Data Retention Policy
Effective as of January 2025
This policy defines how long we retain different categories of data. It supports our Privacy Policy.
1. User Account Data
- Active account: Retained until account deletion
- Deleted account: PII anonymized; identifiers retained up to 7 years for legal/fraud prevention
- Email/password reset tokens: 24 hours / 1 hour (auto-expire)
2. Transaction & Financial Data
- Completed transactions, refunds, payouts: 7 years (tax, accounting, disputes)
3. Booking Data
- Booking records: 7 years
- Cancelled bookings: 3 years
4. Security & Audit
- Security logs: 90 days (up to 1 year for incidents)
- Admin activity logs: 1 year
- Consent logs: 7 years
5. Communications & Support
- Support tickets, contact forms: 2 years
For the full policy and exceptions, see the internal document docs/DATA_RETENTION_POLICY.md.