Data Retention and Disposal Policy

Statement Scan

Effective Date: February 1, 2025
Last Reviewed: February 8, 2026

1. Purpose

This policy defines how Statement Scan collects, retains, and disposes of user data to ensure compliance with applicable data privacy laws and protect consumer information.

2. Scope

This policy applies to all consumer data collected through the Statement Scan application, including data obtained via Plaid integration.

3. Data Categories and Retention Periods

Data Type	Retention Period	Disposal Method
Account credentials (email, hashed password)	Duration of active account + 30 days after deletion request	Permanent deletion from database
Uploaded documents (PDF/CSV)	Not retained - processed in memory only	Automatic disposal after processing
Portfolio data (saved analyses)	Duration of active account + 30 days after deletion request	Permanent deletion from database
Plaid access tokens	Duration of active connection	Immediate deletion upon disconnection or account deletion
Plaid financial data (holdings)	Session-based for analysis; saved only if user explicitly saves portfolio	Permanent deletion upon account deletion

4. Data Disposal Procedures

4.1 Automatic Disposal

Uploaded documents are processed in application memory and automatically discarded after analysis
Session data expires after user logout

4.2 User-Initiated Disposal

Users may delete individual saved portfolios at any time
Users may disconnect Plaid-linked accounts, triggering immediate token deletion
Users may request full account deletion

4.3 Account Deletion Process

User submits deletion request via email to [email protected]
Request acknowledged within 5 business days
All user data permanently deleted within 30 days
Confirmation sent to user upon completion

5. Plaid-Specific Data Handling

Special provisions for financial data obtained through Plaid integration:

Plaid access tokens are encrypted at rest using Fernet symmetric encryption
We do not store Plaid login credentials
Financial data retrieved from Plaid is used for real-time analysis
Raw Plaid API responses are not permanently stored
Users may revoke Plaid access directly through our application or via https://my.plaid.com/

6. Backup and Disaster Recovery

Database backups retained for maximum 30 days for disaster recovery
Backups are encrypted and access-controlled
Backup disposal follows same timeline as primary data deletion

7. Policy Review

This policy is reviewed annually or upon significant changes to:

Applicable privacy regulations
Data processing practices
Third-party integrations

8. Contact

Data-Related Inquiries

Email: [email protected]
Subject Line: Data Retention Inquiry