Data Retention and Deletion Policy
Owner: Fluent Terrain LLC Security and Engineering. Effective: May 11, 2026. Last updated: May 18, 2026.
This policy is the authoritative retention schedule for GlacialBooks customer account, bookkeeping, financial provider, support, security, backup, and audit data.
Retention principles
GlacialBooks keeps financial records long enough to support bookkeeping, audit proof, tax review, payment disputes, fraud investigation, and customer export needs. The values below are the operating source of truth for the product unless a written legal hold overrides them.
Deletion request handling
A self-service account deletion request starts a fixed 30-calendar-day grace period. The request can be cancelled from account settings before the scheduled deletion date. After the grace period, the deletion processor runs daily and completes normal personal account deletion within 31 calendar days of the original request.
Financial record preservation
Posted journal entries are immutable. Corrections are made through reversing or adjusting entries, not historical edits. Accounting records and the source evidence behind those records are retained for 7 years after organization closure or contract termination so the audit trail remains complete.
Legal holds
Deletion is paused only for a documented legal hold, fraud investigation, security investigation, payment dispute, tax obligation, court order, or regulatory request. Legal holds are reviewed every 90 days until removed.
Review cadence
This policy is reviewed every 12 months by May 31 and within 30 days after a material product, infrastructure, provider, or legal requirement change.
Retention schedule
Account deletion grace period
30 calendar days after the user submits the request. The request can be cancelled until the scheduled deletion date.
Normal account deletion completion
The deletion processor runs daily. Personal account deletion is completed within 31 calendar days of the request unless a documented legal hold applies.
User profile identifiers after deletion
Email, display name, password hash, marketing preferences, and organization memberships are removed or anonymized at deletion execution.
Bookkeeping and accounting records
7 years after organization closure or contract termination, including journal entries, journal lines, source events, invoices, bills, receipts, payroll postings, reconciliations, allocations, and report evidence.
Application audit logs tied to financial records
7 years after organization closure or contract termination.
Financial provider data used as source evidence
7 years after organization closure or contract termination, including normalized transactions, provider event IDs, and raw provider payloads required for audit lineage.
Transient provider webhook payloads not used as accounting evidence
30 days after receipt.
Disconnected provider connections
Future sync stops immediately. Provider credentials are disabled or deleted within 24 hours. Historical accounting evidence follows the 7-year accounting retention period.
Uploaded receipts and source documents
7 years after organization closure or contract termination when attached to accounting records. User-deleted unattached documents are removed from active storage immediately and remain recoverable only through storage soft delete for up to 30 days.
Support tickets and support chat transcripts
3 years after ticket closure, unless the ticket is linked to a security incident, billing dispute, or accounting audit record.
Security events and authentication history
365 days in the application database. Production operational telemetry is retained for 90 days.
Marketing preferences and suppression records
3 years after opt out or account deletion, only to honor the suppression request.
Incomplete signup and subscription abandonment records
30 days after the last user action when no account or paid subscription is created.
Production PostgreSQL point-in-time backups
35 days.
Production blob soft delete
30 days.
Production Key Vault soft delete
90 days.
Nonproduction operational logs
30 days.
This policy supplements the Privacy Policy and does not limit customer rights available under applicable privacy laws.