Effective: 05/20/26 · Version: 1.0

StackSense Data Retention Policy

StackSense is still in beta; these policies are subject to change as the product evolves. This policy defines how long StackSense keeps each category of personal data, why, and how it gets deleted. It supports the Privacy Policy and internal compliance obligations.

Purpose

Define how long StackSense keeps each category of personal data, why, and how it gets deleted. This document supports the Privacy Policy section 7 and is required by GDPR Article 5(1)(e), Quebec Law 25, and several state privacy laws.

This is both a user-facing commitment (summarized in the Privacy Policy) and an internal engineering specification.

1. Retention principles

  1. We collect only the minimum data needed
  2. We keep it only as long as needed to deliver the service or meet a legal obligation
  3. We delete it on a documented schedule
  4. Users can trigger early deletion through the data rights panel
  5. Some categories must be retained longer because law requires it (billing, tax)
  6. Backups are deleted on a rolling cycle, not instantly, and users are informed of this

2. Retention schedule by data category

Data category | Source | Retention while account active | Retention after account deletion | Legal basis for retention period
--- | --- | --- | --- | ---
Account email and hashed password | User signup | Until account is deleted | Soft-deleted immediately. Hard-deleted within 90 days. | Performance of contract while active. Limited post-deletion for backup cycle.
Supplement, peptide, dose logs | User entry | Until account is deleted | Permanently deleted within 90 days from primary DB. Up to 6 months in backups. | Performance of contract. Health data deletion is mandatory under GDPR right to erasure.
Symptom logs | User entry | Until account is deleted | Permanently deleted within 90 days. Up to 6 months in backups. | Same.
Body composition data | User entry | Until account is deleted | Permanently deleted within 90 days. | Same.
Injection site notes | User entry | Until account is deleted | Permanently deleted within 90 days. | Same.
Photos attached to logs | User upload | Until account is deleted or user deletes the photo | Permanently deleted within 90 days. | Same.
Protocol notes / cycle plans | User entry | Until account is deleted | Permanently deleted within 90 days. | Same.
Subscription tier and status | Stripe + our DB | Until account is deleted | Anonymized after deletion. Tier never linked back. | Service delivery.
Billing records (invoices, payment history) | Stripe | 7 years from issuance | 7 years from issuance | Canadian tax law (Income Tax Act), Quebec consumer protection law, GAAP. This overrides user deletion requests for billing records only. Users get a clear notice about this in the deletion flow.
Stripe customer record | Stripe | Until account is deleted | Anonymized in Stripe (PII fields cleared) after 90 days. Stripe retains transaction records for their compliance reasons (PCI-DSS, AML). | Stripe DPA defines their retention.
IP address (server logs) | Web server, Vercel | 30 days | 30 days | Security investigation window. Required for abuse prevention.
User-agent strings, device type | Web server | 30 days | 30 days | Same.
PostHog / Plausible analytics events | App | 90 days | n/a (anonymized at collection) | Trend analysis. Beyond 90 days we use aggregates.
Sentry crash reports (if user opted in) | App | 90 days | 90 days | Bug investigation.
Email correspondence (to privacy@, support@) | Gmail/Workspace | 3 years | 3 years | Limitations period for consumer claims. We may shorten this once we have legal counsel.
Compliance records (DPAs, breach register, DPIA, audit logs) | Internal | Indefinite for active records, 7 years after retirement | Same | Required for regulator inspection.
Signup ToS and Privacy acceptance records | DB | Indefinite while account exists, 7 years after deletion | 7 years | Required to prove consent in disputes.

3. Definitions

4. Deletion grace period

When a user deletes their account, we apply the following grace period to prevent accidents:

Users are told this explicitly in the deletion flow and in the Privacy Policy.

6. Exception: legal hold

If StackSense receives a litigation hold or regulator preservation order, the deletion job must skip affected users. Implement an admin flag:

ALTER TABLE users ADD COLUMN legal_hold BOOLEAN DEFAULT FALSE;

Purge cron job predicate: WHERE deleted_at IS NOT NULL AND purge_after < NOW() AND legal_hold = FALSE. Rows under hold are never selected, so they are neither hard-deleted nor pushed to vendor deletion.

When a hold is in place, the account stays soft-deleted and its data is preserved until the hold is lifted, at which point the normal purge schedule resumes. Inform the user that we have received a legal order (unless prohibited from doing so).
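The following Python is an added illustration of the soft-delete, legal-hold and purge steps described in this section; it is not StackSense's own job code. It runs against an in-memory SQLite table standing in for the production users table (Postgres in production, where NOW() is used instead of a bound timestamp). The column names deleted_at, purge_after and legal_hold follow the policy text, the 90-day grace period is the policy's figure, and every user row and timestamp is constructed for the demonstration.

```python
"""Purge job with legal-hold skip: added illustration, not StackSense code.

Runs against an in-memory SQLite table that stands in for the production
users table (Postgres in production; NOW() becomes a bound parameter here).
Column names deleted_at, purge_after and legal_hold follow the policy text;
GRACE_PERIOD is the policy's 90-day figure; all user rows are constructed.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

GRACE_PERIOD = timedelta(days=90)  # policy: hard-delete within 90 days


def open_db():
    """Create the minimal users table the purge job needs."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """
        CREATE TABLE users (
            id          INTEGER PRIMARY KEY,
            email       TEXT NOT NULL,
            deleted_at  TEXT,                   -- NULL while the account is live
            purge_after TEXT,                   -- deleted_at + GRACE_PERIOD
            legal_hold  BOOLEAN DEFAULT FALSE   -- admin flag from this section
        )
        """
    )
    return conn


def soft_delete(conn, user_id, now):
    """Step 1 of account deletion: mark the row and schedule its hard delete.

    Timestamps are stored as ISO 8601 UTC strings so SQLite can compare them
    lexicographically; a second call on an already deleted row is a no-op."""
    conn.execute(
        "UPDATE users SET deleted_at = ?, purge_after = ? "
        "WHERE id = ? AND deleted_at IS NULL",
        (now.isoformat(), (now + GRACE_PERIOD).isoformat(), user_id),
    )


def set_legal_hold(conn, user_id, held):
    """Admin action: place (True) or lift (False) a litigation hold."""
    conn.execute("UPDATE users SET legal_hold = ? WHERE id = ?", (held, user_id))


def purge_expired(conn, now):
    """The cron job. Hard-deletes accounts whose grace period has passed,
    skipping any under legal hold. Returns the ids removed, for the audit log."""
    rows = conn.execute(
        "SELECT id FROM users "
        "WHERE deleted_at IS NOT NULL AND purge_after < ? AND legal_hold = FALSE",
        (now.isoformat(),),
    ).fetchall()
    ids = [r[0] for r in rows]
    conn.executemany("DELETE FROM users WHERE id = ?", [(i,) for i in ids])
    conn.commit()
    return ids


def remaining_ids(conn):
    """Ids still present, in order (used to check what the job left behind)."""
    return [r[0] for r in conn.execute("SELECT id FROM users ORDER BY id")]


def run_demo():
    """Constructed scenario: four accounts, three deleted, one under hold."""
    t0 = datetime(2026, 5, 20, tzinfo=timezone.utc)
    conn = open_db()
    conn.executemany(
        "INSERT INTO users (id, email) VALUES (?, ?)",
        [(1, "a@example.com"), (2, "b@example.com"),
         (3, "c@example.com"), (4, "d@example.com")],
    )
    soft_delete(conn, 1, t0)                        # past grace at run time
    soft_delete(conn, 2, t0)                        # past grace, but on hold
    soft_delete(conn, 3, t0 + timedelta(days=30))   # still inside grace
    set_legal_hold(conn, 2, True)                   # user 4 is never deleted

    run_at = t0 + timedelta(days=91)
    first_purge = purge_expired(conn, run_at)       # only user 1 goes
    after_first = remaining_ids(conn)               # 2 (held), 3, 4 survive

    set_legal_hold(conn, 2, False)                  # hold lifted later
    second_purge = purge_expired(conn, run_at)      # now user 2 goes
    return first_purge, after_first, second_purge


if __name__ == "__main__":
    print(run_demo())
```

Returning the purged ids from the job, rather than only deleting, is what lets the audit log (a compliance record in the retention schedule) show which accounts were hard-deleted on each run and which were skipped under hold.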

7. Exception: billing records

Stripe customer records and our local billing-summary records (subscription_history, invoices, payment_history) are retained for 7 years from the transaction date. This is to satisfy:

Tell users this in the deletion flow:

When you delete your account, your health data is gone from our active database within 90 days. Your billing records will be retained for 7 years because tax law requires it. These records show only that you paid for the service, the amount, and the date. They do not include health data.

This honors the user's right to erasure to the maximum extent permitted under Article 17(3)(b) GDPR (compliance with legal obligation).

8. User-triggered partial deletions

Users can also delete individual logs (a wrong entry, a private note) without deleting their whole account. These deletions follow the same backup-rotation rule: gone from primary DB immediately, gone from backups on rotation.

We do not maintain a "trash bin" by default. If a user wants undo, that's a product feature, not a compliance one. Currently out of scope.

9. Vendor responsibilities

Each vendor processing user data must also honor deletion within a comparable timeline. Verified via:

Vendor | Their retention commitment | Where documented
--- | --- | ---
Supabase | Honors data deletion within standard backup window | DPA
Vercel | Logs auto-delete on schedule, no persistent user PII | DPA
Stripe | Anonymizes customer PII on request, retains transaction data per their compliance | DPA
Anthropic | No personal data sent under our integration. Generic compound queries only. | DPA + architecture review
PostHog / Plausible | Anonymized at collection, 90-day retention | Privacy settings + DPA
Sentry | 90-day retention setting we control | Project settings

When we delete a user, we trigger downstream deletion at each vendor where required.

10. User communication

Summarize this in plain English in the Privacy Policy section 7 and the in-app data rights panel. Don't make users read this whole policy.

User-facing summary:

When you delete your account, your health data is gone from our active database within 90 days. Backups roll off over the following 6 months. Your billing records are retained for 7 years because tax law requires it.

11. Review

This policy is reviewed annually, or whenever:

Last reviewed: 05/20/26

End of Data Retention Policy. Version 1.0.