Version 1.0 · Last updated 4 July 2026
This policy explains how long Zaisei keeps each type of data and how it is securely disposed of, consistent with the data-minimisation and storage-limitation principles of applicable data-protection laws (e.g. GDPR/UK GDPR and CCPA/CPRA). It complements our Privacy Policy.
| Data | Where | Retention |
|---|---|---|
| Account (email, password hash) | Server (Postgres) | Until you delete your account |
| Bank/brokerage access tokens (encrypted) | Server (Postgres) | Until you remove the linked institution or delete your account |
| Property records | Server (Postgres) | Until you remove the property or delete your account |
| Balances, transactions, holdings, recurring | Not stored server-side | Fetched live; only cached on your device |
| Sessions (login tokens) | Server (Postgres) | Full-access: 30 days, extended on use. Read-only shares: the lifetime you choose. Expired sessions are cleared automatically. |
| On-device caches (transactions, holdings, FX, logos) | Your device | Until you log out or switch accounts (then wiped); also refreshed periodically |
| Server request logs (IP, path, status) | Server | 31 days, then deleted automatically |
| Encrypted database backups | Backup storage | 30 days, then rotated out automatically |
You can delete your account at any time from Profile → Delete account in the app. When you do:
account record is deleted, and every related record is removed by
cascading deletion: sessions, linked identities, bank links, provider users
and properties.We may retain the minimum data required to comply with legal obligations (e.g. tax, anti-fraud) or to resolve disputes, for only as long as the law requires.
Records are removed from the live database via cascading deletes. Backups are stored encrypted and rotated out on the schedule above; media at end of life is cryptographically erased. Third-party providers dispose of data per their own retention terms once a connection is revoked.
Most retention and deletion actions are self-service in the app. For any other request (access, correction, export, or deletion assistance), contact [email protected]. We aim to respond within the timeframe required by applicable law (e.g. 30 days under GDPR).