Data Retention Policy

Last Updated: December 2025


Overview

This policy explains how Piko retains and deletes your data. We retain information only as long as necessary to provide our services and comply with legal obligations. We follow data minimization principles—collecting and keeping only what we need.

Information We Collect

Piko collects the following categories of information:

  • Account information — Email address, name, and contact details
  • Financial documents — Bank statements, invoices, receipts, and tax forms you upload
  • Transaction data — Financial transactions extracted from your documents
  • Usage information — How you interact with our service

How Long We Keep Your Data

Category                           Retention Period
Account identity (email, name)     30 days after account closure
Financial documents and records    7 years from document date
Transaction data                   7 years from transaction date
Activity logs                      90 days

Why We Keep Financial Records for 7 Years

We retain financial documents and transaction data for 7 years to comply with:

  • IRS requirements — The IRS recommends keeping tax records for 7 years (statute of limitations for substantial understatement)
  • State tax authorities — Various states require retention of up to 7 years
  • Standard accounting practices — Aligns with professional bookkeeping standards

Your Rights

You have the right to:

  • Access — Request a copy of your personal data
  • Correction — Request correction of inaccurate information
  • Deletion — Request deletion of your data

We honor deletion requests from all users, regardless of location. When you request deletion:

  • Personal data not subject to legal retention requirements is deleted within 45 days
  • Financial records required for tax and accounting compliance are restricted—removed from active product features but retained for up to 7 years
  • Restricted data is automatically deleted when the retention period expires

How to Request Deletion

To request deletion of your data, email [email protected]. We will verify your identity and respond within 45 days. Complex requests may require an additional 45-day extension.

After processing your request, we'll confirm what data was deleted and explain any data retained for legal compliance.

Security

We protect your data with:

  • Encryption in transit — All data transmitted over TLS 1.2+
  • Encryption at rest — All stored data encrypted using AES-256
  • Access controls — Role-based access limits who can view your data
  • Regular reviews — We periodically review our security practices

Legal Basis

Our retention practices comply with federal and state requirements, including CCPA/CPRA (California) and other state privacy frameworks. We monitor regulatory developments and update our practices accordingly.

Contact

For questions about this policy or to exercise your data rights:

  • Email: [email protected]
  • Response time: Within 30 days (up to 45 days for complex requests)