Data Retention Schedule
Last Updated: April 20, 2026
This schedule describes how long LVRS FRVR retains different categories of personal information, what triggers deletion, and the legal basis for retention. It supplements our Privacy Policy.
We hold data only as long as we need to. When the retention window expires or you ask us to delete your information, we remove it from active systems within 30 days and from backups within 90 days.
Retention Table
| Category | Description | Retention Window | Deletion Trigger | Legal Basis |
|---|---|---|---|---|
| Account Identifiers | Email, name, phone, OAuth IDs, hashed password | Lifetime of account, then 30 days after deletion request | Account deletion request via in-app or email | Contract performance, legitimate interests, legal obligation |
| Date of Birth | Age verification record | Lifetime of account, then 30 days after deletion | Account deletion request | Legal obligation (18+ gate) |
| Partner Connection | Couple links, invite codes, partner emails | Lifetime of account, then 30 days after deletion. Note: partner records require partner confirmation per Disconnection Protocol. | Couple disconnection or both accounts deleted | Contract performance, legitimate interests |
| Daily Activity (Sparks, Streaks, LXP) | Completion records, badges, freeze tokens | Lifetime of account, then 30 days after deletion | Account deletion request | Contract performance |
| Journal Entries | Personal reflections, weekly check-in responses | Lifetime of account, then 30 days after deletion. Encrypted at rest. | Account deletion request or specific entry deletion | Contract performance, explicit consent for sensitive personal information |
| Pulse Check / Drift Check Responses | Relationship assessment answers and computed scores | Lifetime of account, then 30 days after deletion | Account deletion request | Contract performance, explicit consent |
| Consent Records | Three-tier consent decisions, version history, audit trail | 7 years after last activity (audit and litigation hold) | Time-based purge | Legal obligation, statute of limitations |
| Privacy Opt-Out Requests | Do Not Sell, Do Not Share, Limit SPI requests | 7 years after request closure | Time-based purge | Legal obligation (CCPA/CPRA recordkeeping) |
| Payment and Billing | Stripe customer ID, subscription status, transaction IDs | 7 years after last transaction | Time-based purge | Legal obligation (tax, IRS) |
| Email Delivery Logs | Open events, click events, bounce status (Resend) | 12 months after send | Time-based purge by Resend | Legitimate interests (deliverability) |
| SMS Delivery Logs | Phone, message body, delivery status (Twilio) | 13 months after send | Time-based purge by Twilio | Legitimate interests (carrier compliance) |
| Server / Application Logs | IP address, user agent, request paths, error traces | 30 days hot, 90 days cold archive | Time-based rotation | Security, legitimate interests |
| Analytics Events (GA4, Meta Pixel) | Anonymized usage events, feature engagement (consent-gated, GPC-respected) | 14 months (GA4 default), Meta Pixel per Meta retention | Time-based purge | Legitimate interests (product improvement) |
| Backups | Database backups | Up to 90 days after deletion is performed in production | Backup rotation | Disaster recovery (legitimate interests) |
| Anonymized Aggregate Research Data | Statistics, trend data, derived metrics with no PII | Indefinite (cannot be linked back to individuals) | Not applicable | Tier 2 consent at point of collection; data fully de-identified after aggregation |
How to Request Earlier Deletion
You can request deletion at any time:
- In the app: Settings, Account, Delete Account
- By email: privacy@lvrsfrvr.com with subject line "Deletion Request"
- Through the partner-aware Disconnection Protocol if both partners are involved
Some categories must be retained for legal reasons (consent records, payment records, opt-out records). For those categories, we will mark the records as restricted from any further processing rather than delete them, except where the law requires deletion.
Backup and Recovery
Daily backups of the production database are retained for up to 90 days for disaster recovery. After a deletion request is processed in production, your data may persist in backups until those backups age out. We do not restore deleted personal information from backups except in the event of a verified data loss incident, and we re-apply pending deletion requests immediately after any restore.
Anonymized Aggregate Data
Aggregate statistics, trend lines, and other derived metrics that have been irreversibly de-identified are not subject to a retention window. Once aggregated to a level that satisfies our 50-couple k-anonymity threshold, the data cannot be linked back to any individual and is retained for ongoing research purposes. Withdrawing your Tier 2 consent removes your individual contributions from any future aggregation, but cannot recall published aggregates.
Review Cadence
We review this schedule annually and whenever new data categories or processing activities are introduced. The "Last Updated" date reflects the most recent review.