Compliance

Data Retention Policy

We keep personal data only as long as it is needed for the purpose it was collected, and no longer than legal obligations require. This page describes how long each category of data is retained, why, and what happens to it after the retention period. Last updated 2026-04-25.

Principles

  • Purpose limitation. Data collected for one purpose is not retained for unrelated purposes.
  • Storage limitation. When the purpose ends, the data is deleted, anonymised, or aggregated.
  • Legal carve-outs. Where law requires us to keep records (e.g. tax records for 7 years), we retain only the minimum needed and we tell the data subject if they ask.
  • Customer-controlled erasure. Studios can anonymise any customer record on request through the admin panel; tickets, payments and finance entries are preserved without identifying information.

Retention table

CategoryExamplesRetentionWhat happens afterLegal basis
Active customer profileName, email, phone, address, DOB, ID image, driver’s licence number, notesDuration of the studio’s subscription + 30 daysAnonymised on the studio’s instruction (GDPR Art. 17 / CCPA delete) or at end of wind-down. Tickets and finance records remain without PII for accounting compliance.Performance of contract
Appointment & ticket recordsTicket number, service, price, deposit, payment type, status, sessions, photos uploaded by the studio7 years from ticket completion or cancellationDeleted in next quarterly purge cycle.US/EU accounting and tax law
Financial recordsPayments, refunds, expenses, payroll, commission entries, organisation ledger7 years from end of the relevant tax yearDeleted after retention period; cannot be deleted on data subject request before then.Accounting and tax law
Signed waivers (in-app)Customer signature, waiver template snapshot, health-screening answers, ID image7 years from signatureDeleted automatically.Statute of limitations for bodily-injury claims; legitimate interest in claim defence
Imported waivers (Google Drive)Waiver PDFs synced from a studio’s own Drive folderMirror of the studio’s Drive retention; 30 days after subscription endsLocal copy deleted; original remains in studio’s Drive.Performance of contract
Staff account dataUsername, hashed password, email, 2FA secret (encrypted), role assignmentsDuration of employment as recorded by the studio + 30 days after deactivationAccount anonymised; audit-log references retained for compliance.Performance of contract
Audit logActor, resource, action, before/after, IP, user-agent, timestamp3 years rollingEntries older than 3 years are purged in a quarterly maintenance job.GDPR Art. 5(2) accountability principle; CCPA record-keeping; legitimate interest
SMS logsPhone number, message body, delivery status, timestamp12 monthsPurged in a monthly maintenance job.Performance of contract; legitimate interest in deliverability troubleshooting
Email delivery logs (AWS SES)Recipient, subject, status, timestamp90 days (held by AWS SES)Purged by AWS automatically.Performance of contract
Application logsRequest paths, status codes, error stacks, anonymised IP30 daysRotated and deleted.Legitimate interest in security and operations
BackupsEncrypted nightly Postgres snapshots, R2 object versioning30 days rollingOldest snapshot is overwritten daily.Legitimate interest in disaster recovery
Marketing-site visitor dataAnonymised page-view counts via privacy-friendly analytics; no third-party tracking cookies13 monthsAggregated; raw data purged.Legitimate interest in measuring product fit

Deletion mechanics

  • On-demand erasure. Studio admins can anonymise individual customers in one click from the customer detail screen. PII fields are overwritten; tickets and finance records remain with anonymous references.
  • End of subscription. When a studio cancels, raw data export is available for 30 days. After 30 days the entire tenant is anonymised; financial records are retained as required by law.
  • Scheduled purges. Quarterly cron jobs delete audit-log entries older than 3 years and waiver records past their retention. SMS logs purge monthly. Application logs rotate every 30 days.
  • Backups. Backups follow a rolling 30-day window. A deletion request is reflected in production immediately; the data persists in backups for at most 30 more days, then is overwritten.

Exceptions

Data may be retained beyond the periods above only when (a) there is an active legal hold, (b) the data is required to defend a legal claim, or (c) the data subject has given specific consent for longer retention. Any such exception is documented in the audit log and removed when no longer necessary.

Contact

Wenlar LLC
30 N Gould St, STE R
Sheridan, WY 82801, United States
Retention questions or requests: [email protected].