This Data Retention and Disposal Policy ("Retention Policy") explains how cleanScheduler retains, archives, and disposes of information processed through the Service. It supplements our Privacy Policy and Terms of Service. Capitalized terms not defined here have the meanings given in those documents.
1. Purpose and scope
This policy applies to:
- Data we store in our production systems (primarily Supabase Postgres and Storage);
- Data processed on our behalf by subprocessors listed in our Privacy Policy;
- Tenant workspace data (customer records, schedules, quotes, invoices, campaigns, and related files) that cleaning businesses upload or generate through the Service.
Tenants remain responsible for their own legal obligations to their customers, including notice and retention rules that may differ from this platform schedule.
2. Principles
- Purpose limitation: we retain data only as long as needed to operate the Service, meet contractual commitments, resolve disputes, or satisfy legal obligations.
- Data minimization: we avoid storing full payment card numbers, government ID images, or other sensitive categories outside integrated providers (for example, Stripe handles card data).
- Secure disposal: deletion means removing records from active databases and storage buckets; where immediate physical erasure from all backups is not technically feasible, we rely on backup rotation as described in Section 8.
3. Retention schedule
The table below summarizes default retention periods under normal operations. We may retain specific records longer when required by law, litigation hold, fraud investigation, or an explicit written agreement.
| Category | Examples | Retention period | Disposition | Notes |
|---|---|---|---|---|
| Workspace and tenant configuration | Company profile, slug, branding, operational settings, compensation rules, service plans | While the workspace is active; 30 days after free trial ends if never subscribed; up to 90 days after voluntary owner closure on activated workspaces | Secure deletion | Never-activated trial workspaces are hard-deleted automatically 30 days after trial_ends_at (see lib/billing/tenantPurge.ts). Voluntary owner deletion allows time to export data and complete billing wind-down. Hard delete cascades to tenant-scoped tables where database constraints are configured with ON DELETE CASCADE. |
| Tenant user accounts (staff and owners) | Profiles, memberships, roles, employee avatars | While the user remains a member of a workspace; auth records until account deletion is confirmed | Secure deletion | Removing a user from a workspace does not always delete the underlying Supabase Auth user if they belong to other workspaces. Full auth deletion requires an explicit account deletion request. |
| Customer and operations records | Customers, properties, schedules, visits, quotes, line items, invoices, payments, support threads | While the tenant workspace is active | Secure deletion | Deleted when the tenant workspace is deleted, subject to legal hold or billing record exceptions below. |
| Platform billing and Stripe mirrors | tenant_billing_accounts, subscription status, Connect account metadata, mirrored charges, refunds, disputes, payouts | 7 years after the transaction or tax-relevant period ends | Archived (restricted access) | Supports tax, accounting, and chargeback obligations. Stripe also retains payment data under its own policies. |
| Generated reports (cache) | report_runs rows and PDF objects in report_exports storage | 1 hour from generation (cache TTL) | Secure deletion | Automatic expiry via expires_at; PDFs in storage may persist until they are overwritten or removed by manual cleanup. |
| Webhook idempotency logs | stripe_webhook_events, resend_webhook_events | Up to 90 days after successful processing | Secure deletion | Used only to prevent duplicate processing. Failed events may be deleted sooner on retry; operational purge may run periodically. |
| Email campaigns and suppressions | Campaigns, recipients, delivery metrics, tenant_email_suppressions, Resend message metadata we store | While the workspace is active; suppressions until removed by a tenant admin | Secure deletion | Resend retains message logs under its policy independently. Bounced addresses may remain suppressed to honor opt-out. |
| Transactional email content | Quote, invoice, trial-ending, dispute, and invite emails sent via Resend | Not stored in full in our database after send | Provider retention | We retain recipient metadata and status in app tables where applicable; message bodies live with Resend for a limited provider retention window. |
| Portal and employee invites | customer_portal_invites, employee_invites | Until accepted, revoked, or 30 days after expires_at (whichever is first) | Secure deletion | — |
| Marketing and sales inquiries | marketing_inquiries from the public contact form | 3 years from submission | Secure deletion | — |
| Founder admin audit and masquerade | audit_log_entries, masquerade_sessions | 3 years from event timestamp | Archived (restricted access) | Supports security investigations and access reviews. |
| Application and hosting logs | Vercel request logs, runtime errors, cron execution output | 30–90 days (per hosting provider configuration) | Provider retention | — |
| Database backups | Supabase point-in-time recovery and daily backups | Per Supabase project backup policy (typically up to 7–30 days rolling) | Provider retention | Backups may contain deleted data until backup rotation completes; we do not restore deleted tenant data except for disaster recovery. |
| Planned: bank reconciliation (Plaid) | bank_links, imported transactions (when feature is enabled) | While connection is active, plus 90 days after disconnect | Secure deletion | Not yet active in production application code; schedule applies when enabled. |
| Planned: SMS (Twilio) | Outbound SMS logs and delivery metadata (when feature is enabled) | While workspace is active; message bodies per Twilio retention (typically up to 400 days) | Provider retention | Not yet active in production application code. |
4. Workspace lifecycle
Active workspace
While a tenant workspace is active and in good standing, operational data is retained so tenants can run scheduling, billing, reporting, and customer portals without interruption.
Trial expiration or subscription lapse
When a free trial ends without conversion, or a platform subscription lapses, we may restrict access to paid features. Data generally remains stored for a reasonable reactivation window (typically aligned with the 90-day post-closure period in Section 3) unless the tenant requests earlier deletion.
Workspace closure
When a tenant requests workspace closure or we terminate for cause:
- We confirm the request with an authorized workspace owner and offer a data export window where technically available.
- We disable sign-in for that workspace and stop processing new customer-facing actions (email campaigns, new charges, etc.).
- Within 90 days, we delete or anonymize tenant-scoped operational data in our primary database and application storage, except categories marked "Archived" or "Provider-controlled" in Section 3.
- Billing, tax, and fraud-related records may be retained for up to 7 years as described in the schedule.
5. Individual user and customer requests
Tenant users (staff and owners)
Users may update profile fields in workspace settings. To delete an authentication account entirely, contact legal@712int.com. If the user belongs to multiple workspaces, we delete only what you authorize; membership removal from a single workspace does not automatically erase global auth credentials.
Customer portal users
End customers of a cleaning business should direct access, correction, and deletion requests to their service provider first. We will assist the provider on verified instructions. Customer identity records may link a person to multiple tenant workspaces; deletion in one workspace does not automatically remove historical records another provider holds.
6. Disposal methods
Depending on the data type, disposal means one or more of the following:
- Hard delete: removing rows via application or database operations, including cascade deletes configured on tenant-scoped foreign keys.
- Storage object delete: removing files from Supabase Storage buckets (for example, tenant logos, employee avatars, cached report PDFs).
- Anonymization: replacing direct identifiers with irreversible placeholders while retaining aggregate statistics (used sparingly).
- Provider deletion requests: instructing subprocessors to delete or export data they control, subject to their APIs and legal requirements.
We do not sell discarded storage media; cloud providers handle physical media destruction under their security programs.
7. Subprocessor retention
Each active subprocessor maintains its own retention practices. We select providers with reasonable security commitments and limit data shared to what the integration requires. Current active providers:
- Supabase: Database, authentication (email/password and OAuth), file storage (logos, avatars, report exports), and scheduled database jobs.
- Stripe: Platform subscriptions (Starter, Business, Pro), Stripe Connect Express onboarding and payouts for tenants, customer invoice and subscription checkout, refunds, disputes, and payout reconciliation.
- Resend: Transactional email (quotes, invoices, trial reminders, employee invites, dispute alerts) and tenant email campaigns with delivery analytics webhooks.
- Google: Optional “Sign in with Google” through Supabase Auth (OAuth). Google does not receive your cleanScheduler workspace data directly.
- Vercel: Application hosting, preview deployments, and scheduled cron jobs that invoke internal maintenance routes.
- Twilio: Pro plan transactional SMS — quote notifications, visit reminders, and team alerts via Twilio when configured.
Payment card and bank account details entered through Stripe or (when enabled) Plaid are retained under those providers' schedules even after we delete workspace mirrors. Email content and delivery logs at Resend follow Resend's retention. Authentication events at Supabase Auth follow Supabase's documentation.
8. Backups, logs, and residual data
- Backups: point-in-time and periodic backups may contain deleted records until those backups age out. We do not use backups to serve live product features or to restore deleted tenant data on request unless required for disaster recovery.
- Application logs: hosting and error logs typically roll off within 30–90 days and may include IP addresses, URLs, and error stack traces.
- Cached artifacts: report PDFs and report run JSON expire on a short TTL (see schedule); regenerating a report creates new cache rows.
9. Legal hold and exceptions
We may suspend routine deletion when we believe preservation is required to comply with law, respond to lawful process, investigate abuse, or defend legal claims. When a hold ends, normal disposal resumes for data no longer required.
10. Security of retained data
Data retained under this policy is subject to the security measures described in our Privacy Policy, including encryption in transit, access controls, row-level security, and separation of production and non-production environments.
11. Changes to this policy
We may update retention periods or disposal practices as the product or law evolves. We will post changes on this page and update the "Last updated" date. Material reductions in retention (favorable to users) may apply prospectively; extensions will be communicated where appropriate.
12. Contact
Retention or deletion questions: legal@712int.com. You may also use our contact form.