← Oktra · Privacy Policy · Service Disclaimer
Version 1.0 · Effective 2026-07-06 · Reviewed annually · Contact: privacy@oktra.ai
Oktra retains personal and financial data only as long as it is needed to provide the service or to meet a legal obligation, and disposes of it by defined, verifiable means. The customer's accounting platform remains the system of record; Oktra can re-derive its working state, so retention here is deliberately short.
| Data class | Where held | Retained | Disposal trigger |
|---|---|---|---|
| Connection credentials (OAuth tokens, API keys) | Per-connection encrypted vault | While the connection is active | Disconnection or offboarding: token revoked at the provider AND the connection's vault purged, in that order |
| Financial data retrieved via connected providers (transactions, balances, account metadata) | Production database | While the customer account is active | Erased within 30 days of customer offboarding or verified erasure request |
| Connection directory and metadata (tenant-connection binding, company names, external identifiers) | Production database | While the customer account is active | Erased with the customer account (same window as above) |
| Customer account data (users, settings) | Production database | While the customer account is active | Erased on offboarding, subject to §3 legal holds |
| Audit records of writes to customer financial systems | Append-only audit store | 7 years (statutory financial-records window, §3) | Aged out on schedule; retained independently of customer offboarding |
| Security/operational logs (vault access, sign-in, service logs) | Platform log stores | Per platform diagnostic retention settings, reviewed annually | Aged out automatically; contain no secrets by design |
| Backups | Platform backup schedules; image backups (on-premises) | Backup retention window only | Deleted data ages out of backups with the backup cycle; backups are not a retrieval path for erased customer data |
Where a statutory obligation requires retention beyond the table above, the specific records are retained for the statutory period and erased when it lapses. The 7-year audit-record window is anchored on financial-records obligations in both operating regions (EU bookkeeping-retention law and US tax record-keeping guidance). A legal hold suspends disposal for affected records only and is recorded with its lifting condition.
One process for everyone: verified erasure requests are honored within the 30-day window of §2 regardless of the requester's residency - account data, financial data, metadata, and connection secrets are disposed of per §4, and completion is recorded. Audit records and legally-held records are excluded per §3 and the requester is informed of the exclusion and its basis.
Jurisdictional mapping (the same process satisfies each regime):