Data Retention and Disposal Policy
1. Purpose
This policy defines how Formation handles the retention and disposal of consumer financial data in compliance with applicable federal and state privacy laws. It establishes clear timeframes for data retention and outlines procedures for securely disposing of data when it is no longer needed or when a user requests deletion.
2. Scope
This policy applies to all consumer data collected through the Formation application at formationmoney.com, including:
- Financial account data retrieved via the Plaid API
- User-uploaded statements (PDF, CSV, OFX/QFX, image) and the balances, transactions, and holdings parsed from them
- User-entered equity compensation, K-1, and entity data (stock options, RSUs, trusts, LLCs, and related holdings)
- Credit-score data (via Array) and real-estate data from property addresses you add (via RentCast and address-lookup services)
- AURA memory (brief facts and session summaries) and quota usage
- Account information such as authentication credentials, preferences, and profile data
- Subscription and billing data managed through Stripe
- Transactional email records processed through Resend, and SMS two-factor authentication via Twilio
- Usage, performance, and security audit data generated through interaction with the application
3. Data Categories and Retention Periods
| Data Category | Retention Period | Disposal Trigger |
|---|---|---|
| Account credentials | Retained while account is active | Deleted within 30 days of account deletion request |
| Financial account data | Retained while account is active | Deleted within 30 days of account deletion or institution disconnect |
| Transaction history | Retained while the account is active, so your history and trends stay intact | Deleted within 30 days of account deletion |
| Uploaded statements | Parsed data retained while account is active; the original uploaded file is processed transiently and not stored long-term | Deleted within 30 days of account deletion |
| Equity compensation & entity data | Retained while account is active | Deleted within 30 days of account deletion |
| User preferences | Retained while account is active | Deleted within 30 days of account deletion |
| Subscription/billing data | Retained while subscription is active; billing history retained 12 months after cancellation for legal compliance | Purged after retention period or upon account deletion (whichever is later) |
| Usage/analytics data | Anonymized and aggregated after 90 days | No personally identifiable data retained beyond 90 days |
| Aggregation access tokens | Retained while the institution is connected | On disconnect, revoked at the provider where supported and deleted; on account deletion, Plaid items are removed and all stored tokens are deleted within 30 days |
| AURA memory | Brief facts and session summaries (not full transcripts) retained to power AURA's memory; raw chat threads stay in your browser, not on our servers | Cleared on request; soft-deleted memory is purged after 30 days; all deleted within 30 days of account deletion |
| Credit & real-estate data | Credit scores (via Array) and property valuations from addresses you add (via RentCast) retained while the account is active | Credit data deleted on credit-connection disconnect; all deleted within 30 days of account deletion |
| Security & device logs | Audit log of key account actions and technical request data (IP, user agent) retained for security and troubleshooting | Deleted within 30 days of account deletion; server logs rotated by our infrastructure providers |
Account credentials include email addresses and password hashes managed by Supabase Auth. Financial account data includes balances, account names, and account types retrieved through Plaid. Aggregation access tokens include Plaid access tokens.
4. Data Disposal Methods
Formation employs the following methods to ensure data is securely and permanently disposed of when retention periods expire or deletion is requested:
- Database records: Permanently deleted via SQL DELETE operations with cascading deletes across all related tables, ensuring no orphaned references remain.
-
Aggregation tokens: When you disconnect an institution, the token is revoked at the provider (for example, via Plaid
itemRemove) and deleted from our database. On full account deletion, Plaid items are removed via the Plaid API and all stored aggregation tokens are deleted from our database, so Formation can no longer access your financial institutions. - Stripe data: Any active subscription is cancelled via the Stripe API upon account deletion, and the Stripe customer ID is removed from our database. Stripe retains the underlying billing records (invoices, payments) as required by law and its own retention schedule; you may request their deletion directly from Stripe.
- Backups: Supabase manages encrypted backups with automatic rotation. Deleted data is purged from backups within 30 days as older backup snapshots are retired.
- Logs: Server logs (Netlify Functions and Supabase Edge Functions) are rotated and purged by our infrastructure providers, typically within 30 days.
5. User Rights
Formation respects users' rights to control their personal data. Users may exercise the following rights at any time:
- Right to deletion: Users may request deletion of their data through the app's account settings or by emailing info@formationmoney.com. Upon request, all user data is queued for deletion and the process is completed within 30 days.
- Right to data export: Users may export their data before deletion using the app's built-in export feature, ensuring they retain a copy of their information.
- Right to disconnect: Users may disconnect individual financial institutions at any time, which revokes the associated token at the provider where supported and deletes related financial data within 30 days.
6. Review Schedule
This policy is reviewed on an annual basis, or sooner if significant changes occur to our data handling practices, applicable regulations, or third-party service provider agreements.
- Current version effective date: July 7, 2026
- Next scheduled review date: July 7, 2027
7. Compliance
This policy is designed to comply with the following regulatory frameworks and contractual obligations:
- California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA)
- Applicable state privacy laws across all jurisdictions in which Formation operates
- Plaid's data access, handling, and security requirements under its developer and partner agreements
- Stripe's merchant and data handling agreements (PCI DSS)
- The data-processing terms of our other sub-processors (including Anthropic, OpenAI, Array, RentCast, Resend, and Twilio)
Formation continuously monitors changes to applicable privacy regulations and updates this policy and its practices accordingly.
8. Contact
For questions about this policy or to exercise your data rights, please contact us:
Privacy Inquiries