
Data Retention and Disposal Policy

Version 1.0 · Last updated April 25, 2026

Document purpose. This policy describes how long WhaleWatch retains each category of customer data, how that data is securely disposed of when no longer needed, and how users can exercise their rights to access, correct, or delete data. It is provided to vendors, regulators, and prospective customers in response to data-protection due-diligence requests.

1. Scope

This policy applies to all customer data accessed, processed, or stored by the WhaleWatch application (operated from British Columbia, Canada). It covers personal information collected directly from end users, financial-account data ingested via Plaid, payment metadata received from Stripe, and operational logs generated by the platforms that host the application.

2. Guiding Principles

  • Data minimization. We collect only the data needed to deliver the Service.
  • Purpose limitation. Data is retained only as long as needed for the purpose for which it was collected, plus any period required by law.
  • Storage limitation. Retention periods are bounded and documented in §3 below.
  • Secure disposal. When retention periods expire or a deletion request is honored, data is removed by methods that prevent recovery (see §4).
  • User rights first. A user's deletion request takes precedence over default retention windows except where overridden by law (see §6).

3. Retention Schedule

The following retention periods apply by default:

| Data category | Where stored | Retention |
|---|---|---|
| Account profile (email, password hash, preferences) | Supabase Auth + Postgres | While account active. Deleted within 30 days of a verified deletion request. |
| Watchlists, alerts, notes, delivery channels | Supabase Postgres | While account active. Deleted in the same cascade as the account. |
| Plaid access tokens | Supabase Postgres (encrypted) | Until user disconnects the institution OR account is deleted, whichever is first. |
| Brokerage holdings, balances, transactions (from Plaid) | Supabase Postgres | Same as the linked Plaid item. Removed when the institution is disconnected or the account is deleted. |
| Stripe billing records (subscription state, last-4 of card) | Stripe + Supabase Postgres reference | Stripe retains billing records per financial regulation (typically 7 years). We delete our reference rows on account deletion. |
| Transactional email logs (alerts, receipts) | Resend | Per Resend default (typically 30 days for delivery metadata). We do not store the email body server-side after delivery. |
| Application audit logs (DB queries, function invocations) | Supabase | Per Supabase default (~7 days for query logs, longer for security-relevant audit events). |
| Web request logs (IP, path, status, UA) | Cloudflare | Per Cloudflare default (~7 days). |
| Database backups | Supabase managed snapshots | 7 days rolling. |
| Source code | Private GitHub repository | Indefinite version history. Contains no customer data. |

All retention periods may be extended where required by applicable law (e.g., tax, anti-money-laundering, litigation hold) or shortened in response to a verified user deletion request (see §6).

4. Disposal Methods

  • Application-level deletion. When a user account is deleted, all rows in our PostgreSQL database keyed to that user are removed via cascading ON DELETE CASCADE foreign-key constraints in a single transaction.
  • Plaid access tokens. When a user disconnects an institution from the in-app portfolio screen, the corresponding Plaid access_token is invalidated through Plaid's /item/remove endpoint and then deleted from our database.
  • Logical deletion of derived data. Holdings, transactions, alerts, and watchlists associated with a deleted account are removed in the same cascade. They are not retained in any anonymized form.
  • Backup expiry. Daily Postgres snapshots taken by Supabase expire after 7 days, after which the deleted rows are unrecoverable from any operational system.
  • Cryptographic erasure. The underlying storage volume is encrypted with AES-256. Decommissioned volumes at our infrastructure providers (Supabase / AWS) are wiped or cryptographically erased per those providers' certified procedures.
  • Log expiry. Logs older than the retention window listed in §3 are dropped automatically by the underlying provider (Cloudflare, Supabase) and cannot be recalled.

5. Subprocessors and Their Retention

We do not directly control retention at our subprocessors, but we hold each to its published retention practices. Users exercising deletion rights can request that we propagate the deletion to subprocessors that hold their data:

  • Supabase — primary database; retention as listed in §3.
  • Cloudflare — request logs (~7 days), no persistent customer data.
  • Plaid — financial-account data; on disconnect, we revoke the access token. Plaid retains its own copy under its data-retention practices, accessible via Plaid's portal.
  • Stripe — payment records retained for the period required by financial-services regulation (typically 7 years).
  • Resend — transactional email metadata retained per Resend's policy; we do not store delivered email bodies.
  • Polygon, Finnhub, FMP, SEC EDGAR, Quiver Quant — public market-data providers; we send no personal information.

6. User Rights

  • Right of access. Users may request a copy of personal information we hold about them by emailing [email protected].
  • Right to correction. Account profile fields are editable in-app; other corrections may be requested by email.
  • Right to deletion. Users may request full deletion of their account and all associated data by emailing [email protected]. We action deletion requests within 30 days, including propagation to subprocessors where applicable.
  • Right to disconnect linked institutions. Users may disconnect any Plaid-linked brokerage from the in-app portfolio screen; this is immediate and self-serve.
  • Right to data portability. Users may export holdings, transactions, watchlists, and alerts in CSV format from the in-app screens, subject to plan limits.
  • Right to complain. Users may file a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca) or their local data-protection authority.

7. Legal Holds and Exceptions

Notwithstanding the retention periods listed in §3, we may retain specific records for longer where required to: (a) comply with a legal obligation (tax, AML, securities, or other regulation); (b) preserve evidence relevant to an ongoing legal claim, dispute, or law-enforcement request; or (c) investigate suspected fraud or security incidents. Records held under a legal hold are isolated, access is restricted to the minimum personnel needed, and the hold is released — with retained data deleted — once the triggering condition has been resolved.

8. Roles and Responsibilities

  • Policy owner. WhaleWatch operations team — accountable for maintaining and enforcing this policy.
  • Deletion-request handler. Inbound requests to [email protected] are triaged on receipt and actioned within the 30-day window.
  • Incident escalation. Any retention-related incident (e.g., failed deletion, accidental over-retention) is escalated to [email protected] for remediation and post-incident review.

9. Review Cadence

This policy is reviewed at least annually, and additionally whenever any of the following occurs: a material change to the categories of data we collect; a change in subprocessors; a change in the legal or regulatory environment that affects retention obligations; a security or privacy incident that suggests this policy needs updating.

10. Compliance Mapping

This policy is designed to be consistent with:

  • Personal Information Protection and Electronic Documents Act (PIPEDA) — Canada
  • British Columbia Personal Information Protection Act (PIPA-BC)
  • EU General Data Protection Regulation (GDPR) Articles 5 (storage limitation), 17 (right to erasure), 30 (records of processing)
  • California Consumer Privacy Act / California Privacy Rights Act (CCPA / CPRA)
  • SOC 2 Common Criteria CC6.5 (data disposal) and Privacy Criteria P4 (retention & disposal)

11. Contact

For questions about this policy or to exercise any of the rights listed in §6, contact [email protected]. For privacy or security incidents involving retained data, contact [email protected].

This Data Retention and Disposal Policy supplements the WhaleWatch Privacy Policy and Information Security Policy. In the event of a conflict, the most user-protective interpretation governs.