Data Retention Policy

1. General Principles

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. When data is no longer needed, it is securely deleted or anonymized. We apply the principle of data minimization — we do not collect or retain more data than is strictly necessary for the operation of the Service.

2. Account Data

• Active accounts: Data is retained for the entire duration of your Subscription.
• After account closure: Personal data (name, email, phone, company) is deleted within 30 days of account closure, unless a longer retention period is required by law.
• Inactive accounts: Accounts with no login activity for 24 months will receive a reactivation notice. If no action is taken within 30 days, the account and associated data will be permanently deleted.
• Free trial accounts that are not converted to paid subscriptions are deleted 90 days after the trial expires.

3. Financial Data

• Transaction records (expenses, income, transfers): Retained for the duration of the active account plus 30 days for data export after account closure.
• Invoices and billing documents: Retained for 10 years after the end of the fiscal year in which they were issued, as required by Bulgarian commercial and tax law (Article 38 of the Accountancy Act, Article 112 of the VAT Act).
• Payroll records: Retained for 50 years as required by Bulgarian social security legislation for pension and social insurance purposes.
• Uploaded documents and receipts: Retained for the duration of the active account. Deleted within 30 days of account closure unless linked to invoices or payroll records requiring longer retention.

4. Technical and Usage Data

• Server access logs (IP addresses, request data): Retained for 12 months, then permanently deleted.
• Error logs and debugging data: Retained for 6 months.
• Analytics data: Aggregated and anonymized within 30 days of collection. Anonymized data may be retained indefinitely as it cannot identify individuals.
• Session tokens and authentication logs: Automatically expire and are deleted according to their configured lifetime (maximum 10 hours for access tokens, 7 days for refresh tokens).

5. Communication Data

• Customer support tickets and correspondence: Retained for 3 years after resolution for quality assurance and dispute resolution purposes.
• Email marketing data: Retained until you unsubscribe. After unsubscription, your email is moved to a suppression list (retained indefinitely to prevent re-subscription) while all other marketing data is deleted within 30 days.
• Feedback and survey responses: Anonymized within 12 months and retained as aggregated data.

6. Backup and Disaster Recovery

We maintain encrypted backups for disaster recovery purposes. Backups are retained for a maximum of 30 days on a rolling basis. When data is deleted from production systems, it is also purged from backups within the 30-day backup rotation cycle. All backups are stored within the European Union and are subject to the same security measures as production data.

7. Data Deletion Methods

When data reaches the end of its retention period, we apply the following deletion methods: digital records are permanently erased using secure deletion methods that prevent recovery; database records are hard-deleted (not soft-deleted) from all production systems; file attachments are permanently removed from storage; anonymization is used where complete deletion is not possible due to data integrity requirements — all personally identifiable information is irreversibly removed.

8. Your Rights Regarding Data Retention

Under GDPR, you have the right to: request information about how long your specific data categories are retained; request early deletion of your data (subject to legal retention requirements that may override your request); export all your data in machine-readable format (CSV/JSON) at any time through the Service; request restriction of processing while a deletion request is being evaluated. Legal retention obligations (tax, accounting, social security) take precedence over deletion requests. We will inform you if a deletion request cannot be fully fulfilled and explain the legal basis for continued retention.

9. Retention Schedule Summary

10. Changes to This Policy

We may update this Data Retention Policy from time to time. Material changes will be communicated via email or a prominent notice at least 30 days before they take effect.

11. Contact

For questions about data retention or to exercise your rights regarding your stored data, contact us at: