Data Deletion and Retention Policy
Last Updated: 2026-01-05
1. Purpose
This policy defines the standards for the retention and deletion of data handled by Honeybee. It ensures compliance with applicable US data privacy laws, including the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule.
2. Scope
This policy applies to all personal and financial data collected, processed, and stored by Honeybee within the United States.
3. Data Categories & Retention Periods
| Data Category | Description | Retention Period |
|---|---|---|
| Account Information | Username, password hash, created_at. | Retained as long as account is active. |
| Financial Transactions | Date, description, amount, account name, hash. | 7 years from the date of transaction (IRS/Audit best practice). |
| Account Metadata | Taxonomy configurations, settings. | Retained as long as account is active. |
| Inferred Data | AI classification results, certainty scores, embeddings. | Retained as long as the underlying transaction is retained. |
| System Logs | API usage logs, classification job history. | 1 year from the date of creation. |
4. Deletion upon Request
In accordance with CCPA/CPRA, Honeybee provides users with the "Right to Deletion."
- Users may request the deletion of their entire account and all associated data through the application interface.
- Upon such request, Honeybee will permanently delete all associated data within 45 days.
5. Inactive Account Termination
To minimize data risk, accounts that have not been accessed for more than 2 years will be considered "inactive."
- Inactive accounts and all associated data will be flagged for deletion.
- In compliance with the FTC Safeguards Rule, data no longer necessary for legitimate business purposes or legal requirements will be securely disposed of.
6. Secure Disposal
When data reaches the end of its retention period or a deletion request is processed, it will be securely disposed of:
- Database records will be permanently deleted using standard SQL DELETE operations.
- Backup data will be overwritten or purged according to backup rotation schedules.
7. Policy Review
This policy is reviewed annually to ensure continued compliance with evolving US state and federal privacy regulations.