Legal

Data Retention Policy

Last updated: July 7, 2026

This policy describes how long Quoining (operated by Bolt Systems, LLC) retains data and what happens when an account is closed. The Service is currently offered only in the United States and all production data is hosted in AWS us-east-1. For the broader privacy framework, see our Privacy Policy and Data Processing Agreement.

1. While Your Account Is Active

We retain all data needed to provide the Service: financial records, transactions, journal entries, documents, uploaded statements, budgets, forecasts, saved model settings, and the audit trail. Generated exports are processed as needed to deliver the requested file unless you save or upload a copy back into the Service.

2. Closing a Company Account — Three Stages

Closing a company account proceeds in three stages so accidental closure does not destroy data. The timeline below matches the scheduled jobs that run nightly.

Stage 1 — Grace period (Days 0–30)

  • Closure is initiated by an authorized admin via a multi-step confirmation flow that requires re-authentication, the typed company name, the literal keyword “DELETE,” and an out-of-band email one-time code.
  • On confirmation we pause the Stripe subscription, revoke write access, and email all admins.
  • Any admin can self-service restore the account during this window.

Stage 2 — Retention (Days 30–120)

  • If the grace window expires, a scheduled job sets the company to a soft-deleted state and cancels the Stripe subscription.
  • Self-service restore is no longer available; you may contact support@quoining.com to request administrator-mediated recovery during this 90-day retention window.

Stage 3 — Permanent deletion (Day 120+)

  • A scheduled job hard-deletes company-scoped records via schema discovery against the database.
  • Immutable audit-log rows are retained with personal identifiers redacted (the foreign-key reference to the deleted company is nulled; the denormalized actor name and email survive for forensic integrity).
  • Once hard purge runs, restoration is no longer possible from production storage. Backups created before the purge expire according to the AWS RDS backup-retention window in effect at the time.

3. Individual Account Deletion

A natural-person user may delete their personal Quoining user record from Settings → Account → Delete my account. The flow requires re-authentication, typed “DELETE” confirmation, and an email one-time code. On confirmation, the user record, authentication credentials, sessions, 2FA secrets, trusted devices, password-reset tokens, and company memberships are removed via database cascade. Attribution on records the user created (bills, invoices, journal entries) is anonymized via database-level SET NULL; the records themselves remain under the company owner's custody. Audit-log rows preserve denormalized actor name and email so the audit trail itself survives. Erasure is blocked by the Service if the user is the sole administrator of any non-closed company; the user must transfer administration or close those companies first.

4. Legal Retention Requirements

Certain data is retained beyond the stages above when required by law or appropriate business records principles:

  • Financial records and tax-related data:Retained for the periods required by IRS recordkeeping under IRC § 6001 (typically a minimum of 7 years from the applicable tax year, depending on the record type).
  • Audit logs: Retained on an indefinite, immutable basis for forensic integrity and to support any required investigations or audits. Personal identifiers in audit rows are redacted on company-account deletion.
  • Billing records: Retained for 7 years after the end of the subscription for tax and accounting purposes.
  • Legal hold: Data subject to litigation hold or regulatory preservation order is retained until the hold is released.

5. Backups

The production database is backed up automatically with point-in-time recovery. Backups are encrypted at rest. The active backup-retention window reflects current operating posture and may change as the Service matures; any change is reflected in our overall security posture rather than in this page. Data that has been hard-purged from production storage will age out of backups as those backups expire.

6. Data Export

You may export your data at any time from Settings → Account. The full data export includes profile, company configuration, chart of accounts, entity data, and accounting records in JSON. Most in-app tables also expose CSV and PDF export from the UI, supported planning and reporting surfaces may expose Excel workbook exports, and the Public API exposes structured JSON access. Exported files, including `.xlsx` workbooks, are controlled by you after download and are not deleted from your devices or third-party tools when Quoining data is deleted. We recommend exporting any data you wish to retain before initiating account closure.

7. Consumer Deletion Requests

Where US state privacy law gives you a right to deletion, email privacy@quoining.com. We will acknowledge within 10 business days and respond substantively within 45 calendar days (extendable by an additional 45 days with notice), subject to the legal retention requirements above. See the Privacy Policy for the full list of consumer rights.

8. Automated Token & Session Cleanup

The following data is purged automatically:

  • Rate-limit entries: purged after 24 hours.
  • Password-reset tokens: expire after 1 hour.
  • Email-verification tokens: expire after 24 hours.
  • Two-factor verification sessions: expire after 10 minutes.
  • Internal impersonation cookies: expire after 5 minutes.
  • Authenticated sessions: invalidated on password change and on user-initiated sign-out.

9. Policy Review

This policy is reviewed periodically. Material changes will be communicated by email to active account admins at least 30 days before they take effect.

Contact

For questions about data retention, contact privacy@quoining.com.