FolioTalk Data Deletion and Retention Policy

Effective Date: February 21, 2026
Last Updated: February 21, 2026

1. Purpose

This policy defines how FolioTalk retains, archives, and deletes user data. It ensures compliance with applicable data protection regulations and our commitments to users regarding their personal and financial information.

2. Data Categories and Retention Periods

| Data Category | Description | Retention Period | Deletion Method |
|---|---|---|---|
| User Account Data | Google user ID, name, email | Duration of active account + 30 days after deletion request | Hard delete from database |
| Plaid Access Tokens | Encrypted tokens for financial institution connections | Until user unlinks the account or deletes their account | Hard delete from database; Plaid item revoked via API |
| Financial Holdings Data | Investment positions, balances, account info | Refreshed on each session; cached data overwritten on refresh | Overwritten on refresh; hard deleted on account deletion |
| Server Logs | IP addresses, request timestamps, error logs | 90 days | Automatic rotation and deletion |
| Authentication Tokens | JWT session tokens | 24 hours (token expiry) | Automatic expiry; not stored server-side |

3. Data Deletion Procedures

3.1 User-Initiated Account Deletion

When a user requests account deletion:

  1. Immediate actions (within 24 hours):
    • User session is invalidated
    • All Plaid items are revoked via the Plaid API (/item/remove), which disconnects access to financial institutions
    • User account is marked for deletion

  2. Within 30 days:
    • All user data is permanently deleted from the database, including:
      • User profile information
      • Plaid access tokens (encrypted)
      • Any cached financial data
    • Deletion is verified and logged

  3. Confirmation:
    • User receives email confirmation that their data has been deleted

3.2 Individual Account Unlinking

When a user unlinks a specific financial institution:

  1. The Plaid item for that institution is revoked via the Plaid API
  2. The associated access token is deleted from our database
  3. Any cached holdings data from that institution is removed

3.3 Automated Data Cleanup

4. Data Deletion Requests

Users can request data deletion by:

  • Using the account deletion feature within the application
  • Contacting us at hello@folio.talk

We will acknowledge deletion requests within 48 hours and complete deletion within 30 days.

5. Exceptions

Data may be retained beyond the stated periods only if:

  • Required by applicable law or regulation
  • Needed to resolve an active dispute or legal proceeding
  • Necessary for legitimate security purposes (e.g., fraud investigation)

In such cases, the data is retained only for the minimum period required and is deleted promptly thereafter.

6. Third-Party Data

When we delete user data:

  • Plaid: We revoke access tokens, which instructs Plaid to stop accessing the user's financial data. Plaid's own data retention is governed by Plaid's Privacy Policy.
  • Google: We do not store Google credentials. Revoking Google OAuth access is done by the user through their Google account settings.

7. Policy Review

This policy is reviewed and updated at least annually, or whenever there are significant changes to our data handling practices.

8. Contact

For questions about this policy or to submit a data deletion request, contact:

  • Email: hello@folio.talk