Data Governance
Data Retention & Disposal
Effective date: March 15, 2026. This policy describes how Douglas Peters Bookkeeping retains, reviews, deletes, and disposes of financial and operational data.
Scope
This policy applies to Plaid-sourced account and transaction data, bookkeeping records derived from that data, logs and operational metadata, credentials and tokens, backups, and exported records.
Retention Principles
Data is retained only for legitimate operational, bookkeeping, reporting, security, and legal purposes. Unnecessary duplication of raw consumer financial data should be avoided where practical.
Operational Data
Account and transaction data may be retained as long as required to support bookkeeping, reconciliation, reporting, and related recordkeeping. Derived bookkeeping records may be retained longer when needed for tax, accounting, audit, or business record obligations.
Secrets and Credentials
API keys, tokens, and other credentials must be revoked and rotated when no longer needed, after suspected compromise, or after material access changes. Sensitive credentials are not intended to be stored in source control.
Disconnects and Deletion Requests
If connected account access is revoked or, where applicable, a deletion request is made, unnecessary retained data should be deleted or de-identified unless retention is required for legitimate legal, security, tax, or bookkeeping obligations.
Backups and Disposal
Backups are retained only as needed for recovery and business continuity. Expired backups should be securely deleted or allowed to expire through provider retention controls, and obsolete data should be removed from application-managed or provider-managed storage as appropriate.