Data Retention and Disposal Policy
1. Purpose
This policy defines how Mali collects, retains, and disposes of user data, including financial data retrieved from Plaid and other sources, in compliance with applicable data privacy laws (CCPA, GDPR where applicable).
2. Data We Collect
| Data Type | Source | Storage Location |
|---|---|---|
| Authentication identity (name, email) | Google Sign-In | Firebase Auth |
| Chat conversation history | User-generated | Firebase Firestore (per-user isolation) |
| Uploaded financial documents (extracted text) | User upload | AES-256-GCM encrypted blob in Firestore + local IndexedDB |
| Bank transaction data | Plaid API | AES-256-GCM encrypted blob in Firestore + local IndexedDB |
| Subscription status | Stripe | Firebase Firestore |
| Usage counters | System-generated | Firebase Firestore |
3. Retention Periods
| Data Type | Retention Period | Basis |
|---|---|---|
| Authentication identity | Duration of account + 30 days after deletion | Service delivery |
| Conversation history | Duration of account; user can clear at any time | Service delivery / user control |
| Uploaded financial documents | Duration of account; user can delete at any time | Service delivery / user control |
| Plaid transaction data | Duration of active Plaid connection; deleted on disconnect | Service delivery / user control |
| Encrypted vault blob | Duration of account; deleted on account deletion | Service delivery |
| Subscription/billing records | 7 years | Legal / tax compliance |
| Audit logs | 12 months | Security / compliance |
4. User-Initiated Deletion
Users may delete all their data at any time via Settings → "Delete all my data." This action permanently removes:
- All conversation history from Firestore
- All uploaded document content and encrypted vault blobs
- All Plaid connection credentials and retrieved transaction data
- Usage counters and subscription metadata
Deletion is executed immediately and is irreversible. Billing records are retained per Section 3.
5. Automated Disposal
- Plaid access tokens are revoked and deleted upon user disconnection of a bank account.
- Inactive accounts (no login for 24 months) are flagged for deletion review.
- Audit logs are purged after 12 months via automated Firestore TTL rules.
6. Encryption and Disposal Method
All financial data (uploaded documents and Plaid transaction data) is encrypted client-side using AES-256-GCM before storage. Upon deletion, both the encrypted blob and the PBKDF2 salt used for key derivation are deleted, rendering any residual data cryptographically unrecoverable.
7. Third-Party Data Processors
| Processor | Purpose | Data Shared |
|---|---|---|
| Google Firebase / GCP | Infrastructure, auth, database | Encrypted blobs, auth tokens |
| xAI (Grok) | Primary AI chat and voice processing | Decrypted financial context (per-request, not stored) |
| OpenAI | Standby fallback AI text-chat processing | Decrypted financial context (per-request, not stored) |
| Plaid | Bank account connectivity | User-authorized bank data |
| Stripe | Payment processing | Billing information |
8. Policy Review
This policy is reviewed annually and updated as required by changes in applicable law or business practices. Users are notified of material changes via email or in-app notice.
9. Contact
For data deletion requests or questions: privacy@toddbsmith.com