Pocket Piggy - Data Retention & Deletion Policy

Confidential

1. Purpose

This policy defines how Pocket Piggy collects, retains, and deletes user data across all systems. It ensures compliance with applicable data privacy laws and reflects our commitment to data minimization and user control.

Pocket Piggy is a privacy-first application. Its foundational principle is that financial data never leaves the user's device. This policy covers both on-device and server-side data.

2. Data Inventory & Retention Schedule

Data Category	Storage Location	Retention Period	Deletion Trigger
HIGH Transactions (Plaid & manual)	Device only (AES-256 Hive)	Until user action	App uninstall or account deletion
HIGH Budget data	Device only (AES-256 Hive)	Until user action	App uninstall or account deletion
HIGH Account balances	Device only (AES-256 Hive)	Until user action	App uninstall or account deletion
HIGH Plaid access tokens	Server (Firestore, Google KMS)	Until user action	Bank disconnect or account deletion
User profile (name, email)	Cloud Firestore	Until user action	Account deletion request
Gamification progress (XP, achievements)	Cloud Firestore	Until user action	Account deletion request
User preferences & settings	Device (SharedPreferences) + Firestore	Until user action	App uninstall (device) or account deletion (server)
Subscription status	Cloud Firestore + RevenueCat	Until user action	Account deletion request
Vendor category memory (learned associations)	Device only (AES-256 Hive)	Until user action	App uninstall or account deletion
Analytics events (non-PII)	Firebase Analytics	14 months (automatic)	Automatic expiration (anonymized)
Cloud Function logs	Google Cloud Logging	30 days (automatic)	Automatic expiration
Crash reports	Firebase Crashlytics	90 days (automatic)	Automatic expiration

3. User-Initiated Data Deletion

3.1 Account Deletion (Full)

Users can delete their entire account through Settings > Account > Delete Account. This triggers:

Plaid disconnection: All Plaid access tokens are revoked via the Plaid API (server-to-server call), permanently severing the bank connection
Firestore deletion: All user documents and subcollections are deleted from Cloud Firestore (profile, gamification data, subscription records, institution metadata)
Firebase Auth deletion: The user's authentication record is removed from Firebase Auth
Local data wipe: All encrypted Hive boxes on the device are cleared (transactions, budgets, vendor memory, staging data)
RevenueCat: Anonymous user ID disassociated (subscription continues through App Store/Play Store until period ends, but is no longer linked to the app)

Account deletion is immediate and irreversible. Users are warned with a confirmation dialog before proceeding.

3.2 Bank Disconnection

Users can disconnect their bank without deleting their account through Settings > Bank Sync. This triggers:

Plaid access token revoked via Plaid API
Institution metadata removed from Firestore
Previously imported transactions remain on-device (user can delete individually)

3.3 Individual Data Deletion

Transactions: Users can delete individual transactions from the transaction detail screen
Budget categories: Users can remove budget categories from the budget management screen
App uninstall: Removes all local encrypted data (Hive boxes, SharedPreferences, cached files)

4. Data Export

Before deletion, users can export their data in two formats (Pro feature):

Excel (.xlsx): Summary sheet, full transaction list, budget breakdown by category
PDF: Formatted report with expense breakdown, category analysis, and monthly summary

Export files are generated on-device and saved to the user's device storage. No export data is transmitted to any server.

5. Data Minimization Practices

Financial data is device-only: Transaction amounts, account balances, budget data, and spending history are never transmitted to or stored on any server
AI receives vendor names only: When AI categorization is used, only merchant/vendor names are sent to OpenAI — no amounts, no account numbers, no PII
No advertising or tracking: No advertising SDKs, no third-party tracking pixels, no data brokers
Minimal server-side data: Only non-financial data stored in Firestore (profile, gamification, subscription status)
No data sharing or selling: Consumer data is never sold, shared with third parties, or used for purposes beyond the app's core functionality
Plaid tokens server-side only: Plaid access tokens are exchanged and stored server-side — they never exist on the user's device

6. Third-Party Data Handling

Provider	Data Shared	Provider's Retention	Deletion Process
Plaid	Access tokens (server-side)	Per Plaid's policy	Token revoked on disconnect or account deletion
Firebase / GCP	User profiles, non-financial data	Until deleted	Cascading delete on account deletion
RevenueCat	Anonymous user ID, purchase receipts	Per RevenueCat's policy	User ID disassociated on account deletion
OpenAI	Vendor names only (no PII)	Not retained (API usage, zero data retention)	No persistent data to delete
Firebase Analytics	Non-PII usage events	14 months (anonymized)	Automatic expiration

7. Compliance

Users have full control over their data at all times (view, export, delete)
Account deletion is available in-app without requiring email or support contact
No data is retained after account deletion except anonymized analytics (automatic 14-month expiry) and Cloud Function logs (automatic 30-day expiry)
Privacy Policy is available in-app and at a published URL, disclosing all data practices
The app complies with Google Play and Apple App Store data deletion requirements

8. Policy Review

This policy is reviewed and updated at minimum annually, or whenever significant changes are made to data handling practices, third-party integrations, or storage architecture.