DocXBuddy

Data Retention Policy

Last updated: January 8, 2025

1. Overview

This Data Retention Policy explains how long DocxBuddy retains personal data and other information collected from users. We are committed to retaining data only as long as necessary for legitimate business purposes and in compliance with applicable laws.

2. Data Categories and Retention Periods

2.1 Account Data

  • User profile information: Retained for the lifetime of the account
  • Email address: Retained for the lifetime of the account
  • Password (encrypted): Retained for the lifetime of the account
  • Account preferences: Retained for the lifetime of the account

Deletion trigger: Account deletion by user or after 3 years of inactivity

2.2 Document Data

  • Uploaded files: Retained until user deletion or account termination
  • Document metadata: 30 days after file deletion
  • Processing logs: 90 days after document processing
  • AI interaction history: 1 year or until account deletion

Deletion trigger: User action, account deletion, or automatic expiry

2.3 Chat and Communication Data

  • Chat sessions with AI: 1 year from last interaction
  • Support conversations: 3 years for compliance and quality purposes
  • Feedback submissions: 2 years for product improvement

Deletion trigger: Automatic expiry or user request

2.4 Payment and Billing Data

  • Payment information: Not stored (handled by Stripe)
  • Billing records: 7 years for tax and legal compliance
  • Invoice data: 7 years for accounting purposes
  • Subscription history: 7 years for financial records

Legal requirement: Required by tax authorities and payment regulations

2.5 Technical and Usage Data

  • Access logs: 12 months for security analysis
  • Error logs: 6 months for debugging purposes
  • Analytics data: 24 months for product improvement
  • Performance metrics: 12 months for system optimization

Purpose: Security monitoring and service improvement

2.6 Marketing and Communication

  • Marketing consent: Until consent is withdrawn
  • Email campaign data: 3 years for effectiveness analysis
  • Unsubscribe records: Permanent (to respect preferences)

Note: You can withdraw consent at any time

3. Automated Deletion Processes

We have implemented automated systems to ensure data is deleted according to our retention schedules:

  • Daily cleanup: Removes expired temporary files and cache data
  • Weekly reviews: Identifies inactive accounts and expired sessions
  • Monthly purging: Deletes data that has reached retention limits
  • Quarterly audits: Reviews retention compliance and policies

4. User-Initiated Deletion

Users have control over their data and can request deletion at any time:

4.1 Account Deletion

  • Complete account deletion removes all personal data within 30 days
  • Some data may be retained longer if required by law
  • Billing records are retained for legal compliance (7 years)

4.2 Selective Data Deletion

  • Individual documents can be deleted immediately
  • Chat history can be cleared per session or entirely
  • Marketing preferences can be updated anytime

5. Legal and Regulatory Requirements

Some data must be retained to comply with legal obligations:

5.1 GDPR Compliance

  • Data is only retained for legitimate purposes
  • Regular reviews ensure minimal necessary retention
  • Users can request deletion under "right to be forgotten"

5.2 Financial Regulations

  • Tax records must be retained for 7 years
  • Payment processor requirements may extend retention
  • Anti-money laundering compliance may require extended retention

5.3 Security and Legal Proceedings

  • Data may be retained longer if subject to legal hold
  • Security incident data retained for investigation purposes
  • Court orders may require extended retention

6. Data Backup and Archive

We maintain secure backups for business continuity:

  • Daily backups: Retained for 30 days
  • Weekly backups: Retained for 6 months
  • Monthly archives: Retained for 1 year
  • Annual archives: Retained for legal compliance periods

7. Third-Party Data Retention

Some data is processed by third-party services with their own retention policies:

  • Supabase: Database and authentication data
  • Stripe: Payment processing records
  • AWS: File storage and backup systems
  • Analytics providers: Usage and performance data

8. Data Security During Retention

All retained data is protected with appropriate security measures:

  • Encryption: All data encrypted in transit and at rest
  • Access controls: Limited access on need-to-know basis
  • Regular audits: Security reviews and compliance checks
  • Secure disposal: Proper deletion when retention period ends

9. Policy Updates

This policy may be updated to reflect changes in:

  • Legal requirements and regulations
  • Business practices and data usage
  • Technology and security measures
  • User needs and feedback

We will notify users of material changes through email or website notices.

10. Contact Information

For questions about data retention or to request data deletion:

  • Email: privacy@docxbuddy.com
  • Data Protection Officer: dpo@docxbuddy.com
  • Address: Via del Lauro 9, Milan, Italy - 20121