Compliance
Data Retention Policy
We keep personal data only as long as it is needed for the purpose it was collected, and no longer than legal obligations require. This page describes how long each category of data is retained, why, and what happens to it after the retention period. Last updated 2026-04-25.
Principles
- Purpose limitation. Data collected for one purpose is not retained for unrelated purposes.
- Storage limitation. When the purpose ends, the data is deleted, anonymised, or aggregated.
- Legal carve-outs. Where law requires us to keep records (e.g. tax records for 7 years), we retain only the minimum needed and we tell the data subject if they ask.
- Customer-controlled erasure. Studios can anonymise any customer record on request through the admin panel; tickets, payments and finance entries are preserved without identifying information.
Retention table
| Category | Examples | Retention | What happens after | Legal basis |
|---|---|---|---|---|
| Active customer profile | Name, email, phone, address, DOB, ID image, driver’s licence number, notes | Duration of the studio’s subscription + 30 days | Anonymised on the studio’s instruction (GDPR Art. 17 / CCPA delete) or at end of wind-down. Tickets and finance records remain without PII for accounting compliance. | Performance of contract |
| Appointment & ticket records | Ticket number, service, price, deposit, payment type, status, sessions, photos uploaded by the studio | 7 years from ticket completion or cancellation | Deleted in next quarterly purge cycle. | US/EU accounting and tax law |
| Financial records | Payments, refunds, expenses, payroll, commission entries, organisation ledger | 7 years from end of the relevant tax year | Deleted after retention period; cannot be deleted on data subject request before then. | Accounting and tax law |
| Signed waivers (in-app) | Customer signature, waiver template snapshot, health-screening answers, ID image | 7 years from signature | Deleted automatically. | Statute of limitations for bodily-injury claims; legitimate interest in claim defence |
| Imported waivers (Google Drive) | Waiver PDFs synced from a studio’s own Drive folder | Mirror of the studio’s Drive retention; 30 days after subscription ends | Local copy deleted; original remains in studio’s Drive. | Performance of contract |
| Staff account data | Username, hashed password, email, 2FA secret (encrypted), role assignments | Duration of employment as recorded by the studio + 30 days after deactivation | Account anonymised; audit-log references retained for compliance. | Performance of contract |
| Audit log | Actor, resource, action, before/after, IP, user-agent, timestamp | 3 years rolling | Entries older than 3 years are purged in a quarterly maintenance job. | GDPR Art. 5(2) accountability principle; CCPA record-keeping; legitimate interest |
| SMS logs | Phone number, message body, delivery status, timestamp | 12 months | Purged in a monthly maintenance job. | Performance of contract; legitimate interest in deliverability troubleshooting |
| Email delivery logs (AWS SES) | Recipient, subject, status, timestamp | 90 days (held by AWS SES) | Purged by AWS automatically. | Performance of contract |
| Application logs | Request paths, status codes, error stacks, anonymised IP | 30 days | Rotated and deleted. | Legitimate interest in security and operations |
| Backups | Encrypted nightly Postgres snapshots, R2 object versioning | 30 days rolling | Oldest snapshot is overwritten daily. | Legitimate interest in disaster recovery |
| Marketing-site visitor data | Anonymised page-view counts via privacy-friendly analytics; no third-party tracking cookies | 13 months | Aggregated; raw data purged. | Legitimate interest in measuring product fit |
Deletion mechanics
- On-demand erasure. Studio admins can anonymise individual customers in one click from the customer detail screen. PII fields are overwritten; tickets and finance records remain with anonymous references.
- End of subscription. When a studio cancels, raw data export is available for 30 days. After 30 days the entire tenant is anonymised; financial records are retained as required by law.
- Scheduled purges. Quarterly cron jobs delete audit-log entries older than 3 years and waiver records past their retention. SMS logs purge monthly. Application logs rotate every 30 days.
- Backups. Backups follow a rolling 30-day window. A deletion request is reflected in production immediately; the data persists in backups for at most 30 more days, then is overwritten.
Exceptions
Data may be retained beyond the periods above only when (a) there is an active legal hold, (b) the data is required to defend a legal claim, or (c) the data subject has given specific consent for longer retention. Any such exception is documented in the audit log and removed when no longer necessary.
Contact
Wenlar LLC
30 N Gould St, STE R
Sheridan, WY 82801, United States
Retention questions or requests: [email protected].