Data Retention and Disposal Policy
Effective Date: January 9, 2026
Version: 1.0
Owner: AIPWM Compliance
Review Cycle: Annual
1. Purpose
This policy establishes guidelines for retaining and disposing of data collected, processed, and stored by AIPWM. It ensures compliance with legal and regulatory requirements while protecting user privacy and minimizing data liability.
2. Scope
This policy applies to all data processed by AIPWM, including:
- User account data
- Financial account data (via Plaid, SnapTrade, manual entry)
- Transaction history
- Investment holdings and performance data
- AI conversation logs and client memory
- Audit logs and system logs
- Backup data
3. Regulatory Framework
AIPWM operates under multiple regulatory requirements affecting data retention:
| Regulation | Requirement | Applies To |
|------------|-------------|------------|
| SEC Rule 17a-4 | 6 years for brokerage records | Investment records, trade history |
| IRS | 7 years for tax-related records | Tax lots, cost basis, gains/losses |
| Bank Secrecy Act | 5 years for financial records | Transaction records, KYC data |
| CCPA/CPRA | Deletion upon request (with exceptions) | California resident PII |
| SOC 2 | Defined retention with secure disposal | All data categories |
4. Data Categories and Retention Periods
4.1 User Account Data
| Data Type | Examples | Retention Period | Disposal Method |
|-----------|----------|------------------|-----------------|
| Authentication credentials | Password hashes, MFA seeds | Account lifetime + 30 days | Cryptographic erasure |
| Profile information | Name, email, phone | Account lifetime + 7 years | Database deletion |
| Investor profile | Risk score, preferences | Account lifetime + 7 years | Database deletion |
| Financial goals | Target amounts, timelines | Account lifetime + 7 years | Database deletion |
4.2 Connected Account Data
| Data Type | Examples | Retention Period | Disposal Method |
|-----------|----------|------------------|-----------------|
| Provider credentials | Plaid/SnapTrade tokens | Until disconnection + 30 days | Cryptographic erasure |
| Account metadata | Institution name, account mask | Account lifetime + 7 years | Database deletion |
| Account balances | Current/available balance | 7 years from sync date | Database deletion |
4.3 Investment Data
| Data Type | Examples | Retention Period | Disposal Method |
|-----------|----------|------------------|-----------------|
| Holdings snapshots | Positions, quantities, values | 7 years | Database deletion |
| Tax lots | Cost basis, purchase date | 7 years after lot closed | Database deletion |
| Realized gains/losses | Proceeds, gain/loss amount | 7 years from tax year | Database deletion |
| Dividends received | Amount, date, reinvestment | 7 years from tax year | Database deletion |
4.4 Transaction Data
| Data Type | Examples | Retention Period | Disposal Method |
|-----------|----------|------------------|-----------------|
| Investment transactions | Buys, sells, transfers | 7 years | Database deletion |
| Banking transactions | Deposits, withdrawals | 7 years | Database deletion |
| Wash sale records | Disallowed loss adjustments | 7 years after final lot closed | Database deletion |
4.5 AI and Conversation Data
| Data Type | Examples | Retention Period | Disposal Method |
|-----------|----------|------------------|-----------------|
| Chat sessions | User messages, AI responses | 3 years | Database deletion |
| Client memory | Extracted personal facts | Account lifetime + 90 days | Database deletion |
| IC Memos | AI-generated research | 3 years | Database deletion |
| Agent orchestration logs | Step execution, tool calls | 1 year | Database deletion |
4.6 System and Audit Data
| Data Type | Examples | Retention Period | Disposal Method |
|-----------|----------|------------------|-----------------|
| Audit logs | User actions, resource access | 7 years | Archive then delete |
| API usage logs | Endpoint calls, response times | 1 year | Database deletion |
| Sync job history | Sync status, error details | 1 year | Database deletion |
| Security events | Failed logins, permission denials | 3 years | Archive then delete |
4.7 Legal and Estate Documents
| Data Type | Examples | Retention Period | Disposal Method |
|-----------|----------|------------------|-----------------|
| Uploaded documents | Wills, trusts, POA | Account lifetime + 7 years | Secure file deletion |
| Beneficiary records | Designations, percentages | Account lifetime + 7 years | Database deletion |
| Family member data | Names, relationships, DOB | Account lifetime + 7 years | Database deletion |
5. Retention Period Triggers
5.1 Start of Retention Period
| Event | Retention Starts |
|-------|------------------|
| Account creation | Date of first login |
| Transaction recorded | Transaction date |
| Tax lot opened | Purchase date |
| Tax lot closed | Sale date |
| Document uploaded | Upload date |
| Chat session | Session end date |
5.2 End of Retention Period
Retention periods are calculated from:
- Account data: Date of account closure or deletion request
- Tax-related data: End of the tax year in which the data was relevant
- Transactional data: Transaction settlement date
- Audit data: Date of log entry
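The trigger rules in sections 4 and 5 can be turned into a single function that fills the `retention_expires_at` column used later in this policy. The following is an added example, not code from AIPWM's own system; the category keys and the `RULES` table are assumptions that mirror the policy tables, and periods are taken from them unchanged.

```javascript
// Added example (not AIPWM code): compute retention_expires_at for a record.
// 'account' rules run from account closure, 'taxYear' rules from the end of the
// tax year of the trigger date, 'event' rules from the trigger date itself.
// The category names below are assumptions chosen to match the policy tables.
const RULES = {
  authentication_credentials: { basis: 'account', days: 30 },
  profile_information:        { basis: 'account', years: 7 },
  provider_credentials:       { basis: 'event',   days: 30 },  // from disconnection
  tax_lots:                   { basis: 'event',   years: 7 },  // from lot close date
  realized_gains:             { basis: 'taxYear', years: 7 },
  investment_transactions:    { basis: 'event',   years: 7 },  // from settlement date
  chat_sessions:              { basis: 'event',   years: 3 },  // from session end
  client_memory:              { basis: 'account', days: 90 },
  audit_logs:                 { basis: 'event',   years: 7 },  // from log entry date
  api_usage_logs:             { basis: 'event',   years: 1 },
};

// Add whole years/days in UTC so DST and month lengths cannot shift the result.
function addPeriod(date, { years = 0, days = 0 }) {
  const d = new Date(date.getTime());
  d.setUTCFullYear(d.getUTCFullYear() + years);
  d.setUTCDate(d.getUTCDate() + days);
  return d;
}

// Returns the UTC instant at which the record becomes eligible for disposal,
// or null for "account lifetime" rules while the account is still open.
// triggerDate: settlement, sale, upload, session-end or log-entry date.
// closedAt: account closure or deletion-request date (null while open).
function computeRetentionExpiry(category, triggerDate, closedAt = null) {
  const rule = RULES[category];
  if (!rule) throw new Error(`unknown retention category: ${category}`);
  let start;
  switch (rule.basis) {
    case 'account':
      if (!closedAt) return null;            // clock has not started yet
      start = closedAt;
      break;
    case 'taxYear':
      // End of the tax year in which the data was relevant: Dec 31, 23:59:59.999 UTC.
      start = new Date(Date.UTC(triggerDate.getUTCFullYear(), 11, 31, 23, 59, 59, 999));
      break;
    default:
      start = triggerDate;
  }
  return addPeriod(start, rule);
}
```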
6. Data Disposal Procedures
6.1 Cryptographic Erasure
For encrypted data (credentials, sensitive PII):
- Delete encryption keys from key management system
- Overwrite encrypted data blocks with random data
- Delete database records
- Verify deletion in audit log
```sql
-- Example: Dispose of provider credentials
UPDATE provider_credentials
SET plaid_access_token = NULL,
    snaptrade_user_secret = NULL,
    is_active = false,
    disposed_at = NOW(),
    disposed_reason = 'retention_policy'
WHERE id = $1;

-- After 30-day grace period
DELETE FROM provider_credentials WHERE disposed_at < NOW() - INTERVAL '30 days';
```
6.2 Database Deletion
For non-encrypted structured data:
- Soft delete with `deleted_at` timestamp
- Maintain 30-day grace period for recovery
- Hard delete after grace period
- Log deletion in audit trail
```sql
-- Soft delete
UPDATE connected_accounts SET deleted_at = NOW() WHERE id = $1;

-- Hard delete (run via scheduled job)
DELETE FROM connected_accounts WHERE deleted_at < NOW() - INTERVAL '30 days';
```
6.3 Secure File Deletion
For uploaded documents and files:
- Remove file from storage (S3/Supabase Storage)
- Delete all cached/CDN copies
- Remove database references
- Verify deletion via storage audit
6.4 Archive Before Deletion
For audit and compliance data:
- Export to encrypted archive format
- Store in cold storage (S3 Glacier)
- Delete from primary database
- Maintain archive index for legal discovery
7. User-Initiated Deletion
7.1 Account Deletion Request
When a user requests account deletion:
1. Immediate Actions (within 24 hours):
   - Revoke all active sessions
   - Disconnect all provider connections (Plaid, SnapTrade)
   - Remove from AI client memory
   - Disable login
2. 30-Day Grace Period:
   - Data retained but inaccessible
   - User can request reactivation
   - Automated emails at day 7, 14, 25
3. Final Deletion (after 30 days):
   - Delete user authentication record
   - Delete profile and investor data
   - Archive audit logs (7-year retention)
   - Delete chat history
7.2 Data Portability
Before deletion, users may request export of:
- Transaction history (CSV)
- Holdings history (CSV)
- Tax lot data (CSV)
- Chat transcripts (JSON)
- Uploaded documents (original format)
7.3 Retention Exceptions
Data may be retained beyond user deletion request for:
- Active legal hold or litigation
- Regulatory audit or investigation
- Tax documentation requirements (7 years)
- Fraud investigation
User must be notified of any retention exception.
8. Third-Party Data
8.1 Provider Data (Plaid, SnapTrade)
| Provider | Their Retention | Our Retention | Sync |
|----------|-----------------|---------------|------|
| Plaid | Per their policy | Matches our policy | On disconnect: revoke token |
| SnapTrade | Per their policy | Matches our policy | On disconnect: delete user |
| Coinbase | Per their policy | Matches our policy | On disconnect: revoke OAuth |
On account disconnection:
- Revoke access tokens immediately
- Mark account as disconnected
- Retain historical data per retention schedule
- Stop future syncs
8.2 AI Provider Data (Anthropic)
- Conversation data sent to Claude API
- Anthropic retention: per their data policy
- AIPWM does not control third-party retention
- Users informed in privacy policy
9. Backup Data
9.1 Backup Retention
| Backup Type | Retention | Disposal |
|-------------|-----------|----------|
| Daily database backup | 30 days | Automatic expiration |
| Weekly database backup | 90 days | Automatic expiration |
| Monthly database backup | 1 year | Manual deletion |
| Point-in-time recovery | 7 days | Automatic |
9.2 Backup Disposal
- Backups automatically expire per schedule
- User deletion requests apply to backups
- Deleted data removed from next backup cycle
- Cannot selectively delete from existing backups
10. Implementation
10.1 Automated Disposal Jobs
```javascript
// Scheduled job: Run daily at 2 AM UTC
async function runDataDisposal() {
  // 1. Hard delete soft-deleted records past grace period
  await hardDeleteExpiredRecords();
  // 2. Archive audit logs older than active retention
  await archiveOldAuditLogs();
  // 3. Delete expired chat sessions
  await deleteExpiredChatSessions();
  // 4. Clean up orphaned provider credentials
  await cleanupOrphanedCredentials();
  // 5. Log disposal run
  await logDisposalRun();
}
```
10.2 Database Schema Support
Required columns for retention management:
```sql
-- Add to all retained tables
ALTER TABLE connected_accounts ADD COLUMN deleted_at TIMESTAMPTZ;
ALTER TABLE connected_accounts ADD COLUMN retention_expires_at TIMESTAMPTZ;
ALTER TABLE connected_accounts ADD COLUMN legal_hold BOOLEAN DEFAULT false;

-- Index for disposal queries
CREATE INDEX idx_retention_expires ON connected_accounts(retention_expires_at)
  WHERE deleted_at IS NOT NULL AND legal_hold = false;
```
10.3 Legal Hold Process
When legal hold is required:
- Compliance officer flags affected records
- Setting `legal_hold = true` prevents automated deletion
- Hold reviewed quarterly
- Released only by compliance officer
```sql
-- Apply legal hold
UPDATE audit_log SET legal_hold = true
WHERE family_id = $1 AND created_at BETWEEN $2 AND $3;
```
11. Monitoring and Compliance
11.1 Disposal Audit Trail
All disposals are logged to the `disposal_log` table:
```sql
CREATE TABLE disposal_log (
  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
  table_name TEXT NOT NULL,
  record_count INTEGER NOT NULL,
  disposal_type TEXT NOT NULL,    -- 'soft_delete', 'hard_delete', 'archive', 'crypto_erase'
  disposal_reason TEXT NOT NULL,  -- 'retention_policy', 'user_request', 'legal_requirement'
  executed_at TIMESTAMPTZ DEFAULT NOW(),
  executed_by TEXT                -- 'system' or user_id
);
```
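The hard-delete statements in 6.2 and the job skeleton in 10.1 do not show the legal-hold check from 10.3 or the `disposal_log` entry from 11.1 together. The following added example (not AIPWM's own code) shows the selection logic one table's disposal step would apply, run over constructed in-memory rows so it can be exercised without a database; column and log field names follow 10.2 and 11.1, and the 30-day grace period follows 6.2.

```javascript
// Added example (not AIPWM code): decide, for one table, which rows the daily
// disposal job may act on, honouring the grace period and legal holds, and
// produce the disposal_log entries for the run. Pure function: no DB access.
const GRACE_DAYS = 30;
const DAY_MS = 24 * 60 * 60 * 1000;

function planDisposal(tableName, rows, now, executedBy = 'system') {
  const graceCutoff = new Date(now.getTime() - GRACE_DAYS * DAY_MS);
  const toSoftDelete = [], toHardDelete = [], heldBack = [];
  for (const row of rows) {
    let action = null;
    if (row.deleted_at) {
      // Soft-deleted: hard delete only once the 30-day grace period has passed.
      if (row.deleted_at <= graceCutoff) action = 'hard';
    } else if (row.retention_expires_at && row.retention_expires_at <= now) {
      // Live row whose retention period has run out: start the grace period.
      action = 'soft';
    }
    if (!action) continue;
    // A compliance hold blocks automated deletion regardless of expiry.
    if (row.legal_hold) { heldBack.push(row.id); continue; }
    (action === 'hard' ? toHardDelete : toSoftDelete).push(row.id);
  }
  // One disposal_log row per disposal_type, matching the 11.1 schema.
  const entry = (type, ids) => ({
    table_name: tableName, record_count: ids.length, disposal_type: type,
    disposal_reason: 'retention_policy', executed_at: now, executed_by: executedBy,
  });
  const logEntries = [];
  if (toSoftDelete.length) logEntries.push(entry('soft_delete', toSoftDelete));
  if (toHardDelete.length) logEntries.push(entry('hard_delete', toHardDelete));
  return { toSoftDelete, toHardDelete, heldBack, logEntries };
}

// Constructed sample rows (not real data); run time is 02:00 UTC as in 10.1.
const NOW = new Date('2026-02-15T02:00:00Z');
const SAMPLE_ROWS = [
  { id: 'a1', deleted_at: new Date('2026-01-01T00:00:00Z'), retention_expires_at: null, legal_hold: false }, // past grace
  { id: 'a2', deleted_at: new Date('2026-02-10T00:00:00Z'), retention_expires_at: null, legal_hold: false }, // in grace
  { id: 'a3', deleted_at: new Date('2025-12-20T00:00:00Z'), retention_expires_at: null, legal_hold: true  }, // held
  { id: 'a4', deleted_at: null, retention_expires_at: new Date('2026-02-01T00:00:00Z'), legal_hold: false }, // expired
  { id: 'a5', deleted_at: null, retention_expires_at: new Date('2027-01-01T00:00:00Z'), legal_hold: false }, // current
  { id: 'a6', deleted_at: null, retention_expires_at: new Date('2026-01-01T00:00:00Z'), legal_hold: true  }, // held
];
```

The returned id lists map directly onto the parameterised `UPDATE ... SET deleted_at = NOW()` and `DELETE` statements in 6.2, and each `logEntries` item onto one `INSERT` into `disposal_log`.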
11.2 Compliance Reporting
Monthly report includes:
- Records disposed by category
- Records retained past standard period (with reason)
- Active legal holds
- User deletion requests processed
- Exceptions and anomalies
11.3 Annual Review
This policy is reviewed annually for:
- Regulatory changes
- New data categories
- Process improvements
- Incident learnings
12. Exceptions
12.1 Extended Retention
Data may be retained beyond standard periods for:
- Ongoing legal proceedings
- Regulatory examination
- Internal investigation
- User request (documented consent)
12.2 Early Deletion
Data may be deleted before retention period for:
- Erroneous or duplicate data
- Test/sandbox data
- Data quality issues (with documentation)
All exceptions require:
- Written justification
- Compliance approval
- Audit trail entry
13. Responsibilities
| Role | Responsibility |
|------|----------------|
| Engineering | Implement disposal automation, maintain schemas |
| Compliance | Review policy, approve exceptions, manage legal holds |
| Operations | Monitor disposal jobs, handle user requests |
| Security | Verify cryptographic erasure, audit access |
14. Related Documents
Revision History
| Version | Date | Author | Changes |
|---------|------|--------|---------|
| 1.0 | 2026-01-09 | AIPWM | Initial policy |
This policy is subject to change. Users will be notified of material changes via email.