Data Retention & Deletion Policy
Last Updated: February 18, 2026
1. Purpose
This Data Retention & Deletion Policy describes how Chronly retains, manages, and securely deletes personal information in accordance with applicable Canadian privacy laws, including the Personal Information Protection and Electronic Documents Act (PIPEDA).
Chronly collects and processes financial transaction data to provide bookkeeping, categorization, receipt management, and tax tracking functionality.
2. Categories of Information Collected
Chronly may collect and store the following categories of information:
- Account registration information (name, email address, business details)
- Bank transaction data synchronized via Plaid
- Transaction categorizations (business/personal)
- Uploaded receipts and supporting documents
- Tax-related annotations (including GST/PST/HST amounts)
- Usage and audit logs necessary for system integrity and security
Chronly does not store users' online banking credentials.
3. Retention Principles
Chronly retains personal information only:
- For as long as the user maintains an active account; and
- As necessary to provide services requested by the user; and
- As required to comply with applicable legal, tax, accounting, or regulatory obligations.
By default, user transaction and receipt data is retained for the duration of the user's active account to preserve historical financial records.
4. Account Deletion & User-Requested Deletion
Users may request deletion of their account and associated personal information at any time by:
- Using in-app account deletion functionality; or
- Submitting a written request to [email protected].
Upon verified request:
- Plaid access tokens will be revoked;
- Linked financial account connections will be terminated;
- Transaction data, receipts, and associated personal information will be permanently deleted from active systems within a reasonable period (generally within 30 days).
Backup copies are retained only for disaster recovery purposes and are automatically overwritten in accordance with system retention schedules.
5. Legal Retention Requirements
In certain circumstances, Chronly may retain limited information where required to:
- Comply with tax, accounting, or legal obligations;
- Resolve disputes;
- Enforce agreements;
- Detect or prevent fraud or security incidents.
Where retention is required by law, data will be retained only for the minimum period required and then securely deleted.
6. Secure Deletion Practices
Chronly implements administrative, technical, and physical safeguards to protect personal information.
When data is deleted:
- It is removed from production databases;
- Associated file storage (including receipts) is permanently deleted;
- Access credentials are revoked;
- Data is no longer accessible to users or internal staff.
Chronly uses secure cloud infrastructure providers that maintain industry-standard data protection and destruction practices.
7. Policy Review
This policy is reviewed at least annually and updated as necessary to reflect operational, legal, or regulatory changes.
8. Privacy Contact
For privacy-related questions or deletion requests, contact: