Data Retention & Disposal Policy
Last updated: April 22, 2026
1. Purpose and Scope
This Data Retention and Disposal Policy ("Policy") outlines how Finintra ("we," "our," or "us") manages the lifecycle of personal and financial data collected through our platform. This Policy is designed to ensure compliance with data privacy laws (such as GDPR and CCPA) and to meet the security requirements of our partners, including Plaid.
This Policy applies to all customer data, transaction records, and account information stored within our systems.
2. Data Retention Principles
We adhere to the following principles regarding data retention:
- Minimization: We only collect and retain data that is strictly necessary for providing our services.
- Accuracy: We strive to keep retained data accurate and up to date.
- Security: All retained data is protected by industry-standard encryption and security protocols.
- Purpose Limitation: Data is only retained for the purposes for which it was collected.
3. Retention Periods
| Data Category | Retention Period | Justification |
|---|---|---|
| Active Account Data | Duration of active relationship | Necessary for service provision |
| Financial Transaction Records | Duration of active relationship + 7 years | Tax and legal compliance |
| Deleted Account Data | Deleted within 30 days of request | Right to erasure (GDPR/CCPA) |
| Audit Logs & Security Data | 1 year | Security monitoring and auditing |
| Plaid Connection Data | Until account disconnection | Operational necessity |
4. Data Deletion and Disposal Procedures
When data reaches the end of its retention period or a deletion request is made, we follow a systematic disposal process:
- Soft Deletion: Initially, some records (like organization members) may be marked as "removed" to maintain referential integrity while removing them from active service.
- Hard Deletion: Upon organization or account deletion, we perform a cascade delete operation within our primary database. This permanently removes all associated records, including financial accounts, transactions, and user associations.
- Backups: Data removed from active databases may persist in encrypted backups for up to 90 days before being completely overwritten.
- Disposal Verification: We regularly audit our deletion processes to ensure that cascade deletes are functioning correctly and that no "orphaned" data remains.
5. User-Initiated Deletion
Users have the right to request the deletion of their data at any time. This can be done by:
- Deleting an Organization: Organization owners can delete their entire organization, which triggers an immediate cascade deletion of all organization-related data.
- Disconnecting Accounts: Users can disconnect specific financial institutions, which removes the associated access tokens and synced data.
- Support Requests: Users can contact privacy@biteon.nl to request full account deletion.
6. Policy Review
This Policy is reviewed at least annually to ensure it remains aligned with evolving legal requirements and our operational practices. Updates are reflected in the "Last updated" date at the top of this page.
7. Contact Information
If you have any questions regarding our data retention or disposal practices, please contact our Data Protection Officer at:
privacy@biteon.nl