Data Retention & Disposal Policy
Bella collects and processes data on behalf of the salons we serve and their guests. This policy defines how long each category of data is retained, how it is securely disposed of, and who is responsible. It applies to all production systems Bella operates (application servers, databases, object storage, backups, log archives) and all third-party processors we use.
1. Scope
This policy covers personal data, financial data, and operational data processed by Bella, including:
- Tenant business data — company profile, owner contact, billing contact, subscription state.
- Tenant user accounts — staff logins, role assignments, permissions, MFA secrets.
- Guest / client records — salon clients' names, contact information, appointment history, TCPA consent state.
- Financial data — bank transactions ingested via Plaid, QuickBooks Online entries proposed and posted by Bella, expense classifications, deposits.
- Integration credentials — encrypted OAuth tokens for QuickBooks Online, Plaid access tokens, third-party API keys.
- Audit and provenance records — every state change to financial and account data, who made it, when, and why.
- Messaging records — outbound SMS / voice / email content, delivery state, recipient phone numbers, consent records.
- Logs and telemetry — application logs, request logs, error reports, security events.
- Backups — database snapshots, object-storage replicas.
2. Retention Periods by Data Category
Retention is measured from the date the data is no longer needed for the purpose for which it was collected (typically the end of an active subscription or revocation of consent). Where a regulation requires a longer retention period than our default, the regulatory period prevails.
2.1 While the subscription is active
- All tenant data is retained for the duration of the active subscription so the platform can deliver service.
- Audit and provenance records are written append-only and never modified. They are read-only after the originating event.
2.2 After cancellation or account closure
- Primary storage: 30 days. During this window, the OWNER may request a full export of all tenant data at no cost.
- Backups and replicas: aged out within 90 days of the primary deletion.
- Audit log and provenance entries: retained for 7 years after the originating event to support tax-record retention obligations (IRS Publication 583) and Sarbanes-Oxley-style traceability of financial mutations Bella made on behalf of the tenant. These entries do not include personal contact information beyond the user_id of the actor; they reference data that has otherwise been deleted.
- Encrypted integration tokens: revoked at the upstream provider (Intuit, Plaid) within 24 hours of disconnect, and the encrypted ciphertext is deleted from primary storage. Backup ciphertext ages out per the backup retention schedule.
- Plaid-sourced bank transaction data: on disconnect, ingested transactions are deleted from primary storage within 30 days. On Plaid consent expiration or user-initiated revocation, Bella instructs Plaid to remove the Item, stops further sync, and deletes the local transaction copy on the same 30-day window. Where Plaid's contractual requirements specify a shorter window for deletion of Plaid-sourced data, the contractual window prevails.
2.3 Specific regulatory retention
- TCPA consent records: 4 years from the date consent was last revoked, per FCC TCPA recordkeeping guidance.
- Tax and financial source documents (bank statements ingested, QBO entities posted by Bella, expense classifications): 7 years from the close of the calendar year, per IRS guidance for business financial records.
- Authentication logs (login attempts, MFA events, session issuance): 1 year for live tenants, retained per audit retention rules after cancellation.
- Security incident records: 5 years from incident closure.
2.4 Logs and telemetry
- Application logs: 30 days hot, 90 days cold archive, then deleted.
- Request logs (nginx, application access): 30 days, then deleted.
- Error reports and crash dumps: 90 days, then deleted.
3. Disposal Methods
- Primary database: hard DELETE statements with cascading foreign keys. Disposal is verified by a post-deletion query confirming zero rows match the tenant_id.
- Encrypted columns: on disposal, the encrypted column value is hard-deleted from primary storage; backup ciphertext ages out on the standard backup retention schedule. Tenant-scoped key derivation and cryptographic shredding via per-tenant key rotation are on the SOC 2 readiness roadmap; once implemented, key rotation will be the additional disposal mechanism within 90 days of tenant disposal.
- Backups: backups are encrypted at rest and age out automatically per the backup retention schedule. There is no manual restore path that resurrects data older than the live retention window.
- Object storage (file uploads, generated exports, PDF / CSV / ZIP audit packs): explicit DELETE on the storage object. Versioning is disabled for personal-data buckets.
- Logs: log rotation enforces age-out. Archived logs are permanently deleted at the end of the retention window.
- Physical media: not applicable. Bella operates exclusively on cloud infrastructure.
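The hard-delete-and-verify step described for the primary database, as an added example that is not Bella's own code: it runs against an in-memory SQLite database with a constructed schema (tenants, users, clients cascading from the tenant row; audit_log deliberately without a cascade, since audit entries are retained), and also shows the post-deletion verification catching a database where cascades are not enforced.

```python
import sqlite3
# Constructed schema standing in for Bella's: personal-data tables cascade from
# tenants; audit_log has no cascade because audit entries outlive the tenant.
SCHEMA = """
CREATE TABLE tenants (tenant_id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE users (user_id INTEGER PRIMARY KEY, email TEXT,
    tenant_id INTEGER NOT NULL REFERENCES tenants(tenant_id) ON DELETE CASCADE);
CREATE TABLE clients (client_id INTEGER PRIMARY KEY, phone TEXT,
    tenant_id INTEGER NOT NULL REFERENCES tenants(tenant_id) ON DELETE CASCADE);
CREATE TABLE audit_log (id INTEGER PRIMARY KEY, tenant_id INTEGER NOT NULL,
    actor_user_id INTEGER NOT NULL, action TEXT, occurred_at TEXT);
"""
# Fixed allow-list of tables the verification query walks (never user input).
PERSONAL_DATA_TABLES = ("tenants", "users", "clients")

def open_db(enforce_fk=True):
    conn = sqlite3.connect(":memory:")
    # SQLite ignores ON DELETE CASCADE unless foreign keys are switched on;
    # enforce_fk=False models a misconfigured database so the check can catch it.
    conn.execute(f"PRAGMA foreign_keys = {'ON' if enforce_fk else 'OFF'}")
    conn.executescript(SCHEMA)
    return conn

def seed_tenant(conn, tenant_id):
    """Insert constructed sample rows for one tenant (values are made up)."""
    conn.execute("INSERT INTO tenants VALUES (?, ?)", (tenant_id, "Demo Salon"))
    conn.execute("INSERT INTO users (email, tenant_id) VALUES (?, ?)",
                 ("owner@example.invalid", tenant_id))
    conn.execute("INSERT INTO clients (phone, tenant_id) VALUES (?, ?)",
                 ("+15555550100", tenant_id))
    conn.execute("INSERT INTO audit_log (tenant_id, actor_user_id, action, occurred_at)"
                 " VALUES (?, ?, ?, ?)", (tenant_id, 1, "qbo.entry.post", "2024-01-01T00:00:00Z"))
    conn.commit()

def dispose_tenant(conn, tenant_id):
    """Hard DELETE of the tenant row; the cascade removes its dependent personal data."""
    conn.execute("DELETE FROM tenants WHERE tenant_id = ?", (tenant_id,))
    conn.commit()

def verify_disposed(conn, tenant_id):
    """Post-deletion query: rows still matching tenant_id per table (all must be 0)."""
    return {t: conn.execute(f"SELECT COUNT(*) FROM {t} WHERE tenant_id = ?",
                            (tenant_id,)).fetchone()[0] for t in PERSONAL_DATA_TABLES}

def audit_rows(conn, tenant_id):
    """Audit entries are retained for 7 years, so this count must survive disposal."""
    return conn.execute("SELECT COUNT(*) FROM audit_log WHERE tenant_id = ?",
                        (tenant_id,)).fetchone()[0]
```

A non-zero count from `verify_disposed` is exactly the "failed deletion" deviation that section 6 escalates; it is the check, not the DELETE, that proves disposal.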
4. Exceptions
Data otherwise subject to deletion will be retained beyond the standard retention period in the following cases:
- Legal hold: on receipt of a written legal hold notice from counsel, the affected data is excluded from automated deletion until the hold is lifted.
- Active dispute or chargeback: transactional and audit data tied to an active billing dispute is preserved through resolution plus 90 days.
- Regulatory or contractual obligation: any data we are required to retain by statute, contract, or regulator order is kept for the required period, even after a deletion request.
- Aggregated and anonymized data: data that has been irreversibly aggregated or anonymized so it no longer identifies any individual or tenant is outside the scope of this policy.
5. User Rights and Requests
Depending on your jurisdiction, you may have rights to access, correct, port, or delete your data under GDPR, CCPA / CPRA, or similar laws.
- OWNER-role users can initiate a full tenant data export from Settings → Integrations → Offboarding at any time, including while still an active customer.
- End users (salon guests whose data is processed by a tenant) should direct rights requests to the tenant they have a relationship with. We will assist any tenant fulfilling such a request.
- All other requests may be sent to [email protected]. We respond within 30 days.
6. Roles and Responsibilities
- Policy owner: Bella platform engineering lead.
- Operational enforcement: automated retention jobs run on a scheduled cron. Quarterly verification confirms each job is healthy and is meeting its retention target.
- Annual review: the platform engineering lead reviews this policy at least once per calendar year and on any material change to applicable data privacy law (GDPR amendments, CPRA expansion, new state privacy laws). Updates are committed to version control alongside the corresponding code changes.
- Incident escalation: any deviation from this policy — failed deletion, retention mismatch, unauthorized access — triggers a SEV1 incident review and is logged in the security incident record.
7. Contact
Questions about this policy or about how a specific category of data is handled can be sent to [email protected].