01 Purpose and scope
This policy defines how long Carlo Finance (“Carlo”) retains each category of user data and how that data is disposed of when it is no longer needed. It applies to all data collected through the Carlo application, including data received from third-party services like Plaid.
The goals are straightforward: keep data only as long as it serves a legitimate purpose, dispose of it securely when that purpose ends, and give users clear control over their own data.
02 Data categories and retention periods
The following table summarizes retention periods for each category of data we handle:
| Category | Examples | Retention | Disposal method |
|---|---|---|---|
| Plaid account data | Account info, balances, transactions | Duration of active account + 30 days | Database deletion + backup rotation |
| Financial projections and scenarios | Simulation results, what-if outputs | Duration of active account | Database deletion |
| User profile and goals | Income, savings targets, retirement timeline | Duration of active account + 30 days | Database deletion |
| Authentication credentials | Hashed passwords, session tokens, Plaid access tokens | Duration of account; immediate on deletion | Cryptographic erasure |
| Usage and analytics data | Pages visited, features used, interaction patterns | 24 months rolling | Automated purge |
| Server logs | IP addresses, request logs, error logs | 90 days | Automated purge |
| Support communications | Email threads, in-app support messages | 2 years after resolution | Manual deletion |
03 User-initiated deletion
You have the right to request deletion of your data at any time. Here is how it works:
How to request deletion
- In-app — use the account settings page to request account deletion directly (available at launch).
- Email — send a request to privacy@carlo.finance from the email address associated with your account.
What happens next
- We verify your identity and acknowledge the request within 5 business days.
- All personal and financial data is deleted from production systems within 30 days of the verified request.
- Plaid access tokens are revoked immediately, severing the connection to your financial institutions.
- Backups containing your data are purged within 30 days of the deletion request (see Backup Retention below).
- We send you a confirmation email once deletion is complete.
What we cannot delete
Aggregate, de-identified data that has been stripped of all personal identifiers and cannot be linked back to you may be retained for product analytics. This data cannot identify you.
04 Account closure process
When you close your Carlo account:
- Immediate — your account is deactivated. You can no longer log in or access simulations.
- Immediate — all Plaid access tokens are revoked. Your financial institutions are disconnected from Carlo.
- Within 30 days — all personal data, financial data, projections, and profile information are deleted from production databases.
- Within 30 days — your data is purged from backup systems as backup rotation completes.
- Confirmation — you receive an email confirming that account closure and data deletion are complete.
05 Backup retention and disposal
Database backups are an essential part of our disaster recovery plan. Here is how they interact with data deletion:
- Backup schedule — production databases are backed up daily. Backups are encrypted at rest using the same encryption standard as the production database.
- Backup rotation — backups are retained on a rolling basis. Older backups are automatically replaced as new ones are created.
- Deletion requests — when a user requests data deletion, their data is purged from backups within 30 days as the backup rotation cycle completes. We do not selectively delete individual records from encrypted backups; instead, we rely on the rotation cycle to ensure complete removal.
- Restoration safeguard — if a backup containing deleted user data must be restored for disaster recovery purposes, we re-apply pending deletion requests immediately after restoration.
06 Exceptions
In limited circumstances, we may retain data beyond the periods listed above:
- Legal holds — if we receive a legal preservation request (litigation hold, government investigation), we will retain relevant data for the duration of the hold, even if it exceeds our standard retention period.
- Regulatory requirements — certain financial regulations may require us to retain specific categories of data for longer than our standard periods. If this applies, we will retain only the minimum data required and delete it as soon as the regulatory obligation ends.
- Fraud prevention — data associated with accounts flagged for fraud or abuse may be retained for up to 3 years after account closure to support fraud prevention and investigation.
In all exception cases, we apply the same security controls to retained data as we do during normal retention.
07 Policy review
This Data Retention & Disposal Policy is reviewed at least annually. Reviews assess:
- Whether retention periods remain appropriate for current product functionality and regulatory requirements.
- Whether disposal methods remain adequate given current data storage technologies.
- Whether new data categories have been introduced that need retention schedules.
- Whether any regulatory changes require adjustments to retention or disposal practices.
The next scheduled review is April 2027.
08 Responsible parties
- Policy owner — the CTO is responsible for maintaining this policy and ensuring that retention and disposal practices are implemented as described.
- Implementation — automated purge jobs for analytics data and server logs are managed by the engineering team. Manual deletion processes (support communications) are tracked and executed by the responsible team member.
- Compliance verification — retention compliance is verified during the annual policy review. As the team grows, this will be incorporated into our planned SOC 2 audit cycle.
09 Contact
Questions about this policy or requests related to data retention and deletion: