Data Retention Policy
This policy describes how long IBC Tool keeps your data, how we delete it when you ask, and where the limits of "deletion" are. We have written it to be specific. If you only have a minute, the short version is: we keep your data while your account is active, we delete it on request, and our hosting providers' backup retention windows are the only thing that legitimately delays a full erase.
1. Active accounts
While your account is active, we retain everything needed to operate it — your account information, your policies, snapshots, loans and payments, PUA contributions, budget categories, allocations, uploaded documents, and the third-party tokens you have authorized. We don't time-bomb data while you are using the service; an envelope of historical snapshots is the value of the tool.
2. Account deletion
You can delete your account at any time from the settings page in the app. The flow asks you to retype your email address and re-enter your current password before proceeding. Once you confirm, IBC Tool removes:
- Your user record, including account information, encrypted third-party integration tokens, and active sessions.
- Every policy on your account, along with its snapshots, loans, payments, PUA contributions, and uploaded documents.
- Your budget categories and monthly allocations.
- Provider identifiers we held for any third-party integrations you authorized.
The deletion runs immediately. Database rows are removed in the same request that handled the confirmation; uploaded documents are queued for purge from object storage as part of the same destroy. Backup snapshots roll forward as described in section 4 — copies in those snapshots age out on the hosting provider's standard window.
If you cannot reach the settings page — for example, if you have lost access to your account — email privacy@ibctool.app from your account address and we will run the same deletion on your behalf within thirty days.
3. Retention by data category
The table below describes what we keep while you are active and what happens when you delete your account. "After deletion" reflects the end-state once the in-app destroy described in section 2 has run.
| Category | While active | After deletion |
|---|---|---|
| Account info (email, name, timezone, password hash) | Retained | Deleted from primary database; aged out of backups on the hosting backup window |
| Policies, snapshots, loans, payments, PUA contributions, budgets, allocations | Retained | Deleted from primary database; aged out of backups on the hosting backup window |
| Uploaded documents (PDFs) | Retained until you delete the document or close your account | Deleted from object storage; aged out of object-storage versioning if enabled |
| Third-party integration tokens and provider identifiers (encrypted at rest) | Retained while the integration is connected | Deleted on disconnect or account deletion, whichever is sooner |
| Auth sessions, password-reset tokens | Sessions: retained until you sign out or they expire. Reset tokens: 15 minutes | Deleted with account |
| Application logs (request metadata, IP, error traces) | Per the hosting platform's default retention | Aged out on the same window |
| Email records (password resets, service notices) | Headers and delivery metadata per the email provider's default retention, used for abuse prevention | Aged out on the same window |
| Waitlist entries (pre-signup) | Retained until you create an account or ask us to remove you | Deleted on request |
4. Backups
Our PostgreSQL database is backed up by our hosting provider on the provider's default schedule. Backup snapshots are encrypted at rest and are retained for the provider's standard window. When we delete your data from the live database, copies may persist in those backup snapshots until they age out. We do not selectively edit backup snapshots; we let them roll forward. If a restore from backup ever becomes necessary, we re-apply pending deletion requests after the restore completes so that data you asked us to delete is not silently revived.
Object storage for uploaded documents may use versioning depending on configuration. Where versioning is enabled, deleted versions age out on the storage provider's schedule.
5. Third-party connections
When you disconnect a third-party integration, or when you delete your account, we delete the corresponding access tokens and provider identifiers from our systems immediately. Data those services already returned and that we have stored in your account (transactions, budgets, and the like) is treated as your account data: kept while your account is active, deleted with the rest of your account.
We do not control retention inside the third-party service itself. Each service maintains its own data lifecycle. To delete data within a connected service, follow that service's own process; we are happy to help you find the right path.
6. Anonymized aggregates
We may keep de-identified aggregate metrics — for example, the total number of accounts and other operational or product-quality statistics that cannot be linked back to you. These are used to operate and improve the service and do not contain personal data. We retain aggregates indefinitely.
7. Legal holds
If we are required by law to preserve specific records — for example, in response to a subpoena or a regulatory inquiry — we may retain those records beyond the windows in this policy until the obligation ends. If a legal hold affects you and we are permitted to tell you, we will.
8. Roadmap
One improvement to this policy is on the near roadmap:
- Self-serve data export. A way to download a machine-readable copy of your account data without contacting us first.
We will update this policy when it ships.
9. Contact
Deletion requests, retention questions, or anything else covered here can go to privacy@ibctool.app. Postal mail reaches us at {{LEGAL_ENTITY_NAME}}, {{CONTACT_ADDRESS}}.