Data Retention and Disposal Policy

1. Purpose

This Data Retention and Disposal Policy defines how Summer Slice LLC retains, archives, and securely disposes of data processed through OurBarakah and Zaqat (collectively, the "Service"). The purpose is to ensure data is kept only as long as necessary for business, legal, security, and contractual requirements, including obligations related to Plaid integrations.

2. Scope

This policy applies to:

• All Summer Slice LLC personnel and authorized third parties handling Service data.
• All systems and environments storing or processing Service data (production and non-production).
• All data categories, including customer records, financial/account metadata, authentication data, application logs, support records, and backups.

3. Policy Principles

Summer Slice LLC follows these retention and disposal principles:

• Data Minimization: Retain only data required for legitimate business, legal, security, and operational purposes.
• Retention by Purpose: Define retention periods by data category and use case.
• Secure Disposal: Permanently delete or de-identify data when retention periods expire and no legal hold applies.
• Controlled Access: Limit access to retained data according to least privilege.
• Traceability: Maintain records of retention decisions and disposal actions where feasible.

4. Data Categories and Retention Standards

Retention periods may vary based on legal, regulatory, contractual, and operational requirements. Unless stricter requirements apply, the following baseline standards are used:

• Customer Account Profile Data: Retained while account is active and for up to 24 months after account closure or deletion request completion, unless a longer period is legally required.
• Financial and Transaction-Related Data: Retained while needed to provide services and for audit/support needs, typically 24 to 84 months depending on business and legal obligations.
• Authentication and Security Logs: Retained for security monitoring and incident investigation, generally 12 to 24 months unless extended for investigations.
• Application/Operational Logs: Retained for troubleshooting and reliability needs, generally 3 to 12 months.
• Support and Communications Records: Retained for customer support, dispute handling, and quality assurance, generally 24 to 36 months.
• Backups and Snapshots: Retained according to backup lifecycle settings and overwritten or deleted on scheduled rotation.

When multiple retention requirements apply, the longest valid requirement governs.

5. Retention Triggers

Retention periods are measured from one or more of the following events, as applicable:

• Date of data creation or collection.
• Date of customer account closure or inactivity threshold.
• Date a support ticket, investigation, or dispute is resolved.
• End of contractual relationship with a customer or partner.

6. Legal Hold and Investigation Hold

• If litigation, regulatory inquiry, audit, or investigation is pending or reasonably anticipated, relevant data may be placed on legal hold.
• Data under hold is preserved beyond normal retention schedules until release is authorized.
• Legal hold decisions are coordinated by authorized leadership and documented.

7. Data Disposal and Deletion Methods

Summer Slice LLC uses secure disposal methods appropriate to data type and storage medium:

• Logical Deletion: Removal from active systems and user-accessible interfaces.
• Cryptographic/Provider-Supported Deletion: Use of platform and cloud-provider controls for secure removal where available.
• Backup Expiration: Data in backups is removed through scheduled rotation and lifecycle expiration.
• De-Identification: Where deletion is not immediately feasible, data is de-identified or anonymized when suitable.

Disposal methods are designed to prevent unauthorized recovery of sensitive data.

8. Customer Requests and Account Deletion

• Summer Slice LLC supports customer data deletion requests in accordance with applicable law and contractual commitments.
• Data required for legal, fraud prevention, security, tax, accounting, or dispute-resolution purposes may be retained for the required duration.
• Upon completion, customer-accessible data is removed from active systems, with residual copies removed through backup lifecycle expiration.

9. Third-Party and Vendor Data Handling

• Vendors that process or store Service data are expected to support retention and deletion obligations contractually.
• Data shared with third parties is limited to approved purposes and subject to confidentiality/security controls.
• Vendor offboarding includes data return or deletion confirmations where applicable.

10. Monitoring, Validation, and Evidence

• Retention and deletion controls are reviewed periodically by responsible personnel.
• Where feasible, deletion events, lifecycle jobs, and administrative actions are logged.
• Exceptions and control failures are tracked and remediated in a timely manner.

11. Policy Maintenance

This policy is reviewed at least annually and updated as needed to reflect legal/regulatory obligations, contractual commitments, and operational changes.