Data Retention and Disposal Policy
Last updated: June 3, 2026
1. Scope
This policy applies to all consumer and business data processed by the RinseRight CRM, including data received from Plaid Inc., Google Business Profile, Stripe, Twilio, and Cloudflare R2.
2. Categories of data and retention windows
| Data category | Retention | Reason |
|---|---|---|
| Plaid access tokens | Until user disconnects | Bank API credential; revoked the moment the user disconnects. |
| Bank transactions imported via Plaid | 7 years from posting | IRS retention requirement for Schedule C expense substantiation. |
| OAuth tokens (Google Business Profile) | Until user disconnects | Revoked on disconnect. |
| Customer PII (name, address, phone, email) | Life of business + 3 yrs | Active customer relationship; tax/legal records. |
| Invoice + payment records | 7 years | IRS retention requirement. |
| SMS conversations | 7 years | A2P 10DLC compliance + dispute records. |
| Audit logs | 2 years | Operational security review. |
| Receipt photos (Cloudflare R2) | 7 years | Tax substantiation requirement. |
| Employee/contractor records | 7 years after termination | Tax and labor-law retention. |
| Session cookies / login state | 30 days max | Re-authentication enforced. |
3. Triggers for deletion
Data is irreversibly deleted upon any of the following events:
- The user clicks Disconnect on the /admin/taxes/banks page. Plaid access tokens, BankAccount rows, and BankTransaction rows for that institution are cascade-deleted within seconds.
- The user clicks Disconnect on the /admin/reviews page. The GbpIntegration record is deleted and the OAuth refresh token is destroyed.
- A customer is deleted from the CRM via the admin UI. All related Job, Quote, Invoice, Conversation, and Attachment records cascade-delete.
- A specific Expense, MileageLog, or receipt is deleted by the admin from its respective management page.
- The retention window in section 2 elapses (annual review removes records older than the documented retention period).
- The user submits a verified deletion request to cameron@rinserightservices.com. We respond within 30 days, per applicable consumer-privacy laws.
4. Method of disposal
- Database rows. Hard DELETE from the production database. No soft-delete columns are kept after the retention window expires. Foreign-key cascades ensure no orphaned records remain.
- Object storage. Receipt photos and job photos are deleted from the Cloudflare R2 bucket via the S3-compatible DeleteObject API call.
- Backups. Fly.io managed-volume snapshots are retained for 14 days on a rolling basis. Deleted records remain recoverable from snapshots only for up to 14 days, after which the snapshot rotates out and the data is permanently unrecoverable.
- Encrypted credentials. Plaid access tokens and OAuth tokens are AES-256-GCM encrypted at rest. Deletion of the database row destroys the only copy of the ciphertext; the encryption key provides no value without it.
5. Special handling for Plaid-sourced data
- Plaid access tokens are AES-256-GCM encrypted at the application layer in addition to the volume-level encryption provided by our hosting platform.
- Transaction data is retained for the 7-year IRS Schedule C retention window, after which the corresponding records are permanently deleted during the annual policy review.
- A user disconnecting their bank account via /admin/taxes/banks cascade-deletes the PlaidItem row, after which we no longer have the credential needed to fetch additional data on their behalf.
6. Policy review
This policy is reviewed at least annually by the business owner and updated as data-handling practices change. Material changes are reflected in the “Last updated” date above.
7. Contact
Questions about this policy, requests to access or delete your data, or compliance inquiries: cameron@rinserightservices.com.
See also: our Information Security Policy, Privacy Policy, and SMS Terms & Conditions.