Data Retention and Disposal Policy
Last updated: May 7, 2026
Introduction
This Data Retention and Disposal Policy ("Retention Policy") describes how Stratford Oak LLC, doing business as Nexus ("Company," "we," "us"), determines how long we keep personal and customer data, how we delete or anonymize it when no longer needed, and how we handle backups and exceptions. It supplements our Privacy Policy and should be read together with our Terms of Service.
Industry practice for SaaS products is to publish retention rules that match real product behavior, automate deletion where feasible, and document legal exceptions (for example tax or regulatory holds). This policy reflects how the Nexus application is designed today.
1. Roles & applicability
This policy applies to personal information and customer content processed through the Nexus service (the "Service"). Where an organization uses workspaces for its users, the organization may have additional obligations; our Privacy Policy describes controller/processor roles.
2. Retention schedule (summary)
The following summaries are operational targets. Exact timing may vary slightly due to job schedules, propagation in backups, or technical retries.
| Category | Retention | Disposal / notes |
|---|---|---|
| Account & profile | While the account is active | On verified account deletion, profile fields are anonymized and user-owned records are deleted or de-attributed as described in Section 4. |
| Finance & Plaid connection data | While the connection exists and the account is active | Users may disconnect a bank link in the product; Plaid access tokens are revoked and local connection records removed. Full finance deletion occurs with account deletion (Section 4). Long-lived tokens are encrypted at rest before storage. |
| Workspace content in Trash | Tier-based automatic purge | Deleted documents and tasks are purged automatically after a retention window that depends on your subscription tier (for example, shorter on Free, longer on paid tiers). Workspace administrators may have additional controls where the plan allows (Settings → Security → Data retention). |
| Trash metadata table | Limited window (server-enforced) | A scheduled job removes aged trash records from our trash store after a fixed maximum window so items do not linger indefinitely server-side. |
| Payment & billing records | Minimum periods required for tax and accounting | We retain billing-related records as described in our Privacy Policy (typically multi-year where required). Payment card data is handled by Stripe. |
| Audit & security logs | Limited retention for security and accountability | Significant security and account events may be retained for at least twelve months or longer if required by law or legitimate security needs. |
| Terms & privacy acceptance records | Long-term proof of consent | Evidence of agreement to legal terms may be retained to demonstrate compliance. Account deletion removes associated acceptance rows where our systems store them for the user. |
| Backups | Rolling backup cycles | Backup copies may persist for a limited period after deletion from production databases; those copies roll off according to our cloud provider's backup lifecycle (see Privacy Policy). |
3. Methods of disposal
- Deletion: Rows are removed from primary databases where the Service performs erasure (for example user-owned finance records and certain engagement data).
- Anonymization: Where content must remain in a shared workspace for continuity, we remove identifiers tied to the departing user (for example authorship fields) rather than deleting collaborative documents outright.
- Revocation: Financial institution connections use provider APIs to revoke access tokens when you disconnect or when we delete connection rows.
- Cryptographic protection: Sensitive tokens (such as Plaid access tokens) are encrypted before persistence; deletion removes ciphertext keys from active databases.
4. Account deletion & data export
Users may request a machine-readable export of their data and may delete their account from Settings → Privacy & Data. Account deletion triggers server-side processing that anonymizes the profile, deletes user-scoped finance and related records (including Plaid connection rows), removes certain consent records, and anonymizes or deletes collaborative content according to our deletion pipeline.
Password-based accounts require password confirmation before deletion; OAuth-only accounts follow the same flow without a Nexus password where applicable.
5. Automated jobs & consistency
We use scheduled maintenance tasks (for example subscription maintenance and trash cleanup jobs) so retention windows are enforced even if a user does not open the app. These jobs align tier-based limits with workspace subscription state.
6. Exceptions & legal holds
We may retain specific information beyond ordinary schedules when necessary to comply with law, respond to valid legal process, resolve disputes, enforce our agreements, or protect security. When a hold ends, we dispose of data according to this policy where permitted.
7. Policy review
We review this Retention Policy periodically (at least annually) and whenever we materially change data processing—for example new financial features, new subprocessors, or changes required by privacy laws. Updates are posted with a new "Last updated" date; material changes are communicated as described in our Privacy Policy.
8. Contact
Questions about retention or disposal: privacy@nexusdocs.app. Legal inquiries: legal@nexusdocs.app.