Data Retention and Disposal Policy
Last updated: Apr 17, 2026
Softserve Software LLCThis Data Retention and Disposal Policy describes how Softserve Software LLC (“we,” “our,” or “us”) retains, archives, and securely disposes of data processed by the car storage facility management software and related services (the “Service”).
This policy applies to all customer data, account data, system logs, backups, and operational records held by us or by the third-party providers we use to deliver the Service.
It should be read together with our Privacy Policy, Information Security Policy, Access Controls Policy, and Terms of Service.
- Retain only what is needed. We keep data for only as long as it is necessary to deliver the Service, meet legal or contractual obligations, resolve disputes, and enforce our agreements.
- Purpose limitation. Data is retained for the purposes for which it was collected, as described in our Privacy Policy.
- Customer control. Customers can request export or deletion of their data at any time, subject to legal holds and the exceptions described below.
- Secure disposal. When data is no longer required, it is deleted or irreversibly anonymized using controls appropriate to its sensitivity.
The following table summarizes how long each category of data is retained. Where a provider imposes a minimum or maximum retention window, that window also applies.
| Data Category | Retention Period | Rationale |
|---|---|---|
| Customer account and profile data | Life of the account, plus up to 90 days after termination | Provide the Service; allow reactivation; complete offboarding |
| Vehicle records, photos, inspections, and facility operational data | Life of the account, plus up to 90 days after termination (longer on customer request) | Deliver the Service; support customer record-keeping; resolve disputes |
| Contracts, invoices, and other financial records | At least 7 years from creation | Tax, accounting, and audit |
| Payment tokens and transaction metadata | As required to reconcile payments; card/bank numbers are stored by the PCI-compliant payment processor, not by us | Transaction reconciliation; chargeback defense |
| Customer communications (emails, SMS, voicemails, call recordings/transcripts where enabled) | Life of the account, plus up to 90 days after termination | Customer record-keeping; support; dispute resolution |
| Authentication data (session tokens, magic-link tokens) | Short-lived; magic links expire within minutes; sessions expire on a rolling basis | Sign-in security |
| Application, request, and access logs | Up to 90 days, in line with our providers' default retention windows | Operational troubleshooting; security investigation |
| Error and exception reports | Up to 90 days | Diagnose and remediate application issues |
| Database backups (point-in-time recovery window) | Rolling window per the managed database provider (typically up to 30 days) | Disaster recovery; accidental-deletion recovery |
| Aggregated or anonymized analytics | Indefinitely | Service improvement; does not identify individuals |
| Marketing subscribers | Until the subscriber unsubscribes or requests deletion | Product updates and marketing communications |
Where a customer contract or applicable law specifies a different retention period, that period controls.
- Customers may request an export of their data at any time during the life of the account.
- On account termination, we retain the customer's data for up to 90 days to allow reactivation and final export, unless the customer requests earlier deletion.
- After the 90-day post-termination window, customer data is deleted from the primary application database and object storage, subject to the legal-hold, backup, and record-keeping exceptions described below.
- Data in encrypted backup snapshots is overwritten as those snapshots age out of the provider's rolling retention window.
- Individuals may request deletion of their personal information by contacting us at the email address below or, where the request relates to data held by a customer (for example, a facility's record of its own customer), directly through that customer.
- We will verify the identity of the requester and respond within the time required by applicable law.
- We may decline or limit a deletion request where retention is required for legal, accounting, tax, fraud-prevention, security, or dispute-resolution purposes, or where the data is held by us on behalf of a customer who has not authorized the deletion.
We may retain data beyond the standard periods described above where doing so is necessary to:
- Comply with legal, tax, accounting, or regulatory obligations.
- Preserve information subject to a litigation hold, subpoena, or government request.
- Resolve disputes, defend claims, or enforce our agreements.
- Investigate or prevent fraud, security incidents, or abuse of the Service.
Data subject to a legal hold is preserved until the hold is released, after which it is disposed of under this policy.
Structured Data
- Records in the managed Postgres database are deleted through application operations or database commands. The underlying storage is reclaimed by the managed provider.
- Where appropriate, sensitive fields are overwritten with null values or anonymized tokens before row deletion to reduce exposure in interim backups.
Files and Media (Object Storage)
- Photos, documents, and other uploaded files are deleted from our managed object storage provider. The provider reclaims the underlying storage and destroys the encryption keys associated with deleted objects.
- References to the deleted files are removed from the database.
Cache and Ephemeral Storage
Short-lived data in our managed key-value cache is automatically expired based on time-to-live settings and is not used as a system of record.
Backups
Encrypted database backups are retained within the managed provider's rolling recovery window. Individual records are not selectively removed from historical backups; instead, deleted data is overwritten naturally as older backups age out of the window. Restoration from backup is performed only when necessary, and any deletion requests honored before restoration are re-applied afterward.
Third-Party Provider Data
Data held by third-party providers (for example, email, SMS and voice, payments, AI, and error monitoring) is disposed of in accordance with those providers' published retention and deletion practices. We configure those providers to retain only what is necessary to deliver the Service.
Physical Media and Endpoints
We do not operate on-premise servers. Personnel devices used to access production systems are protected by full-disk encryption. When a device is retired, storage is wiped using the operating system's secure-erase facility or the device is physically destroyed.
- Automated deletion events performed through the application and its providers are reflected in application and provider logs.
- For customer-initiated bulk deletion or account closure, we can provide written confirmation to the customer on request.
Any exception to this policy must be approved in writing by Softserve Software LLC management and documented with a justification. Violations may result in revocation of access, termination of the relationship, and legal action where appropriate.
This Data Retention and Disposal Policy is reviewed at least annually and updated when material changes are made to the Service, our providers, or applicable law. The “Last updated” date at the top of this page indicates when it was most recently revised.
To request export or deletion of your data, or to ask questions about this policy, contact:
Softserve Software LLC
Email: matt@softservesoftware.com
Address: 3343 Port Royale Dr S, Fort Lauderdale, FL 33308
Powered by carstoragesoftware.com