Data Retention Policy
Last Updated: January 2026
Overview
This policy explains how Conto retains and deletes your data. We retain information only as long as necessary to provide our services and comply with legal obligations. We follow data minimization principles—collecting and keeping only what we need.
Information We Collect
Conto collects the following categories of information:
- Account information — Email address, name, and contact details
- Financial documents — Bank statements, invoices, receipts, and tax forms you upload
- Transaction data — Financial transactions extracted from your documents
- Usage information — How you interact with our service
How Long We Keep Your Data
| Category | Retention Period |
|---|---|
| Account identity (email, name) | 30 days after account closure |
| Financial documents and records | 7 years from document date |
| Transaction data | 7 years from transaction date |
| Activity logs | 90 days |
| Document processing (third-party) | 24 hours (then permanently deleted) |
| Accounting integration logs (third-party) | 15 days (operational logs only) |
Why We Keep Financial Records for 7 Years
We retain financial documents and transaction data for 7 years to comply with:
- IRS requirements — The IRS recommends keeping tax records for 7 years (statute of limitations for substantial understatement)
- State tax authorities — Various states require retention of up to 7 years
- Standard accounting practices — Aligns with professional bookkeeping standards
Third-Party Integration Data
When you connect accounting software (such as QuickBooks Desktop), our integration providers temporarily retain API request logs for operational purposes (typically 15 days), then permanently delete them. These logs do not contain the full contents of your accounting data—only metadata about sync requests. Your actual accounting data is not permanently stored by our integration providers.
Your Rights
You have the right to:
- Access — Request a copy of your personal data
- Correction — Request correction of inaccurate information
- Deletion — Request deletion of your data
We honor deletion requests from all users, regardless of location. When you request deletion:
- Personal data not subject to legal retention requirements is deleted within 45 days
- Financial records required for tax and accounting compliance are restricted—removed from active product features but retained for up to 7 years
- Restricted data is automatically deleted when the retention period expires
How to Request Deletion
To request deletion of your data, email support@helloconto.com. We will verify your identity and respond within 45 days. Complex requests may require an additional 45-day extension.
After processing your request, we'll confirm what data was deleted and explain any data retained for legal compliance.
Security
We protect your data with:
- Encryption in transit — All data transmitted over TLS 1.2+
- Encryption at rest — All stored data encrypted using AES-256
- Access controls — Role-based access limits who can view your data
- Regular reviews — We periodically review our security practices
Legal Basis
Our retention practices comply with federal and state requirements, including CCPA/CPRA (California) and other state privacy frameworks. We monitor regulatory developments and update our practices accordingly.
Contact
For questions about this policy or to exercise your data rights:
- Email: support@helloconto.com
- Response time: Within 30 days (up to 45 days for complex requests)