Data Retention and Disposal Policy

Effective Date: April 14, 2026 | Organization: Flayr LLC (BigBux)

This Data Retention and Disposal Policy establishes the protocols Flayr LLC enforces regarding the lifecycle of consumer data collected, processed, and stored within the BigBux application. This policy applies to all infrastructure, including Google Cloud (Firestore/Firebase Authentication) and our Plaid integration.

1. Data Retention Schedule

        Active Accounts: Consumer data, including encrypted financial transactions and connected institution metadata, is retained only as long as the user maintains an active account to fulfill the core budgeting and net-worth tracking services.
    

Financial Data: Transaction history, account balances, and daily net-worth summaries are retained continuously while the account is active.
Authentication Data: Email addresses and secure authentication identifiers are retained until the user explicitly revokes access or deletes their account.
System Logs: Non-personally identifiable server logs (e.g., webhook triggers) are retained for a maximum of 90 days for security auditing and diagnostic purposes before automated deletion.

2. Data Disposal and Deletion Mechanisms

Flayr LLC enforces a strict programmatic deletion policy utilizing our Firebase backend infrastructure.

User-Initiated Deletion: Users have direct access to a "Delete Account" function within the Profile View of the BigBux iOS application. Initiating this action immediately revokes the user's active session.
Plaid Token Revocation: Upon account deletion, the system is programmed to sever the connection with Plaid. All `access_tokens` and `item_ids` stored in our secure backend architecture are permanently purged.
Firestore Record Eradication: The deletion protocol systematically removes the user's core document and all nested collections (including `transactions`, `accounts`, and `daily_summaries`) from the Firestore database.

3. Disposal Timeframe

Once a deletion request is executed by the consumer, all active database records are wiped immediately. Complete data eradication, including removal from encrypted cloud backups and disaster recovery snapshots, is guaranteed to conclude within 30 days of the initial request.

4. Policy Enforcement and Review

This Data Retention and Disposal Policy is strictly enforced by the Flayr LLC engineering team. The policy and its associated programmatic mechanisms are reviewed annually to ensure sustained compliance with all applicable state and federal data privacy laws, as well as third-party vendor security requirements.

5. Contact Information

For inquiries regarding data retention schedules or to manually request data disposal, contact the Flayr LLC Data Privacy Officer at flayr.data@gmail.com.