Data Retention Policy

Effective Date: May 13, 2026 · Version 1.2

Note on Identity-Verification Document Coverage (Version 1.2) Version 1.2 adds explicit retention coverage for uploaded IRS EIN-confirmation documents (Section 2.2). Paid accounts may be asked, from inside the dashboard, to upload a copy of an IRS-issued EIN-confirmation document (CP 575, SS-4, or Letter 147C) before certain payment-processing features are enabled. Those documents are encrypted at rest and deleted 90 days after account closure — not retained for 7 years like financial records, because they exist only to verify the account holder for payment processing. This change is a disclosure clarification only; the underlying retention practice has been in place since the EIN-document feature was introduced.

Note on Entity Correction (Version 1.1) Version 1.1 corrected the legal-entity name disclosed in prior versions of this Policy. The retention practices described herein are operated by Emmber, Inc., a Delaware corporation qualified to do business in the State of Florida. Prior version 1.0 incorrectly referenced “Pluse, Inc.” as the controller; the controller has been Emmber, Inc. throughout. “Pluse” is the consumer brand and product name under which Emmber, Inc. provides the platform.

This Data Retention Policy describes how Emmber, Inc. (“Emmber,” “Pluse,” “we,” “us”) retains, archives, and deletes data collected through the Pluse platform. This policy supplements Section 4 (Data Retention) of our Privacy Policy with operational detail on retention periods, deletion procedures, and legal bases.

Retention Principles
Retention Schedule
Banking & Financial Integration Data
Account Deletion Process
Retention Exceptions
Data Disposal Methods
Policy Review
Contact

1. Retention Principles

Pluse retains data only as long as necessary to fulfill the purposes for which it was collected, to comply with legal obligations, and to protect our legitimate interests. Our retention practices are guided by the following principles:

Purpose limitation. Data is retained only for the purpose it was collected. When the purpose is fulfilled, data is deleted or anonymized.
Minimization. We retain the minimum data necessary to meet each retention requirement.
Legal compliance. Certain data must be retained to comply with U.S. tax law (IRS requirements under IRC § 6501), state financial record-keeping laws, and applicable privacy regulations.
User control. Users may request account deletion at any time. Deletion proceeds automatically after a 30-day grace period, subject to legal retention obligations.

2. Retention Schedule

2.1 Account & Authentication Data

Data Category	Retention Period	Legal Basis
Account profile (name, email, business info)	Active account + 30 days after deletion request	Contract performance; 30-day grace period for accidental deletion
Authentication credentials (hashed passwords)	Active account + 30 days	Contract performance
Biometric login tokens (Face ID / Touch ID)	90 days from issuance (auto-expires)	Contract performance
Session tokens, CSRF tokens	Session duration (expires on logout or inactivity)	Security; contract performance
Password reset tokens	1 hour from issuance (auto-expires)	Contract performance
OAuth tokens (Google, Apple sign-in)	Active account + 30 days	Contract performance
Push notification subscriptions	90 days of inactivity, then auto-pruned	Legitimate interest

2.2 Business & Financial Records

Data Category	Retention Period	Legal Basis
Invoices and invoice line items	7 years after account closure	IRS record-keeping (IRC § 6501); state tax requirements
Expenses and expense receipts	7 years after account closure	IRS record-keeping (IRC § 6501)
Sales and revenue records	7 years after account closure	IRS record-keeping (IRC § 6501)
Client and vendor records	7 years after account closure	Supporting documentation for financial records
Employee records, time entries, pay history	7 years after account closure	IRS employment record requirements; FLSA (29 USC § 211(c))
Products, services, and pricing	Active account + 30 days	Contract performance
Projects and job costing data	7 years after account closure	Supporting documentation for financial records
Identity / business-verification documents (uploaded IRS EIN-confirmation document — CP 575, SS-4, or Letter 147C; `/uploads/ein-documents/`); related `users.document_status` and `users.document_grace_period_end` fields	Until account closure + 90 days, then securely deleted (file is removed from disk; status fields are nulled). If the account is closed before a document is uploaded, no document is created. Documents are encrypted at rest with AES-256-GCM while retained.	Fraud-prevention and payment-processing gating; supporting documentation for chargeback and card-network disputes. We do not retain these documents for IRS record-keeping — they exist solely to verify the account holder’s identity for payment processing.

Why 7 Years? The IRS generally has 3 years to audit a tax return, but this extends to 6 years if gross income is understated by more than 25%, and there is no statute of limitations for fraudulent returns. Pluse retains business and financial records for 7 years to ensure users have access to records that may be needed for tax audits, disputes, or legal proceedings. This is the industry-standard retention period for U.S. small business financial records. Identity / business-verification documents are an exception — they are deleted 90 days after account closure rather than retained for 7 years, since they exist only to verify the account holder for payment processing and have no IRS record-keeping basis.

2.3 Payment Processing Data

Data Category	Retention Period	Legal Basis
Stripe payment records and transaction logs	7 years after transaction date	IRS record-keeping; PCI DSS requirements; Stripe’s data retention policies
Stripe Connect account identifiers	Active account + 30 days	Contract performance
Credit card numbers	Not stored. Handled entirely by Stripe (PCI DSS Level 1)	N/A

2.4 AI Assistant Data

Data Category	Retention Period	Legal Basis
AI conversation history (prompts and responses)	Active account; deleted within 30 days of account closure	Contract performance; user experience
AI usage statistics	Active account + 30 days	Subscription usage tracking
AI-generated insights and recommendations	Active account; deleted within 30 days of account closure	Contract performance

2.5 Logs & Security Data

Data Category	Retention Period	Legal Basis
Server access logs (IP, timestamps, HTTP status)	90 days	Security monitoring; incident response
Security events (failed logins, suspicious activity)	30 days	Security monitoring; fraud prevention
Security audit results	90 days	Compliance; security monitoring
Application error logs	90 days	Service reliability; debugging
API request logs	90 days	Security monitoring; debugging

2.6 Legal & Compliance Records

Data Category	Retention Period	Legal Basis
Terms of Service / Privacy Policy acceptance records	7 years after account closure	Legal obligation; proof of consent (GDPR Art. 7(1); CCPA/CPRA; M.G.L. c. 93A)
Data subject access / deletion request records	3 years from request date	Demonstrating compliance with privacy rights requests
Support communications	3 years from last interaction	Service quality; dispute resolution

3. Banking & Financial Integration Data

Pluse integrates with third-party financial data providers to offer bank account connectivity and transaction synchronization. This section describes retention practices specific to data received through these integrations.

3.1 Bank Connection Data

Data Category	Retention Period	Legal Basis
Access tokens (encrypted at rest via AES-256-GCM)	Active connection; deleted immediately on disconnect or account closure	Contract performance
Institution identifiers and metadata	Active connection + 30 days	Contract performance
Account identifiers, names, and last-four mask	Active connection + 30 days	Contract performance
Account balances	Active connection; overwritten on each sync	Contract performance

3.2 Bank Transaction Data

Data Category	Retention Period	Legal Basis
Transaction records (amount, date, merchant, category)	7 years after transaction date	IRS record-keeping; bank reconciliation; supporting documentation for expenses and revenue
Transaction-to-expense / transaction-to-sale matching records	7 years after transaction date	Financial audit trail; IRS record-keeping
User categorization and notes on transactions	7 years after transaction date	Supporting documentation for financial records

3.3 Integration Audit Logs

Data Category	Retention Period	Legal Basis
Sync operation logs (sync type, status, transaction counts)	90 days	Debugging; service reliability
Webhook event logs	90 days	Debugging; event replay capability

3.4 Token Security

All access tokens for financial integrations are encrypted at rest using AES-256-GCM with authenticated encryption. Tokens are encrypted immediately upon receipt and are never stored or logged in plaintext. Encryption keys are stored in environment configuration files outside the web root with restricted file-system permissions, separate from the application codebase.

When a user disconnects a bank connection or deletes their account, the associated access tokens are revoked with the financial data provider and permanently deleted from our systems.

4. Account Deletion Process

4.1 User-Initiated Deletion

Users may request account deletion at any time through the application. The deletion process works as follows:

Request. The user initiates a deletion request through their account settings. Password verification is required to confirm the request.
Grace period. A 30-day grace period begins. During this period, the account is flagged for deletion but remains accessible. The user may cancel the request at any time during the grace period.
Notification. The user receives an email confirming the deletion request and the date on which permanent deletion will occur.
Permanent deletion. After the 30-day grace period, a daily automated process permanently deletes the account and all associated data, except for records subject to legal retention requirements (see Section 5).
Confirmation. A final email is sent confirming that the account has been permanently deleted.

4.2 Data Deleted on Account Closure

The following data is permanently deleted within 30 days of the grace period expiring:

Account profile and authentication credentials
All authentication tokens (biometric, device, session, OAuth)
Notification preferences and notification history
Subscription metadata and usage tracking
AI conversation history, settings, and usage data
Push notification subscriptions
Bank connection tokens and account metadata
Products, services, and pricing data

4.3 Data Retained After Account Closure

The following data is retained after account closure for the periods specified in Section 2, then permanently deleted:

7 years: Invoices, expenses, sales, client records, employee records, time entries, payment records, bank transaction records, and legal acceptance logs. These records are retained in compliance with IRS record-keeping requirements and are not accessible to the former user after account closure.
3 years: Support communications and data subject request records.

Retained financial records are stored in a read-only state and are not processed for any purpose other than legal compliance and dispute resolution.

5. Retention Exceptions

Data may be retained beyond the standard retention period in the following circumstances:

Legal hold. If Pluse receives a valid legal preservation order, litigation hold, or subpoena, affected data will be preserved until the legal obligation is resolved, regardless of the standard retention period.
Active disputes. Data related to an ongoing dispute (billing, service, or legal) will be retained until the dispute is fully resolved.
Fraud prevention. If an account is terminated due to suspected fraud or abuse, associated data may be retained for up to 7 years to prevent re-registration and to support potential legal proceedings.
Regulatory audit. If Pluse is subject to a regulatory audit or investigation, relevant data will be retained until the audit or investigation is concluded.

6. Data Disposal Methods

When data reaches the end of its retention period, it is permanently destroyed using the following methods:

Database records. Permanently deleted via SQL DELETE operations. Deleted records are not recoverable from the database.
Encrypted tokens. Encryption keys are destroyed, rendering the encrypted data unrecoverable, followed by deletion of the encrypted ciphertext.
Log files. Overwritten through log rotation on a rolling basis.
Backups. Database backups are overwritten on a 90-day rolling cycle. Deleted data is purged from backups within 90 days of deletion from the primary database.

All disposal methods comply with M.G.L. c. 93I, § 2 (Massachusetts data disposal requirements) and render personal information incapable of being practicably read or reconstructed. For full disposal procedures, see Section 16 (Data Disposal) of our Privacy Policy.

7. Policy Review

This Data Retention Policy is reviewed and updated at least annually, or whenever there is a material change to our data processing practices, legal obligations, or business operations. Changes are communicated through our Privacy Policy update process.

The retention schedule in Section 2 is the operative schedule. In the event of a conflict between this policy and the summary retention periods in our Privacy Policy, this Data Retention Policy controls.

8. Contact

For questions about this Data Retention Policy or to submit a data deletion request:

Email: support@pluse.to
Privacy/Legal: legal@pluse.to
Website: pluse.to

Emmber, Inc. is a Delaware corporation qualified to do business in the State of Florida and operates the Pluse platform at pluse.to.