Payout Close Data Retention and Handling Standard
Version: 1.0
Effective date: March 28, 2026
Owner: Erythreia
1. Objective
This standard defines the minimum operational rules for retaining, deleting, sanitizing, and securing personal data and protected customer data used by Payout Close.
2. Core rules
- Process only the minimum data required for payout reconciliation and merchant-deliverable close outputs.
- Do not request or store name, email, phone, or address fields unless a separately reviewed feature makes them strictly necessary.
- Keep production data and development/test data separate.
- Do not commit raw live merchant captures to Git-tracked paths intended for long-term retention.
- Use sanitized or synthetic fixtures for long-lived automated tests wherever feasible.
- Encrypt production data in transit and at rest.
- Restrict access to personal data to authorized personnel only.
3. Retention schedule
3.1 App session records
- Retain while required for app operation.
- Delete after uninstall or after a limited inactive period, unless longer retention is strictly required for security or legal reasons.
3.2 Generated payout outputs
- Generate on demand.
- Do not persist by default after delivery to the merchant.
- If temporary storage or caching is necessary, delete promptly after successful delivery or operational expiry.
3.3 Temporary diagnostic captures
- Allowed only when reasonably necessary for merchant-authorized support, debugging, validation, or reconciliation investigation.
- Store only the minimum subset required to investigate the issue.
- Delete or sanitize within 30 days of capture, and sooner when no longer needed.
- Never keep temporary captures indefinitely.
3.4 Test fixtures
- Long-lived fixtures must be sanitized or synthetic.
- Direct production/live merchant data must not remain in long-lived test fixtures without explicit documented necessity and a defined sanitization plan.
3.5 Support records
- Retain only as long as reasonably necessary to resolve the issue, maintain support history, or comply with legal obligations.
- Standard target retention: 24 months maximum, unless a shorter period is sufficient.
3.6 Compliance and legal records
- Retain only for as long as reasonably necessary to document legal compliance, security actions, or dispute handling.
4. Deletion and sanitization requirements
When data reaches the end of its retention period, one of the following actions must occur:
- delete it permanently
- anonymize it so it can no longer reasonably identify or relate to a person
- sanitize it for test use by removing or replacing live identifiers and reducing the data to the minimum structure needed for testing
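One way to implement the sanitization path above (together with the 30-day limit on diagnostic captures from section 3.3), as an added example in Python that is not part of Payout Close's own code: it reduces a constructed diagnostic capture to a fixed minimum fixture schema, drops name, email, phone and address fields wherever they occur in the structure, replaces live identifiers with keyed pseudonyms so the link between a payout and its orders survives, and refuses to emit a fixture if any prohibited field remains. The fixture schema, the field names in the sample capture and the fixture key are assumptions made for this example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Fields the standard forbids storing at all (core rules, section 2).
PROHIBITED_FIELDS = {"name", "email", "phone", "address"}

# Live identifiers a fixture still needs structurally; their real values are
# replaced with stable pseudonyms so relationships between records survive.
LIVE_IDENTIFIER_FIELDS = {"merchant_id", "payout_id", "order_id", "transaction_id"}

# Minimum structure a reconciliation test needs (assumed for this example).
# A nested dict means "recurse with this sub-schema"; None means "copy value".
FIXTURE_SCHEMA = {
    "merchant_id": None,
    "payout_id": None,
    "currency": None,
    "amount_cents": None,
    "status": None,
    "orders": {"order_id": None, "transaction_id": None, "amount_cents": None},
}

CAPTURE_MAX_AGE = timedelta(days=30)  # section 3.3 limit for diagnostic captures

# Fixture-only secret, constructed for this example; never a production key.
FIXTURE_KEY = b"example-fixture-key-not-a-real-secret"


def pseudonymize(value, key=FIXTURE_KEY):
    """Map a live identifier to a stable, non-reversible token (keyed HMAC)."""
    digest = hmac.new(key, str(value).encode(), hashlib.sha256).hexdigest()
    return "test_" + digest[:12]


def sanitize(record, schema=FIXTURE_SCHEMA, key=FIXTURE_KEY):
    """Reduce a capture to the fixture schema, dropping everything else and
    pseudonymizing live identifiers along the way."""
    out = {}
    for field, sub_schema in schema.items():
        if field in PROHIBITED_FIELDS or field not in record:
            continue
        value = record[field]
        if isinstance(sub_schema, dict):
            if isinstance(value, list):
                out[field] = [sanitize(item, sub_schema, key) for item in value]
            else:
                out[field] = sanitize(value, sub_schema, key)
        elif field in LIVE_IDENTIFIER_FIELDS:
            out[field] = pseudonymize(value, key)
        else:
            out[field] = value
    return out


def find_prohibited(obj, path=""):
    """Return the paths of any prohibited fields anywhere in a nested structure."""
    hits = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            here = f"{path}.{k}" if path else k
            if k in PROHIBITED_FIELDS:
                hits.append(here)
            hits.extend(find_prohibited(v, here))
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            hits.extend(find_prohibited(item, f"{path}[{i}]"))
    return hits


def capture_expired(captured_at_iso, now_iso=None):
    """True once a diagnostic capture has reached the 30-day limit."""
    captured_at = datetime.fromisoformat(captured_at_iso)
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    return now - captured_at >= CAPTURE_MAX_AGE


# Constructed sample capture: shaped like a support capture, all values fake.
SAMPLE_CAPTURE = {
    "captured_at": "2026-03-01T10:00:00+00:00",
    "merchant_id": "m_48213",
    "payout_id": "po_99001",
    "currency": "USD",
    "amount_cents": 125000,
    "status": "paid",
    "support_ticket": "T-7731",
    "merchant_contact": {"name": "Example Owner", "email": "owner@example.com"},
    "orders": [
        {"order_id": "o_1001", "transaction_id": "t_5001", "amount_cents": 75000,
         "customer": {"name": "Example Buyer", "email": "buyer@example.com", "phone": "+10000000000"}},
        {"order_id": "o_1002", "transaction_id": "t_5002", "amount_cents": 50000,
         "customer": {"name": "Another Buyer", "address": "1 Example St"}},
    ],
}


def build_fixture(capture=SAMPLE_CAPTURE):
    """Sanitize a capture and fail closed if anything prohibited survives."""
    fixture = sanitize(capture)
    leftovers = find_prohibited(fixture)
    if leftovers:
        raise ValueError(f"prohibited fields survived sanitization: {leftovers}")
    return fixture


if __name__ == "__main__":
    print(json.dumps(build_fixture(), indent=2))
    print("capture expired:", capture_expired(SAMPLE_CAPTURE["captured_at"]))
```

The schema-driven approach is deliberate: an allow-list of fields that the fixture may contain is safer than a deny-list of fields to strip, because a new field added to a capture (a note, a free-text comment) is dropped by default rather than leaking into a long-lived test. The final `find_prohibited` pass is a belt-and-braces check so a schema mistake cannot silently keep live identifiers in a committed fixture.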
5. Security requirements
- Use TLS or equivalent encryption for data in transit.
- Use infrastructure with encryption at rest for production data stores.
- Apply least-privilege access.
- Restrict access to authorized personnel.
- Keep logs sufficient to investigate access and security events.
6. Review
This standard must be reviewed whenever:
- the app begins processing additional protected customer fields
- a new storage system is introduced
- a new support/debug workflow stores merchant data
- Shopify requirements materially change
- a security or privacy incident occurs