Data Retention & Deletion Policy
Effective date: 12 June 2026 · Last updated: 12 June 2026 · Owner: Founder & Security Lead, BMRTECKBUSINESS LLC · Review cadence: at least annually
This policy explains what data BMRTECKBUSINESS LLC ("we") retains for the Piggy application ("the App"), how long we keep it, and how it is deleted. It is designed to comply with applicable data-protection laws (including GDPR and CCPA/CPRA) and the principle of data minimization.
1. Core principle: we retain as little as possible
We do not store users' bank transactions, balances, incomes, or expenses on our servers. That financial data is retrieved from our providers on demand and delivered to the user's device; it is not persisted in our database. As a result, there is very little sensitive financial data to retain or delete.
2. What we retain and for how long
| Data category | Stored? | Retention period |
|---|---|---|
| Bank transactions / balances / income / expenses | No — never persisted server-side | N/A |
| Online banking username / password | No — never seen by us | N/A |
| Bank access token / item ID (encrypted, AES-256-GCM) | Yes | Until the user disconnects the bank, deletes their account, or the subscription lapses — then deleted/revoked (see §3) |
| Institution name/ID & connection status | Yes | Same lifecycle as the connection; soft-deleted on disconnect |
| Account identifier (e.g. email / sign-in ID) | Yes | For the life of the account; deleted on account deletion (subject to §4) |
| Subscription / purchase events | Yes | For the life of the account plus the period required for financial/tax and dispute records |
| Device push tokens | Yes | Until the token becomes invalid or the user disables notifications / deletes the account |
| Server & access logs | Yes | Short operational window (e.g. up to 90 days), then deleted or rotated |
Specific timeframes may be adjusted to meet legal, tax, fraud-prevention, or accounting obligations.
3. Deletion triggers
User data is removed when any of the following occurs:
- User disconnects a bank — we call the provider's item-removal endpoint (e.g. Plaid /item/remove) to revoke access at the source, then soft-delete the connection record and its encrypted token locally.
- Subscription lapses or is cancelled/refunded — connections that require an active subscription are disconnected and removed via the same cascade.
- User deletes their account — we revoke all connections and delete associated personal data (subject to §4).
- Inactivity / safety cleanup — automated jobs disconnect and clean up stale connections.
4. Legal and operational holds
We may retain certain records for longer where required to:
- Comply with tax, accounting, and financial-record laws (typically purchase/subscription records);
- Resolve disputes, prevent fraud, or enforce our agreements;
- Meet other legal obligations.
Such retained data is minimized and access-restricted, and is deleted once the obligation ends.
5. How deletion is performed
- Credentials: the encrypted access token is deleted from the database and access is revoked at the provider, so it can no longer be used to retrieve data.
- Records: connection records are soft-deleted and then purged in line with this schedule.
- Backups: deleted data is removed from active systems immediately and ages out of backups according to the backup rotation cycle.
6. User rights
Users may request access to, correction of, or deletion of their personal data, and may disconnect any bank connection at any time directly in the App. Requests can also be sent to contact@bmrteck.com. See our Privacy Policy for the full list of rights.
7. Review
This policy is reviewed at least annually and updated when our data practices, providers, or legal obligations change.
Contact: contact@bmrteck.com · BMRTECKBUSINESS LLC