Check Designer — Data Retention Policy (Draft)
Status: Draft administrative/security policy — subject to attorney review before commercial launch.
1. Purpose
This policy describes how long categories of Check Designer data are typically retained in current deployments and how deletion/export requests are handled. It supplements the Privacy Policy and operator runbooks.
2. Active tenant data
While a tenant account is active, the Service retains data needed to operate:
| Category | Retention approach |
|---|---|
| Users, roles, store permissions | Until removed by tenant admins or tenant termination |
| Accounts, templates, mappings, printer settings | Until deleted in-app or tenant termination |
| Print queue and printed check history | Until deleted/voided per workflow or tenant termination |
| Audit log | Accumulates for accountability; no automatic purge in application code today |
| Support access session records | Retained for audit; records of ended (terminal) sessions remain queryable |
| Tenant subscription metadata | Retained while tenant exists; plan/status fields in `TenantSubscription` |
Customer responsibility: You define internal retention requirements for checks and payroll records under the rules of your industry; the application does not auto-delete printed history by age unless you implement operational procedures to do so.
3. Encrypted sensitive fields
Bank account numbers and signature images stored with `enc:v1:` encryption remain in the database until the account row is deleted or the tenant is removed. Rotating `BANK_DATA_ENCRYPTION_KEY` without first re-encrypting existing rows makes prior ciphertext unreadable — treat key backups as retention-critical (see `SECURITY_POLICY.md`).
4. Backups
Operator-managed backups (daily SQLite copies, manifests, optional config archives) may retain full database snapshots including all tenants in that file.
| Item | Typical retention |
|---|---|
| Daily backups | Per operator schedule (e.g., cron); often 30+ days on disk |
| Pre-restore snapshots | Created before restore operations |
| Manual phase backups | Until operator deletes |
Backup retention is governed by `BACKUP_RESTORE_POLICY.md` and server runbooks — not by in-app user settings.
5. Suspended or terminated tenants
Platform operators may suspend tenant access (per platform controls). Data may remain in the database until a defined offboarding process runs. Formal deletion of a tenant and all related rows is an operator manual process today — not a self-service “delete my organization” button.
*Counsel should define post-termination retention and deletion SLAs at launch.*
6. Logs
Application and web server logs must not contain decrypted secrets, MICR plaintext, or encryption keys. Log retention on the server is an operator configuration (rotation, duration) — it is not enforced in application code in Phase 2P-A.
7. Export and portability requests
7.1 Self-service operational exports
Customers with appropriate permissions (typically OWNER or ADMIN with backup access) may use Settings → Backup & Export:
| Export | Scope | Sensitive data |
|---|---|---|
| SQLite database download | Entire deployment database file | Contains encrypted blobs; on shared hosting the file is instance-wide (all tenants) |
| Project JSON | Structured project data | Account numbers and signatures redacted in JSON |
These exports are operational tools, not a certified legal portability mechanism.
7.2 Formal export requests
For organization-wide or user-specific formal export beyond in-app buttons, submit a written request per `ACCOUNT_DELETION_REQUEST_POLICY.md` §5. The operator reviews scope and may provide files offline after identity verification. No automated export package is generated by the application today.
8. Deletion and redaction requests
End-user and tenant deletion or redaction requests are manual / admin review only per `ACCOUNT_DELETION_REQUEST_POLICY.md`.
| Topic | Policy |
|---|---|
| Self-service tenant wipe | Not available |
| Hard-delete production data on submit | Not performed automatically |
| Typical fulfillment | Deactivation, suspension, redaction, selective row deletion |
| Printed history / audit / billing | May be retained per law and operator policy |
| Backups | Not auto-deleted; may age out per §4 |
In-app summary: Settings → Legal & compliance → Data export / deletion requests.
9. Legal hold
If litigation or an investigation requires preservation, the operator may suspend normal deletion despite this policy, on direction from legal counsel.
10. Review
Retention periods for commercial SaaS should be confirmed with attorney review and documented in the customer agreement and DPA where required.
*Draft only — Phase 2P-C expanded export/deletion request sections. No runtime changes.*