Data Retention and Disposal Policy

Last updated: Apr 17, 2026

Softserve Software LLC
Purpose and Scope

This Data Retention and Disposal Policy describes how Softserve Software LLC (“we,” “our,” or “us”) retains, archives, and securely disposes of data processed by the car storage facility management software and related services (the “Service”).

This policy applies to all customer data, account data, system logs, backups, and operational records held by us or by the third-party providers we use to deliver the Service.

It should be read together with our Privacy Policy, Information Security Policy, Access Controls Policy, and Terms of Service.

Guiding Principles
  • Retain only what is needed. We keep data for only as long as it is necessary to deliver the Service, meet legal or contractual obligations, resolve disputes, and enforce our agreements.
  • Purpose limitation. Data is retained for the purposes for which it was collected, as described in our Privacy Policy.
  • Customer control. Customers can request export or deletion of their data at any time, subject to legal holds and the exceptions described below.
  • Secure disposal. When data is no longer required, it is deleted or irreversibly anonymized using controls appropriate to its sensitivity.
Retention Schedule

The following table summarizes how long each category of data is retained. Where a provider imposes a minimum or maximum retention window, that window also applies.

Data CategoryRetention PeriodRationale
Customer account and profile dataLife of the account, plus up to 90 days after terminationProvide the Service; allow reactivation; complete offboarding
Vehicle records, photos, inspections, and facility operational dataLife of the account, plus up to 90 days after termination (longer on customer request)Deliver the Service; support customer record-keeping; resolve disputes
Contracts, invoices, and other financial recordsAt least 7 years from creationTax, accounting, and audit
Payment tokens and transaction metadataAs required to reconcile payments; card/bank numbers are stored by the PCI-compliant payment processor, not by usTransaction reconciliation; chargeback defense
Customer communications (emails, SMS, voicemails, call recordings/transcripts where enabled)Life of the account, plus up to 90 days after terminationCustomer record-keeping; support; dispute resolution
Authentication data (session tokens, magic-link tokens)Short-lived; magic links expire within minutes; sessions expire on a rolling basisSign-in security
Application, request, and access logsUp to 90 days, in line with our providers' default retention windowsOperational troubleshooting; security investigation
Error and exception reportsUp to 90 daysDiagnose and remediate application issues
Database backups (point-in-time recovery window)Rolling window per the managed database provider (typically up to 30 days)Disaster recovery; accidental-deletion recovery
Aggregated or anonymized analyticsIndefinitelyService improvement; does not identify individuals
Marketing subscribersUntil the subscriber unsubscribes or requests deletionProduct updates and marketing communications

Where a customer contract or applicable law specifies a different retention period, that period controls.

Account Termination and Data Export
  • Customers may request an export of their data at any time during the life of the account.
  • On account termination, we retain the customer's data for up to 90 days to allow reactivation and final export, unless the customer requests earlier deletion.
  • After the 90-day post-termination window, customer data is deleted from the primary application database and object storage, subject to the legal-hold, backup, and record-keeping exceptions described below.
  • Data in encrypted backup snapshots is overwritten as those snapshots age out of the provider's rolling retention window.
Individual Deletion Requests
  • Individuals may request deletion of their personal information by contacting us at the email address below or, where the request relates to data held by a customer (for example, a facility's record of its own customer), directly through that customer.
  • We will verify the identity of the requester and respond within the time required by applicable law.
  • We may decline or limit a deletion request where retention is required for legal, accounting, tax, fraud-prevention, security, or dispute-resolution purposes, or where the data is held by us on behalf of a customer who has not authorized the deletion.
Legal Holds and Retention Exceptions

We may retain data beyond the standard periods described above where doing so is necessary to:

  • Comply with legal, tax, accounting, or regulatory obligations.
  • Preserve information subject to a litigation hold, subpoena, or government request.
  • Resolve disputes, defend claims, or enforce our agreements.
  • Investigate or prevent fraud, security incidents, or abuse of the Service.

Data subject to a legal hold is preserved until the hold is released, after which it is disposed of under this policy.

Disposal Methods

Structured Data

  • Records in the managed Postgres database are deleted through application operations or database commands. The underlying storage is reclaimed by the managed provider.
  • Where appropriate, sensitive fields are overwritten with null values or anonymized tokens before row deletion to reduce exposure in interim backups.

Files and Media (Object Storage)

  • Photos, documents, and other uploaded files are deleted from our managed object storage provider. The provider reclaims the underlying storage and destroys the encryption keys associated with deleted objects.
  • References to the deleted files are removed from the database.

Cache and Ephemeral Storage

Short-lived data in our managed key-value cache is automatically expired based on time-to-live settings and is not used as a system of record.

Backups

Encrypted database backups are retained within the managed provider's rolling recovery window. Individual records are not selectively removed from historical backups; instead, deleted data is overwritten naturally as older backups age out of the window. Restoration from backup is performed only when necessary, and any deletion requests honored before restoration are re-applied afterward.

Third-Party Provider Data

Data held by third-party providers (for example, email, SMS and voice, payments, AI, and error monitoring) is disposed of in accordance with those providers' published retention and deletion practices. We configure those providers to retain only what is necessary to deliver the Service.

Physical Media and Endpoints

We do not operate on-premise servers. Personnel devices used to access production systems are protected by full-disk encryption. When a device is retired, storage is wiped using the operating system's secure-erase facility or the device is physically destroyed.

Records of Disposal
  • Automated deletion events performed through the application and its providers are reflected in application and provider logs.
  • For customer-initiated bulk deletion or account closure, we can provide written confirmation to the customer on request.
Exceptions and Enforcement

Any exception to this policy must be approved in writing by Softserve Software LLC management and documented with a justification. Violations may result in revocation of access, termination of the relationship, and legal action where appropriate.

Review and Updates

This Data Retention and Disposal Policy is reviewed at least annually and updated when material changes are made to the Service, our providers, or applicable law. The “Last updated” date at the top of this page indicates when it was most recently revised.

Contact Us

To request export or deletion of your data, or to ask questions about this policy, contact:

Softserve Software LLC

Email: matt@softservesoftware.com

Address: 3343 Port Royale Dr S, Fort Lauderdale, FL 33308

View Privacy Policy →View Information Security Policy →View Access Controls Policy →