasure - Account deletion within 30 days
• GDPR Article 20: Data portability - Export functionality available
• CCPA § 1798.105: Right to deletion - Deletion request honored
• IRS Publication 583: Business records 3-7 years - 7-year retention for tax data

Legal Hold: In the event of litigation or regulatory investigation, affected data is excluded from automated deletion until the hold is lifted.

Contact Us

For data retention or deletion inquiries:
• Email: privacy@casike.com
• Response time: Within 30 days (as required by GDPR/CCPA)

For urgent deletion requests:
• Email: security@casike.com
• Response time: Within 24-48 hours

This data retention policy was last reviewed and updated in January 2026.