Data Retention & Deletion Policy

Effective Date: April 23, 2026

1. Purpose

This policy defines how VaultKeeper retains, archives, and deletes user data across its entire service surface: manually-entered financial records, bank connection data (Plaid / Teller), subscription state (RevenueCat / Apple), AI chat data (Anthropic), crash reports (Firebase Crashlytics), and operational logs (Cloudflare).

2. Retention Periods

Data Type	Retention Period	Notes
User account and financial data	Duration of account	Deleted immediately upon in-app account deletion (Settings → Delete Account)
Transactions, wallets, categories	Duration of account	User can delete individual records at any time via the app
Scheduled transactions	Duration of account	User can delete or deactivate
Bank access tokens (Plaid / Teller)	Until disconnected	Deleted from Cloudflare KV on disconnection + on account deletion. Plaid items are also revoked at Plaid on deletion.
Bank transaction data (imported)	Duration of account	Stored as regular transactions after import; subject to user deletion
Cached bank balances	1 hour TTL, refreshed on foreground	Never persisted long-term; overwritten on each fetch
Subscription state (RevenueCat / Apple)	Duration of account	Written by RC webhook and Apple Server Notifications; deleted on account deletion
AI chat messages	Session only	Not persisted by VaultKeeper. Anthropic retains API payloads for up to 30 days for trust & safety, then deletes.
AI rate-limit counters	45 days	Cloudflare KV TTL; covers current + following billing cycle
Wallet share tokens	Until revoked	Deleted on account deletion or manual revoke in-app
Authentication records	Until account deletion	Managed by Firebase Auth; deleted by `user.delete()` during account deletion flow
Household and invite data	Duration of membership	Removed when member leaves, is removed, or on account deletion
Crash reports	90 days	Firebase Crashlytics default retention
Worker request logs	30 days	Cloudflare operational logs for abuse prevention + debugging
Firebase Realtime Database backups	3 years	Daily exports to our private GCS bucket. Account deletion is propagated to backups within 30 days of the next scheduled backup cycle.

3. User-Initiated Deletion

Users can delete data through several mechanisms, all self-serve:

Individual records — delete specific transactions, wallets, categories, or scheduled transactions via the application interface on iOS or web.
Bank disconnection — disconnect a bank account from Settings → Bank Connections. Access tokens are immediately deleted from Cloudflare KV and Plaid items are revoked at Plaid. Previously imported transactions remain in the user's record unless manually deleted.
AI consent revocation — revoke AI chat consent from Settings → VaultKeeper AI. Subsequent AI messages are blocked; chat session history (held only in memory) is cleared when the sheet closes.
Wallet share revocation — delete a wallet share link from the wallet's share sheet. The public shared/{token} mirror is deleted; the token is invalidated.
Subscription cancellation — handled by Apple at iOS Settings → Apple ID → Subscriptions. Apple's Server Notifications + RevenueCat's webhook update the subscription node in Firebase within minutes.
Full account deletion — Settings → Account → Delete Account. Two-step destructive confirmation, then the client performs: Firebase multi-path delete of users/{uid}/*, households/{uid}/* (if owner), household membership record (if member), wallet shares, pending invites; Cloudflare Worker cleanup of all KV tokens + Plaid item revocation; Firebase Auth user deletion.

4. Automated Deletion

Bank access tokens are invalidated when the bank connection expires or is revoked by the financial institution (Plaid / Teller return an error, which triggers the app's "reauth needed" flow).
AI rate-limit counters expire automatically via Cloudflare KV's 45-day TTL.
Anthropic API payload retention is capped at 30 days per their operational policy.
Firebase Crashlytics stops retaining a user's crashes 90 days after collection.
Cloudflare Worker request logs age out at 30 days.
No consumer data is retained beyond what is necessary to provide the service or satisfy the retention windows above.

5. Data Deletion Procedures

When a user requests account deletion:

Client disables Firebase listeners to prevent race conditions.
Client calls POST /api/account/cleanup which the Worker uses to revoke Plaid items (so Plaid stops billing) and wipe all KV tokens under plaid:{uid}:*, teller:{uid}:*, ai_rate:{uid}:*, and ai_burst:{uid}:*.
Client performs an atomic Firebase RTDB multi-path update setting every one of the user's data paths to null.
Client calls Auth.auth().currentUser?.delete() to remove the Firebase Auth record.
Client signs out locally and returns to the auth screen.

Deletion propagates to Firebase's managed backups within 30 days. Anthropic's trust-and-safety retention continues for up to 30 days from the last API call regardless of our deletion. Cloudflare request logs age out independently at 30 days.

6. Data Export

Before deletion, users can export all their transaction data via Settings → Export to CSV. The export is byte-compatible with the web version and includes: date, type, category, amount, currency, wallet, destination wallet (for transfers), exchange rate, converted amount, and note. Subscription state and app preferences are not included in the CSV; email info@vaultkeepermoney.com for a full data package.

7. Regulatory Compliance

Data retention and deletion practices are designed to comply with GDPR, CCPA, and Apple App Store requirements. Data subjects may exercise their rights by contacting us through the channels listed in the Privacy Policy. We respond within 30 days.

8. Backup Restore Requests

Backups are retained for operational recovery (e.g. ransomware, accidental data loss). A user whose account was deleted and who later requests restoration must contact us at info@vaultkeepermoney.com within 30 days of deletion. After 30 days we cannot guarantee the data is still in an accessible backup.

9. Policy Review

This policy is reviewed at least annually or when changes are made to data processing practices. The last substantive review was April 23, 2026.