Data Retention Policy
Last updated: February 2026
Overview
PayProof retains your data only as long as necessary to provide our services, comply with legal obligations, and resolve disputes. This policy outlines what we keep, how long we keep it, and what happens when data is deleted.
Retention Schedule
| Data Type | Retention Period | Reason |
|---|---|---|
| Account information | Until account deletion | Service delivery |
| CV / Resume files | Until deactivated or account deletion | Job matching service |
| Messages | 1 year from last activity | Communication history |
| Job offers & responses | 2 years from creation | Service history, dispute resolution |
| Wallet transactions | 7 years | Financial regulations (EU Directive 2006/112/EC) |
| Salary submissions | Anonymized after account deletion; aggregate data kept indefinitely | Market transparency |
| Bid war history | 2 years | Audit trail, dispute resolution |
| In-app notifications | 30 days (read), 90 days (unread) | User experience |
| Authentication tokens | Access: 15 minutes, Refresh: 30 days | Security |
| Server logs | 90 days | Security monitoring, debugging |
What Happens When You Delete Your Account
When you request account deletion via Settings → Delete Account, we process your request within 48 hours. Here is what happens:
Immediately deleted: Profile data, CV files, messages, notifications, job offers, responses, refresh tokens, bid war configurations.
Anonymized: Salary submissions (userId replaced with “deleted_user”, marked anonymous). This preserves aggregate market data while removing your identity.
Retained for legal compliance: Wallet transactions are anonymized but retained for 7 years per EU financial record-keeping requirements.
Your Rights
Under GDPR (Articles 15-20), you have the right to:
Access: Download all your data at any time via Settings → Export My Data.
Rectification: Update your profile, CV, and preferences at any time.
Erasure: Request full account deletion via Settings → Delete Account.
Portability: Export your data in machine-readable JSON format.
Object: Contact us to object to specific processing activities.
Automated Data Cleanup
We run automated cleanup processes to minimize data retention. Read notifications older than 30 days are automatically deleted. Expired authentication tokens are purged daily. Stale magic link tokens are cleaned every 24 hours. These processes run without manual intervention to ensure compliance by default.
Questions or Requests
For data retention questions or special deletion requests, contact our Data Protection Officer at privacy@payproof.co. We respond to all requests within 30 days as required by GDPR Article 12.