Data Retention and Disposal Policy

SimpleMonth

Effective Date: January 2026
Last Reviewed: January 2026

1. Purpose

This Data Retention and Disposal Policy describes how SimpleMonth collects, retains, and securely disposes of customer data in accordance with applicable data protection and privacy laws, including but not limited to U.S. privacy regulations and Plaid platform requirements.

This policy applies to all customer data processed or stored by SimpleMonth, including data received via third-party service providers such as Plaid.

2. Scope of Data

SimpleMonth may process the following categories of data:

  • User account information (email address, authentication metadata)
  • Financial account metadata retrieved via Plaid (e.g., account balances, transactions, investment holdings)
  • Application usage data required for product functionality
  • Support and operational communications

SimpleMonth does not store banking credentials, login passwords, or authentication secrets for financial institutions. These are handled directly by Plaid.

3. Data Retention Principles

SimpleMonth follows the principle of data minimization, retaining data only for as long as necessary to:

  • Provide core application functionality
  • Comply with legal, regulatory, and contractual obligations
  • Resolve disputes or enforce agreements
  • Maintain security, auditing, and operational integrity

4. Retention Periods

Unless otherwise required by law, SimpleMonth applies the following retention standards:

4.1 Active User Accounts

  • Customer data is retained for the duration of an active user account.

4.2 Inactive or Closed Accounts

Upon account deletion or termination, user-associated data is deleted or anonymized within a reasonable operational period, unless retention is required for:

  • Legal compliance
  • Fraud prevention
  • Security auditing
  • Backup integrity (see Section 6)

4.3 Financial Data from Plaid

  • Financial data retrieved via the Plaid API is retained only as long as necessary to support user-requested features.
  • Users may revoke Plaid access at any time, after which no new data is collected.

5. User-Initiated Data Deletion

Users may request deletion of their account and associated data by contacting support or using in-app account deletion features (where available).

Upon verified request:

  • Account access is disabled
  • User-associated data is scheduled for deletion in accordance with this policy

6. Backups and Residual Data

  • Encrypted backups may temporarily retain data after deletion
  • Backup data is protected with access controls and encryption
  • Backup retention periods are limited, and data is purged automatically according to provider policies

7. Data Disposal Methods

SimpleMonth uses the following secure disposal methods:

  • Logical deletion from production databases
  • Automated lifecycle expiration where applicable
  • Secure deletion mechanisms provided by cloud infrastructure vendors
  • Encryption-protected storage until data is fully purged

8. Third-Party Service Providers

SimpleMonth relies on trusted service providers (including Supabase, Vercel, and Plaid) that maintain their own data retention, security, and compliance controls. Data handling by these providers is governed by contractual agreements and applicable certifications (e.g., SOC 2).

9. Policy Review and Updates

This policy is reviewed periodically and updated as necessary to reflect:

  • Changes in legal or regulatory requirements
  • Updates to business operations
  • Changes in third-party service provider practices

10. Contact Information

For questions regarding this policy or data handling practices, contact:

Email: info@simplemonth.com

Security Issues: info@simplemonth.com