Kynarix Data Retention and Disposal Policy

Effective Date: January 1, 2026
Last Updated: January 1, 2026

1. Purpose

This Data Retention and Disposal Policy establishes guidelines for the retention, review, and secure disposal of data collected, processed, or stored by Kynarix, Inc. (“Kynarix”).

This policy is designed to:

• Protect consumer financial information
• Limit data retention to what is necessary
• Comply with applicable data privacy laws
• Align with industry security best practices

2. Scope

This policy applies to:

• Consumer financial data obtained via Plaid API
• Account registration data
• Transaction history and financial analytics data
• Internal system logs and operational data
• Backup and archived data

3. Data Retention Principles

• Data minimization — Only necessary data is retained
• Purpose limitation — Data is retained solely for defined business purposes
• Time limitation — Data is retained only as long as required
• Secure disposal — Data is securely destroyed when no longer needed

4. Retention Periods

A. Consumer Financial Data (via Plaid)

• Retained while the user maintains an active account
• Deleted within 30 days of verified account deletion request
• Retention may extend where legally required

Kynarix does not store consumer banking credentials.

B. Account & Profile Information

• Retained during the active account lifecycle
• Deleted upon verified account closure request

C. Transaction & Analytics Data

• Retained to provide historical reporting functionality
• Deleted when the account is permanently closed

D. Security Logs & Audit Logs

• Retained for a minimum of 12 months
• Retained longer if required for investigations or regulatory purposes

E. Backup Data

• Retained for operational continuity
• Deleted or overwritten in accordance with automated lifecycle schedules

5. Data Deletion Process

Consumers may request data deletion by contacting:

privacy@kynarixapp.com

Upon verified request:

• Account access is revoked
• Active production data is deleted within 30 days
• Backup copies are purged according to system lifecycle schedules

6. Secure Disposal Methods

• Cryptographic erasure where applicable
• Secure deletion of cloud storage objects
• Automated database record deletion
• Access token revocation
• Vendor-compliant destruction protocols

7. Third-Party Data Processors

Kynarix relies on secure infrastructure providers and Plaid for data processing. Vendors are required to:

• Maintain industry-standard security controls
• Limit retention to contractual necessity
• Securely dispose of data upon termination

8. Legal & Regulatory Compliance

Kynarix retains data as required to:

• Comply with applicable financial and privacy regulations
• Prevent fraud or misuse
• Resolve disputes
• Enforce contractual agreements

9. Policy Review

This policy is reviewed at least annually or upon material changes in business operations, regulatory requirements, or security posture.

10. Contact

Kynarix, Inc.
Email: privacy@kynarixapp.com
Website: https://kynarixapp.com