Legal
Data Retention Policy
Last updated: April 2026
1. Purpose
This Written Data Retention Policy documents specific timeframes for which DaySteps LLC retains personal information collected through the DaySteps application, the business justifications for each period, and the processes by which data is deleted. Maintained in compliance with 16 CFR §312.10 (COPPA 2025 amendment, effective April 22, 2026), Quebec's Law 25, and PIPEDA.
Before parental consent, only minimal information is collected — the parent's email address and the child's nickname. No behavioral or activity data is collected prior to consent.
No data governed by this policy is collected before parental consent. Guest classroom session participants generate no data at all — nothing to retain.
2. Retention Schedule
| Data Category | Retention | Deletion Trigger | Enforcement Method | Justification |
|---|---|---|---|---|
| Active child profile and account data | Account duration + 30 days after deletion request | Parent deletion request or account deletion | Manual deletion via delete_account RPC. Fulfilled within 30 days of request. | 30-day grace period allows recovery from accidental deletion. |
| Routine completion and step data | 24 months | Rolling — older than 24 months | Automated daily pg_cron job at 02:00 UTC. | Longitudinal clinical insight value; 24 months captures meaningful developmental patterns. |
| Mood and reflection entries | 24 months | Rolling — older than 24 months | Automated daily pg_cron job at 02:00 UTC. | Mood-routine correlation requires longitudinal data. |
| Inactive account (all data categories) | 12 months of inactivity, then deleted | Inactivity threshold crossed | Warning email at 11 months. Hard delete at 12 months via automated pg_cron job at 03:00 UTC daily. | Industry standard (ClassDojo, Remind both use 12 months). COPPA 2025 requires defined threshold. |
| Consent records and audit logs | 7 years | No automatic deletion — manual review required | Excluded from cascade deletion by design. Append-only table. | FTC enforcement horizon. Regulatory requirement to demonstrate compliance. |
| Crash and error reports (Sentry) | 90 days | Sentry platform auto-purge | Configured in Sentry dashboard — no DaySteps action required. | Crash data has no value beyond 90 days. Reports are anonymized — no PII. |
| Authentication tokens (Apple/Google) | Not retained by DaySteps | N/A | Managed by Apple and Google respectively. | DaySteps stores no credentials. |
| Guest classroom session data | Not retained | N/A — nothing collected | N/A | COPPA-invisible. No data exists to retain. |
3. Deletion Processes and Enforcement
3.1 Automated Deletion — Daily Jobs
The following pg_cron jobs run automatically in the Supabase CA project every day without manual intervention:
| Job | Schedule (UTC) | What It Does |
|---|---|---|
| Rolling data deletion | 02:00 daily | Identifies completion records, step completion records, mood entries, and reflection events older than 24 months. Hard deletes those records while preserving the account and recent data. |
| Inactivity warning | 03:00 daily | Identifies active accounts with no activity in the preceding 11 months. Sends a warning email to the parent email address. Logs the warning event. |
| Inactivity deletion | 03:00 daily | Identifies active accounts with no activity in the preceding 12 months (and where a warning was sent at 11 months). Calls delete_account() RPC. Cascades to all associated child data. Logs deletion to deletion_audit table. |
Note: All automated deletions are logged to an internal deletion_audit table. Log entries record: deletion timestamp, trigger type, count of records deleted. Deletion audit logs are retained for 7 years.
3.2 Parent-Initiated Deletion
Parents may delete their account and all associated child data at any time. The process:
- Parent navigates to Settings > Delete Account in the DaySteps app
- Confirmation dialog: 'This will permanently delete [Child Name]'s account and all associated data. This cannot be undone.'
- Parent confirms → delete_account() Supabase RPC executes server-side
- Deletion completes on the server before the app returns success — no split-brain state
- Parent is signed out automatically
Parent deletion requests are fulfilled within 30 days. For requests received via email (privacy@daysteps.app), DaySteps will confirm completion in writing.
Consent records and audit logs associated with the account are retained for 7 years — these records contain no routine or behavioral data, only the fact and timestamp of consent events.
3.3 Revoked Connection Data
When a parent revokes a Care Team member's or teacher's access:
- The connection is immediately marked as revoked. Access terminates without delay.
- Historical data the authorized party previously viewed is not deleted from the parent's account — the parent retains it.
- The authorized party loses all access to the child's data immediately and permanently.
4. Data Residency
All DaySteps user data is stored in Canada (AWS ca-central-1, Montreal region) via Supabase Inc. No personal information is transferred outside Canada for primary storage.
Ancillary flows outside Canada (anonymized technical data only):
- Sentry: anonymized crash reports. No PII.
- Apple/Google: authentication tokens only. Not retained by DaySteps.
- Google Calendar: read-only metadata if parent enables integration. Not stored by DaySteps.
5. Parental Rights
Deletion requests fulfilled within 30 days. Revoke consent — all child data deleted within 48 hours. Contact: privacy@daysteps.app.
6. Policy Updates
Material changes to this policy will be communicated to parents through the app with 30 days' advance notice. The effective date above will be updated.