data retention

How long we keep it, and how we let go.

Keep data only as long as it serves a legitimate purpose, dispose of it securely when that purpose ends, and give users clear control over their own data.

Effective · April 25, 2026
Last updated · April 25, 2026

section 01

Purpose and scope

This policy defines how long Carlo Finance (“Carlo”) retains each category of user data and how that data is disposed of when it is no longer needed. It applies to all data collected through the Carlo application, including data received from third-party services like Plaid.

The goals are straightforward: keep data only as long as it serves a legitimate purpose, dispose of it securely when that purpose ends, and give users clear control over their own data.

section 02

Data categories and retention periods

The following table summarizes retention periods for each category of data we handle:

| Category | Retention | Disposal method |
| --- | --- | --- |
| Plaid account data: Account info, balances, transactions | Duration of active account + 30 days | Database deletion + backup rotation |
| Financial projections and scenarios: Simulation results, what-if outputs | Duration of active account | Database deletion |
| User profile and goals: Income, savings targets, retirement timeline | Duration of active account + 30 days | Database deletion |
| Authentication credentials: Hashed passwords, session tokens, Plaid access tokens | Duration of account; immediate on deletion | Cryptographic erasure |
| Usage and analytics data: Pages visited, features used, interaction patterns | 24 months rolling | Automated purge |
| Server logs: IP addresses, request logs, error logs | 90 days | Automated purge |
| AI prompts and responses: Natural-language requests, model-generated text and structured outputs stored in your account | Duration of active account + 30 days | Database deletion + backup rotation |
| AI request metadata: Model used, latency, error state, token counts, request ID | Duration of active account + 30 days | Database deletion + backup rotation |
| AI Gateway inference payloads: Transient prompts and responses processed through AI Gateway and Gateway-routed ZDR model infrastructure | Not retained by AI Gateway or routed model infrastructure when ZDR enforcement succeeds; request fails if no ZDR route is available | No external disposal cycle; product copies remain only in Carlo-controlled storage |
| Support communications: Email threads, in-app support messages | 2 years after resolution | Manual deletion |

section 03

User-initiated deletion

You have the right to request deletion of your data at any time. Here is how it works:

How to request deletion

  • In-app — use the account settings page to request account deletion directly (available at launch).
  • Email — send a request to privacy@carlo.finance from the email address associated with your account.

What happens next

  • We verify your identity and acknowledge the request within 5 business days.
  • All personal and financial data is deleted from production systems within 30 days of the verified request.
  • Plaid access tokens are revoked immediately, severing the connection to your financial institutions.
  • Backups containing your data are purged within 30 days of the deletion request (see Backup Retention below).
  • The natural-language prompts and AI-generated responses tied to your account are deleted within 30 days. AI Gateway requests are sent with zero data retention enforcement, so Gateway and routed model infrastructure process inference payloads transiently rather than retaining them on an external cycle.
  • We send you a confirmation email once deletion is complete.

What we cannot delete

Aggregate, de-identified data that has been stripped of all personal identifiers and cannot be linked back to you may be retained for product analytics. This data cannot identify you.

section 04

Account closure process

When you close your Carlo account:

  1. Immediate — your account is deactivated. You can no longer log in or access simulations.
  2. Immediate — all Plaid access tokens are revoked. Your financial institutions are disconnected from Carlo.
  3. Within 30 days — all personal data, financial data, projections, and profile information are deleted from production databases.
  4. Within 30 days — your data is purged from backup systems as backup rotation completes.
  5. Confirmation — you receive an email confirming that account closure and data deletion are complete.

section 05

Backup retention and disposal

Database backups are an essential part of our disaster recovery plan. Here is how they interact with data deletion:

  • Backup schedule — production databases are backed up daily. Backups are encrypted at rest using the same encryption standard as the production database.
  • Backup rotation — backups are retained on a rolling basis. Older backups are automatically replaced as new ones are created.
  • Deletion requests — when a user requests data deletion, their data is purged from backups within 30 days as the backup rotation cycle completes. We do not selectively delete individual records from encrypted backups; instead, we rely on the rotation cycle to ensure complete removal.
  • Restoration safeguard — if a backup containing deleted user data must be restored for disaster recovery purposes, we re-apply pending deletion requests immediately after restoration.

section 06

AI Gateway retention

The retention periods above describe data Carlo holds. Carlo uses Vercel AI Gateway as its AI provider layer for natural-language features. Carlo configures every Gateway request with zero data retention enforcement, the strongest privacy posture available for our AI inference path.

  • ZDR enforcement — AI Gateway requests are sent with zero data retention enabled. If a requested model has no ZDR-compliant route, the request fails instead of routing through non-ZDR model infrastructure.
  • Gateway deletion — Vercel states that AI Gateway does not retain prompts, outputs, or sensitive data, and deletes user data after requests complete.
  • Gateway routing eligibility — Vercel identifies which model routes are eligible for ZDR routing through AI Gateway, and excludes non-ZDR routes when the option is enabled.

When you delete your Carlo account, Carlo deletes stored prompts and AI-generated responses from Carlo-controlled systems according to the schedule above. Gateway-routed model handling for new AI requests is transient under ZDR enforcement and is not retained outside Carlo-controlled storage.

For Gateway ZDR references, see our Privacy Policy.

section 07

Exceptions

In limited circumstances, we may retain data beyond the periods listed above:

  • Legal holds — if we receive a legal preservation request (litigation hold, government investigation), we will retain relevant data for the duration of the hold, even if it exceeds our standard retention period.
  • Regulatory requirements — certain financial regulations may require us to retain specific categories of data for longer than our standard periods. If this applies, we will retain only the minimum data required and delete it as soon as the regulatory obligation ends.
  • Fraud prevention — data associated with accounts flagged for fraud or abuse may be retained for up to 3 years after account closure to support fraud prevention and investigation.

In all exception cases, we apply the same security controls to retained data as we do during normal retention.

section 08

Policy review

This Data Retention & Disposal Policy is reviewed at least annually. Reviews assess:

  • Whether retention periods remain appropriate for current product functionality and regulatory requirements.
  • Whether disposal methods remain adequate given current data storage technologies.
  • Whether new data categories have been introduced that need retention schedules.
  • Whether any regulatory changes require adjustments to retention or disposal practices.

The next scheduled review is April 2027.

section 09

Responsible parties

  • Policy owner — the CTO is responsible for maintaining this policy and ensuring that retention and disposal practices are implemented as described.
  • Implementation — automated purge jobs for analytics data and server logs are managed by the engineering team. Manual deletion processes (support communications) are tracked and executed by the responsible team member.
  • Compliance verification — retention compliance is verified during the annual policy review. As the team grows, this will be incorporated into our planned SOC 2 audit cycle.

section 10

Contact

Questions about this policy or requests related to data retention and deletion:

Carlo Finance

Email: privacy@carlo.finance

Website: carlo.finance