Secure Storage

GDPR Compliant

Clear Timelines

Data Retention Policy

Transparency in how we store, manage, and protect your information

Last Updated: January 2025

1. Purpose and Scope

1.1 Purpose

Ovr Finance™ (operated by JRM Creative Ventures LLC) retains personal data only for as long as necessary to:

Fulfill the purposes for which it was collected
Meet legal, contractual, and regulatory obligations
Support legitimate business requirements (security, fraud prevention, dispute resolution)
Provide Services you've requested

1.2 Principles

We adhere to data minimization and storage limitation principles:

Collect only what's necessary

Keep only as long as needed

Delete when no longer required

Secure during entire lifecycle

1.3 Scope

This Data Retention Policy applies to:

All personal data collected through Ovr Finance™ Services
Data processed on behalf of users
Data stored by third-party processors (Plaid, Stripe, etc.)
Data in production systems, backups, and archives

2. Legal Framework

2.1 Compliance

Our retention practices comply with:

International

• GDPR Article 5(1)(e) - Storage limitation principle (EU/EEA)
• UK GDPR - Data protection and retention (United Kingdom)
• PIPEDA - Retention and disposal (Canada)

United States Federal

• FTC Safeguards Rule (16 CFR Part 314) - Secure data disposal
• Gramm-Leach-Bliley Act (GLBA) - Financial privacy
• IRS 26 U.S.C. §6001 - Financial record retention (7 years)
• NACHA Operating Rules - Payment authorization records (2 years)

United States State

• CCPA/CPRA §1798.105 - Right to deletion (California)
• VCDPA - Data deletion rights (Virginia)
• CPA - Retention and deletion (Colorado)
• Connecticut, Utah, and other state privacy laws

3. Types of Data We Collect and Retain

3.1 Account Information

Full name
Email address
Password (encrypted hash)
Phone number (if provided)
Profile photo (if uploaded)
Account creation date and status

Purpose: Provide access to Services, communicate with you, verify identity, fraud prevention

3.2 Financial Data

Linked bank account identifiers (tokenized via Plaid)
Credit card account identifiers (last 4 digits)
Account balances and credit limits
Transaction history and payment records
Debt payoff goals and projections
Payment authorizations and consent records

Purpose: Calculate debt payoff strategies, process ACH payments, maintain payment authorization records

Important: We do NOT store: Full credit card numbers, CVV codes, bank login credentials, or Social Security Numbers

3.3 Technical Data

Device type, model, and operating system
IP address and general location
Browser type and version
App version and installation date
Unique device identifiers

Purpose: Provide and optimize Services, detect fraud, debug technical issues, security monitoring

3.4 Usage Data

Pages/screens viewed and features used
Time spent in app and frequency
Interaction patterns
Error logs and crash reports
Performance metrics

Purpose: Improve user experience, develop features, identify bugs, optimize performance

3.5 Support Communications

Support tickets and messages
Screenshots or attachments
Feedback and survey responses
Resolution notes and timestamps

Purpose: Provide customer support, track issue resolution, improve Services, legal defense

3.6 Payment Transaction Records

Payment amount, date, and destination
Payment authorization records
Transaction status
Processing fees
Stripe transaction IDs
User consent records

Purpose: NACHA compliance (2-year), tax reporting (IRS 7-year), dispute resolution, fraud prevention

4. Retention Periods by Data Type

Data Type	Retention Period	Legal/Business Reason
Account & Profile Data	Active + 30 days	Account continuity, support
Financial Transaction Records	7 years	IRS requirements (26 U.S.C. §6001)
Payment Authorization Records	2 years	NACHA Operating Rules
Add-On Purchase Records	7 years	IRS requirements (26 U.S.C. §6001)
AI Recalibration Usage Logs	3 years	Feature improvement, abuse detection
Autopay Authorization Records	2 years	NACHA Operating Rules
Overage Charge Records	7 years	IRS requirements, dispute resolution
Subscription/Billing Data	7 years	Tax and accounting compliance
Support Communications	3 years	Legal defense, quality improvement
Usage & Analytics Data	18 months	Product optimization
Technical/Device Data	12 months	Security monitoring
System Backups (Encrypted)	90 days	Disaster recovery
Audit Logs	2 years	Security compliance
Marketing Consent Records	3 years	CAN-SPAM, GDPR compliance
Anonymized Data	Indefinite	Non-identifiable

5. Data Deletion Process

5.1 How to Request Deletion

⚠IMPORTANT: Active Autopay Transactions

If you have autopay enabled, scheduled payments within the next 7 days may still process even after deletion request.

We recommend disabling autopay in Settings before requesting account deletion to avoid unintended transactions.

In-App

1. Navigate to Settings → Account → Privacy & Security
2. Select "Delete My Account"
3. Confirm deletion and verify identity
4. Receive confirmation email

By Email

1. Send email to: support@ovrfinance.io
2. Subject: "Account Deletion Request"
3. Include: Full name, email, account details
4. Deletion processed within 30 days

5.2 Deletion Timeline

Day 0-1

Request received and verified

Identity verification completed, deletion queued, confirmation email sent

Day 1-7

Account deactivation

Account status changed to 'pending deletion', login access disabled, 30-day grace period begins

Day 8-30

Grace period

Data flagged for deletion but still recoverable, user can reactivate by contacting support

Day 31-60

Permanent deletion

Personal data erased from production databases, account cannot be recovered

Day 61-90

Backup purging

Data removed from encrypted backups, system logs scrubbed of personal identifiers

After Day 90

Complete erasure

All traces of personal data removed, only anonymized analytics remain

6. Legal Compliance and Exceptions

We may retain data longer than standard retention periods when required by:

Legal Obligations

Tax records: IRS requires 7 years (26 U.S.C. §6001)
Financial regulations: Payment records for audits and compliance
Court orders: Data subject to subpoena or legal hold
Regulatory inquiries: SEC, FINRA, state regulators, FTC

Isolated Retention

When data must be retained for legal reasons after a deletion request, it is isolated in a secure, access-restricted archive, no longer used for operational purposes, and deleted as soon as the legal obligation expires.

7. Third-Party Storage and Processing

Ovr Finance™ uses trusted third-party processors. Each has its own retention schedule consistent with GDPR, CCPA, and industry standards.

Service Provider	Purpose	DPA
Plaid Inc.	Financial account linking	Yes
Stripe, Inc.	Payment processing	Yes
Google Cloud / Firebase	Cloud hosting, authentication	Yes
Amazon Web Services	Cloud hosting, backups	Yes
Apple Inc.	App distribution, subscriptions	Standard
Google LLC	App distribution, subscriptions	Standard

Third-Party Deletion Requests

When you request deletion, we instruct all processors to delete your data. You may also contact them directly:

• Plaid: https://my.plaid.com
• Stripe: privacy@stripe.com
• Google: https://support.google.com/accounts/answer/3024190
• Apple: https://privacy.apple.com

8. Data Security During Retention

Encryption

AES-256 encryption for all stored data
TLS 1.3 for all data transmission
Encrypted backups with separate keys
Keys rotated quarterly

Access Controls

Principle of least privilege
Multi-factor authentication required
Role-based access controls
Quarterly access reviews

Security Monitoring

Intrusion detection systems
Anomaly detection for unusual access
All data access logged
2-year audit trail retention

Secure Deletion

Cryptographic erasure (keys destroyed)
DoD 5220.22-M overwriting standard
Physical destruction of drives
Backup deletion on schedule

9. Your Rights

Right to Information

Know what data we retain, how long, why, and when it will be deleted

privacy@ovrfinance.io

Right to Deletion

Request deletion of your personal data (subject to legal exceptions)

support@ovrfinance.io

Right to Restrict Processing

Request that we stop processing your data while retaining it

privacy@ovrfinance.io

Right to Data Portability

Request a copy of your data in a portable format (CSV, JSON)

privacy@ovrfinance.io

Right to Object

Object to retention for certain purposes (marketing, legitimate interests)

privacy@ovrfinance.io

Right to Lodge Complaint

File complaint with supervisory authority (ICO, California AG, state AG)

10. International Compliance

GDPR (EU/EEA)

Storage limitation (Article 5(1)(e))
Right to erasure (Article 17)
Periodic review of retention necessity
Automated deletion where possible

UK GDPR

Similar to EU GDPR with UK-specific adaptations
ICO guidance followed
UK data protection laws supersede where stricter

CCPA/CPRA (California)

Right to Delete (§1798.105)
45-day response time
Maintain records of deletion requests
Annual metrics published

Canada (PIPEDA)

Retain only as long as necessary (Principle 5)
Secure destruction when no longer needed
User may request deletion

11. Automated Deletion

We use automated systems to ensure timely deletion:

Daily

Delete accounts past 30-day grace period
Remove expired session tokens
Purge old error logs

Weekly

Delete old usage analytics (18+ months)
Remove expired support tickets (3+ years)
Scrub personal identifiers from anonymized data

Monthly

Delete old system logs (12+ months)
Purge encrypted backups (90+ days)
Archive financial records to long-term storage

Quarterly

Comprehensive retention audit
Deletion of inactive accounts (2+ years)
Encryption key rotation

12. Data Retention Audits

Quarterly Audits (Every 90 days)

1Data inventory: Catalog all data in production and backups
2Age analysis: Identify data exceeding retention periods
3Legal review: Confirm no legal holds prevent deletion
4Deletion execution: Purge data eligible for deletion
5Documentation: Record audit findings and actions taken
6Reporting: Report to management and compliance team

Independent Audits

SOC 2 Type II audits (annually)
Security assessments (penetration testing)
Privacy compliance reviews (as needed)

13. Policy Updates

We may update this Data Retention Policy to reflect changes in legal requirements, new features, or improvements to retention practices.

Material Changes

• Email notification to all active users
• In-app notification upon next login
• Prominent notice on website
• At least 30 days' advance notice

Minor Changes

• Updated "Last Updated" date
• Notice on website
• No individual notification required

14. Contact Us

Data Retention Questions

Email: privacy@ovrfinance.io

Subject: "Data Retention Inquiry"

Response: 5 business days

Deletion Requests

Email: support@ovrfinance.io

Subject: "Account Deletion Request"

Response: 30 days maximum

Data Retention Reports

Email: privacy@ovrfinance.io

Subject: "Data Retention Report Request"

Response: 30 days

Legal and Compliance

Email: legal@ovrfinance.io

Subject: "Legal/Compliance Inquiry"

Mailing Address

JRM Creative Ventures LLC
Attn: Data Protection Officer
111 Town Square Pl Ste 1238 PMB 877216
Jersey City, NJ 07310-1810
United States

Quick Reference Summary

Data Type	How Long	Why
Active account data	While active	Provide Services
After deletion	30 days	Allow reactivation
Financial transactions	7 years	Tax law (IRS)
Payment authorizations	2 years	NACHA rules
Support tickets	3 years	Quality & legal
Usage analytics	18 months	Product improvement
Backups (encrypted)	90 days	Disaster recovery
Anonymized data	Indefinite	Non-identifiable

How to Delete Your Data

1. In-app: Settings → Account → Delete Account
2. Email: support@ovrfinance.io
3. Wait: 30-day grace period (can reactivate)
4. Confirmed: Permanent deletion after 30 days

Last Updated: January 2025 | Effective Date: January 2025

Ovr Finance™ is a trademark of JRM Creative Ventures LLC.