Data Retention and Disposal Policy
- Version: 1.0
- Effective: June 16, 2026
- Owner: Cajetan Rodrigues, sole developer and operator
- Review Cadence: Annually; on material change to data model or scope
1. Scope
Project Millionaire is a single-user, owner-operated personal net-worth tracking application. The sole data subject is the operator. This policy describes the categories of data retained, the periods for which they are retained, and the procedures by which they are disposed of.
2. Data categories and retention periods
| Category | Source | Retention |
|---|---|---|
| Encrypted Plaid access tokens | Plaid item-exchange response | Until the linked item is removed, or operator-initiated deletion |
| Account records (name, type, mask, balance) | /accounts/balance/get | Indefinite; until operator-initiated deletion |
| Holding records (security, quantity, value) | /investments/holdings/get | Indefinite; until operator-initiated deletion |
| Securities catalog (ticker, name, type) | Plaid securities response | Indefinite (shared reference data; no user identifiers) |
| Account balance snapshots | Application-generated, biweekly Thursdays, append-only | Indefinite; until operator-initiated deletion |
| Holding snapshots | Application-generated, biweekly Thursdays, append-only | Indefinite; until operator-initiated deletion |
| Manual asset / liability entries | User-supplied via dashboard | Indefinite; until operator-initiated deletion |
No transaction-level data is retained. No personally identifiable information beyond the operator's own Plaid-issued account metadata is collected.
3. Disposal procedures
3.1 Operator-initiated deletion
The application exposes an authenticated DELETE /api/plaid/items endpoint accessible only via a shared bearer token held by the operator. Invocation performs an immediate, irreversible hard-delete of:
- All Plaid items belonging to the operator
- Encrypted access tokens
- Account records linked to those items
- Holding records linked to those accounts
- All account-balance and holding snapshot rows tied to those accounts
Deletion uses SQL DELETE at the database layer. No soft-delete tombstones or recovery window exists for Plaid-sourced records.
3.2 Database-level disposal
The Postgres database is hosted on Neon. On project termination, Neon's standard disposal applies (full-disk wipe with encryption-key destruction). See Neon's published procedures at neon.tech/privacy-policy.
4. Backups
Neon performs automated database backups with point-in-time recovery within a 7-day window. Backups inherit the same access controls and encryption-at-rest as the live database. Operator-initiated deletion removes data from the live database immediately; the same data ages out of backups within the standard 7-day retention window, after which it is also disposed of.
5. Access controls
Only the operator has access to the production data. Enforcement:
- Neon database credentials require TLS 1.2+ with SCRAM channel binding
- All administrative dashboards (Render, Vercel, Neon, GitHub, Plaid) require multi-factor authentication
- Plaid access tokens are encrypted at rest with AES-128 (Fernet); decryption keys are held only in Render-managed environment variables, never in source control or logs
No third party other than Plaid (data source) and Neon (storage processor) has access to the data.
6. Review
This policy is reviewed:
- Annually
- Upon any material change to the application's data model or Plaid product set
- Upon any change to the application's user scope (e.g., admitting any third-party user)
Material updates are versioned, dated, and committed to the application's source repository.
7. Contact
Cajetan Rodrigues
cajetanrodrigues88@gmail.com