Data Retention Policy
Effective Date: May 27, 2026 · Last Updated: May 17, 2026
1. Purpose
This Data Retention Policy explains how long CaratCloud keeps different categories of data and what happens when the retention period ends. It applies to all data processed through the CaratCloud platform.
This policy works alongside our Privacy Policy and our Terms of Service. Where those documents specify a different retention period, the longest applicable period governs.
2. Retention Principles
We retain data only as long as needed to:
- Provide the service you contracted for
- Comply with legal, tax, accounting, and regulatory obligations
- Resolve disputes and enforce our agreements
- Maintain security, prevent fraud, and improve the product
When data is no longer needed for these purposes, we delete it or irreversibly anonymize it. We review this policy and our retention practices at least annually.
3. Retention Schedule
| Data Category | Retention Period | Notes |
|---|---|---|
| Active account data (inventory, customers, transactions, catalogs) | Duration of subscription | See Section 4 for what happens at cancellation |
| Account profile data (name, email, business info) | Subscription + 90 days | 90 days allows recovery from accidental deletion |
| Authentication credentials (password hashes, 2FA) | Duration of subscription | Deleted immediately on account deletion |
| Billing and invoice records | 7 years from invoice date | Required for US tax and accounting purposes (IRS guidance covers the 6-year substantial underreporting window plus a 1-year buffer for bad debt deductions) |
| Subscription payment metadata (last 4 digits, card brand) | Subscription + 7 years | Tied to billing records for tax compliance |
| Customer support tickets and communications | 3 years from ticket closure | For dispute resolution and quality improvement |
| Marketing communications history | 3 years from last interaction | Unsubscribe status retained indefinitely to honor opt-out |
| Application logs (errors, warnings) | 90 days | Rolling deletion |
| Security and access logs (auth, admin actions) | 1 year | Longer if part of an active security investigation |
| Backups | 30 days rolling | Encrypted; used solely for disaster recovery (see Section 7) |
| Analytics data (aggregated/de-identified) | Indefinitely | No longer personal data once irreversibly de-identified |
| Session recordings (Microsoft Clarity) | Per Microsoft's retention (up to 13 months) | Processed by Microsoft as independent data controller |
| Cookies (non-essential) | Max 12 months per cookie | Session cookies expire on browser close |
| Data from terminated trial accounts | 30 days after trial ends | Hard-deleted from production after 30 days |
| Marketplace integration tokens (Amazon, Etsy, Shopify) | Until disconnected or account deleted | Revoked at source on disconnect where possible |
4. What Happens When a Subscription Ends
When you cancel your CaratCloud subscription or your account is closed:
- Immediately: Your access to the platform is disabled.
- For 30 days after cancellation: Your account data is retained in a recoverable state. You can reactivate by contacting support@caratcloud.net and resuming your subscription.
- Day 31 through Day 90: Your business operational data (inventory, customer records, transactions, catalogs) remains available for export. You can request a full data export in CSV or JSON format during this window at no charge.
- After Day 90: Operational data is hard-deleted from production systems. Backups containing this data continue to age out under the 30-day backup retention. Billing records and minimum required identifiers are retained per the schedule above.
If you want immediate deletion before the 30/90-day periods elapse, email privacy@caratcloud.net with the subject line "Immediate Deletion Request" and we will accelerate deletion within 30 days, subject to legal retention requirements (such as billing records required for tax compliance).
5. Deletion Requests
You can request deletion of your personal information at any time by emailing privacy@caratcloud.net. We will:
- Verify your identity
- Identify all locations where your data is stored (production databases, backups, logs, sub-processors)
- Delete or irreversibly anonymize the data within 30 days, except where retention is required by law
- Confirm completion in writing
- Notify sub-processors to do the same
Some data may be retained beyond a deletion request if required by law (e.g., billing records for tax purposes for up to 7 years), if needed to resolve an active legal claim, or if anonymized such that it can no longer be linked to you.
GDPR data subjects: We will complete erasure from live systems within 30 days of a verified request. Backup copies may persist for up to an additional 30 days until they naturally cycle out. If data is restored from a backup, we will re-process outstanding deletion requests.
6. End Buyer Data (Data You Enter About Your Customers)
If you are a CaratCloud Customer, data you enter about your end buyers (your retail customers) is governed by your own retention practices, not ours. You are the data controller for this data; we are the data processor.
We retain end buyer data as long as your account is active. When your account is deleted, end buyer data follows the schedule in Section 4.
We recommend you maintain your own data retention policy for your end buyers, and that you delete end buyer records from CaratCloud when they are no longer needed for your business. If an end buyer contacts you with a deletion request, you can delete their records directly in CaratCloud or contact us for assistance.
7. Backups
Backups are encrypted and stored for 30 days on a rolling basis. We use backups solely for disaster recovery, not for ongoing operational access. If data is deleted from production, it will also age out of backups within 30 days.
We do not selectively delete individual records from backups; instead, we ensure that any restored data is re-processed to honor outstanding deletion requests. This approach is standard practice for encrypted backup systems and is consistent with GDPR guidance on backup-stored personal data.
8. Legal Holds
If we receive a valid legal hold, subpoena, court order, or regulatory request, we may preserve relevant data beyond standard retention periods for the duration of the hold. We will not disclose the content of preserved data except as legally required.
9. Changes to This Policy
We may update this Data Retention Policy. Material changes will be communicated by email or in-app notice at least 30 days before they take effect.
10. Contact
CaratCloud (operated by Viraj International Inc.)
62 W 47th St, Suite 310, New York, NY 10036
- Data retention questions: privacy@caratcloud.net
- Data export and deletion requests: privacy@caratcloud.net (use subject line "Data Export Request" or "Deletion Request")