1. Purpose
This policy sets out how long budgii retains different categories of Personal Data, when and how data is deleted, and the circumstances in which retention periods may be extended or shortened. It is designed to meet the storage-limitation requirements of UK GDPR Article 5(1)(e), the EU GDPR, Australian Privacy Principle 11.2, New Zealand Information Privacy Principle 9, and the deletion and retention provisions of applicable US state consumer privacy laws.
2. Principles
Our retention practices follow these principles:
- We retain Personal Data only for as long as necessary for the purposes for which it was collected.
- Retention periods are set by reference to the nature of the data and the legal, operational, or security reasons for keeping it.
- When retention expires, data is deleted or anonymised to the point it can no longer identify a natural person.
- We delete Personal Data earlier on valid user request, subject to any retention required by law.
- We keep the minimum data necessary for the shortest reasonable period.
3. Retention schedule
The following table sets out standard retention periods by data category. Where a jurisdictional variation applies, the longer statutory period controls.
| Term | Meaning |
|---|---|
| Account profile data (adult) | Name, email, login credentials, preferences. Retained for the life of the account, then deleted within 60 days of account closure (120 days from backups). |
| Child profile data | First name or nickname, age or age bracket, avatar, development goals. Retained while the Child is on the account. On removal, deleted within 60 days (120 days from backups). |
| Activity data (to-dos, Coins, Chain, rewards) | Retained for the life of the account to allow longitudinal analysis and historical reports. Deleted within 60 days of account closure (120 days from backups). |
| Nest Reports | Monthly reports retained for the life of the account, available to the adult account holder. Deleted with the account on closure. |
| Nest Report prompt and response logs | The prompt sent to the AI provider and the response returned are retained for up to 30 days for operational debugging, then deleted. Not linked to the Child's profile by name. |
| Billing and subscription data | Retained for the life of the account plus 7 years from the end of the financial year in which the transaction occurred, to satisfy tax and accounting obligations in Australia (Income Tax Assessment Act 1936, GST Act) and equivalent obligations in other jurisdictions. |
| Payment card data | Not stored by budgii. Processed by Stripe as a separate Controller; refer to Stripe's retention policies. |
| Server access logs and security logs | Retained for up to 90 days for security investigation purposes, then deleted. May be retained longer where required for an active investigation or legal hold. |
| Support and customer service correspondence | Retained for up to 3 years after the last interaction, then deleted. Tickets relating to disputes or complaints may be retained longer. |
| Marketing and newsletter subscriptions | Retained until the user unsubscribes. Unsubscribe records retained for 2 years to prevent re-enrolment in error. |
| Consent records | Retained for the life of the account plus 6 years after account closure, as a defensive record of the lawful basis of processing. |
| IP addresses | Retained for security monitoring for up to 90 days, separate from user profile data. |
| Cookies and analytics data | Retained for the period set out in the Privacy Policy's cookies section. First-party analytics data is retained for up to 13 months and then aggregated or deleted. |
| Device identifiers | Retained for the period a device remains linked to the account. Deleted when the device is unlinked or the account is closed. |
4. What happens on account closure
An account is considered closed when:
- The adult account holder requests deletion through the in-app settings or by email.
- A subscription is cancelled and is not reactivated within 180 days.
- We terminate the account for a material breach of the Terms of Service or this policy.
On account closure we:
- Disable login immediately.
- Retain the data for 30 days in a recovery-eligible state, during which the adult account holder may reactivate.
- After 30 days, delete the data from active systems within 60 days total.
- Purge residual data from backup systems within 120 days total.
- Send the account holder a written confirmation of deletion within 7 days of active-system deletion completing.
5. Backup retention
Backups are retained for up to 120 days to meet business continuity and disaster recovery objectives. Backups are encrypted, access-controlled, and not used for any purpose other than recovery.
When data is deleted from active systems, it remains in backups until the backup expires in the ordinary course. We do not selectively restore deleted data from backups.
6. Legal holds
A standard retention period may be extended for specific records that are subject to:
- A court order, subpoena, or similar legal process.
- An active investigation by a regulator or law enforcement agency.
- A pending or reasonably anticipated legal claim.
- A request to preserve records from a party with a legitimate interest in the matter.
When a legal hold is placed, only the specific records relevant to the matter are retained, and only for as long as the hold applies. Routine data of uninvolved users is not affected.
7. Children's data
Children’s data is subject to the same schedule as set out in Section 3, with the following additional protections:
- Where a Parent removes a Child from a household, the Child's data is deleted from active systems within 30 days (earlier than the default 60-day window).
- No Children's data is retained for marketing purposes, profiling, or any secondary use beyond providing the Services.
- Under COPPA, we retain Children's data only so long as reasonably necessary to fulfil the purpose for which it was collected, as required by 16 CFR § 312.10.
- A Parent may request deletion of any part of a Child's data at any time by emailing legal@budgii.io, and we will comply within the timeframes set out in Section 8.
8. Requesting deletion early
You can request deletion of your data earlier than the schedule above at any time:
- From within the app, through the Admin settings (close account or remove a Child).
- By emailing legal@budgii.io with your request.
Response times to deletion requests:
| Term | Meaning |
|---|---|
| Australia (Privacy Act) | Within 30 days of the request. |
| New Zealand (Privacy Act 2020) | Within 20 working days. |
| UK / EU (UK GDPR, GDPR) | Within one month, extendable by a further two months for complex requests with notice. |
| United States (CCPA and similar) | Within 45 days, extendable by 45 days with notice. |
We will confirm completion of the deletion and provide the date on which each system was cleared.
9. Anonymised data
We may retain aggregated or anonymised data derived from use of the Services, provided that such data cannot reasonably be used to identify any natural person. Anonymised data may be retained indefinitely for purposes including service improvement, research, and reporting.
10. Review
This policy is reviewed at least annually and updated to reflect changes in data use, technology, or law. The current effective date is at the top of this page.
11. Contact
Questions about retention or deletion:
Budgii PTY LTD
ABN 50 696 945 169 | ACN 696 945 169
Sydney, New South Wales, Australia