Data Retention Policy
Last updated: 6 June 2026
This policy sets out how long POIscore keeps each category of data and what happens when you delete your account. It complements our Privacy Policy. We keep personal data only as long as needed for the purpose it was collected, or as required by law.
| Data category | Retention period | Legal basis | On account deletion |
|---|---|---|---|
| Account (name, email, password hash) | Until account deletion | Contract | Erased immediately |
| Two-factor secrets & backup codes | Until 2FA disabled or account deletion | Contract / security | Erased (FK cascade) |
| API keys | Until revoked or account deletion | Contract | Erased (FK cascade) |
| Scoring profiles | Until deleted or account deletion | Contract | Erased (FK cascade) |
| Usage events (request logs) | 90 days rolling | Legitimate interest | Erased (FK cascade) |
| Subscriptions | Until account deletion; Stripe sub cancelled | Contract | Erased; Stripe subscription cancelled |
| Invoices | Up to 7 years | Legal (tax/accounting) | Retained where legally required |
| Server / security logs | 30 days | Legitimate interest (security) | Rotated out automatically |
| Stripe customer & payment data | Per Stripe's retention policy | Contract / legal | Customer cancelled; Stripe retains per their policy |
Account deletion
You can delete your account at any time from the Account page ("Danger zone"). Deletion is immediate and irreversible: your account, API keys, scoring profiles, usage events, and subscription records are erased via cascading deletion, all sessions are invalidated, and any active Stripe subscription is cancelled. Invoice records may be retained where tax/accounting law requires.
Backups
Encrypted database backups are retained on a rolling 30-day cycle. Data deleted from the live system is purged from backups as those backups age out of the cycle.
Questions
Email privacy@poiscore.com for any data-retention or deletion request.