Data Retention & Disposal Policy
Version 1.0 | Effective: February 24, 2026 | Confidential
1. Purpose
This policy defines the requirements for retaining, archiving, and disposing of consumer data collected and processed by the Monaro application. The objective is to ensure that personal and financial data is retained only as long as necessary for its intended purpose, and is securely disposed of when no longer needed, in compliance with GDPR, CCPA, and India's Digital Personal Data Protection Act (DPDPA).
2. Scope
This policy applies to all consumer data collected, processed, and stored by Monaro, including personal information, financial data from SMS scanning and CSV imports, authentication data, application usage data, payment and subscription data, and audit/system logs.
3. Retention Periods
| Data Category | Retention Period | Disposal Method |
|---|---|---|
| User profile (name, email) | Account duration + 30 days | Permanent deletion from database |
| Imported transaction data | Account duration + 30 days | Permanent deletion from database |
| Account balances | Account duration + 30 days | Permanent deletion from database |
| Liability/debt data | Account duration + 30 days | Permanent deletion from database |
| AI Copilot query logs | 90 days from creation | Automatic purge via scheduled job |
| Authentication/session logs | 1 year from creation | Automatic purge via scheduled job |
| Audit trail logs | 2 years from creation | Automatic purge via scheduled job |
| Payment records | 7 years from transaction | Managed by Razorpay |
| Error and application logs | 90 days from creation | Auto-expired by Sentry |
| Product analytics events | 1 year from creation | Auto-expired by PostHog |
4. Account Deletion Process
When you delete your Monaro account, we execute the following steps within 30 days:
- Financial Data Deletion: All transactions, balances, debts, and analytics are permanently deleted
- Profile Data Deletion: Account info, preferences, and plans are permanently deleted
- Auth Data Purge: Authentication records removed, active sessions invalidated
- Log Anonymization: Audit logs are anonymized with hashed placeholders
- Payment Provider Notification: Razorpay subscriptions cancelled
5. Secure Disposal Methods
- Database records: SQL DELETE + PostgreSQL VACUUM to reclaim storage
- Log data: Auto-expired by providers (Sentry 90 days, PostHog 1 year)
- Backups: Rolling 7-day window — deleted data naturally purges
6. Your Data Rights
- Access: Export all your data (JSON/CSV) via app settings or email request (fulfilled within 30 days)
- Rectification: Update your information directly in the app
- Erasure: Delete your account to trigger full disposal process
- Portability: Standard machine-readable export format
- Restrict Processing: Revoke SMS permissions or stop importing to halt data collection
7. Contact
Data requests: arthi@nivo.run