Pane

Data Retention & Disposal Policy

Last updated: February 2026

Introduction

This policy describes how Pane retains, manages, and disposes of user data. Pane is a hosted MCP server connecting financial data to AI tools at pane.money. Our data retention practices are designed to balance service functionality with your privacy.

Data is retained only as long as necessary to provide the service. When you unlink institutions or delete your account, data is permanently removed immediately.

Data Categories and Retention Periods

User Account Data

  • Email, name, profile image
  • Account creation and update timestamps

Retention: Duration of active account

On deletion: Deleted immediately via cascading database delete

Authentication Data

OAuth provider tokens (Google)

Access tokens, refresh tokens, ID tokens. Retained while account is active. Deleted on account deletion.

Session tokens

JWE-encrypted cookies. Expire based on Auth.js configuration (default 30 days). Expired sessions cleaned automatically.

Magic link verification tokens

Expire after use or after their set expiration timestamp. Short-lived by design.

WebAuthn/passkey credentials

Retained while account is active. Deleted on account deletion via cascading delete.

Financial Data (Plaid)

Plaid access tokens

Encrypted (AES-256-GCM) and retained while the institution link is active. Deleted immediately when you unlink the institution or delete your account. The token is also revoked at the Plaid API on deletion.

Financial accounts

Names, types, balances. Retained while associated Plaid item is linked. Deleted immediately on unlink or account deletion.

Transactions

Synced via cursor-based approach, up to 730 days of history from Plaid. Retained while associated account is linked. Deleted immediately on unlink or account deletion.

Recurring transactions

Retained while associated account is linked. Deleted immediately on unlink or account deletion.

Investment holdings

NOT persisted to database. Fetched live from Plaid API. Cached in Redis for 15 minutes, then automatically evicted.

Liability details

NOT persisted to database. Fetched live from Plaid API. Cached in Redis for 1 hour, then automatically evicted.

Balance cache flag

Redis key with 4-hour TTL. Automatically evicted.

Transaction sync cursor

Retained with the Plaid item. Deleted on unlink.

Billing Data (Stripe)

  • Stripe customer ID and subscription ID
  • Subscription status and plan
  • Payment details (card numbers, billing address) are NOT stored by Pane. Managed entirely by Stripe.

Retention: While account is active. Deleted on account deletion.

API Keys (MCP)

  • API key hashes (bcrypt)
  • Key usage metadata (lastUsedAt)
  • Creation and revocation timestamps

Retention: Until revoked by you or account is deleted. Revoked keys remain in database with revokedAt timestamp (soft delete) for audit purposes. Hard-deleted on account deletion.

Analytics Data (PostHog, Optional)

When enabled, analytics data is sent to PostHog's servers and retained per PostHog's own retention policies. Pane does not store analytics data locally.

Error Tracking Data (Sentry, Optional)

When enabled, error reports are sent to Sentry's servers. Request bodies are scrubbed before sending. Pane does not store error tracking data locally. Sentry retains data per their own retention policies.

Temporary Data & Caching

Some data is cached temporarily in Redis for performance. All cached data is automatically evicted after its TTL expires.

Data Type | TTL | Storage
Balance refresh flag | 4 hours | Redis key balances:{userId}
Investment holdings | 15 minutes | Redis key investments:{userId} or investments:{userId}:{accountId}
Liability details | 1 hour | Redis key liabilities:{userId}:{type}
MCP session data | 30-minute idle timeout | Redis, cleaned every 5 minutes
MCP transport events | Session lifetime | Redis event store for SSE replay
Rate limit counters | 1 minute / 1 day | Redis counters per user

Cache is explicitly invalidated when Plaid webhooks indicate data has changed. MCP idle sessions are cleaned every 5 minutes with a 30-minute inactivity threshold.

Data Disposal Procedures

When You Unlink a Financial Institution

  1. All transactions for accounts in this Plaid item are permanently deleted
  2. All recurring transactions for accounts in this Plaid item are permanently deleted
  3. All financial account records for this Plaid item are permanently deleted
  4. The Plaid item record (including encrypted access token) is permanently deleted
  5. Redis cache for investments, liabilities, and balances is invalidated
  6. The Plaid access token is revoked at the Plaid API

This is immediate and irreversible.

When You Delete Your Account

  1. All Plaid access tokens are revoked at the Plaid API for each linked institution
  2. All transactions for the user are permanently deleted
  3. All recurring transactions for the user are permanently deleted
  4. All financial accounts for the user are permanently deleted
  5. All Plaid items for the user are permanently deleted
  6. All API keys for the user are permanently deleted
  7. All sessions for the user are permanently deleted
  8. All OAuth provider links for the user are permanently deleted
  9. All WebAuthn/passkey credentials for the user are permanently deleted
  10. All Redis cache entries for the user are invalidated
  11. The user record itself is permanently deleted

Database cascade deletes ensure no orphaned data remains. This is immediate and irreversible.

When a Subscription Is Canceled

  1. You lose access to subscription-gated features immediately
  2. Data is retained for 30 days (grace period for reactivation)
  3. After 30 days, all user data is purged following the account deletion procedure above

This 30-day window allows you to resubscribe without losing your data.

Encryption at Rest

  • Plaid access tokens: AES-256-GCM with unique IV and auth tag per token
  • API keys: Bcrypt hashed (cost factor 12). Plaintext never stored.
  • Session tokens: JWE encrypted (AES-256-CBC-HS512) with HKDF-derived key from AUTH_SECRET
  • Database: PostgreSQL within private Kubernetes cluster network. Encrypted backup storage.

Encryption Key Management

  • ENCRYPTION_MASTER_KEY: 32-byte hex key for AES-256-GCM. Stored in Kubernetes sealed-secret. Rotation requires re-encryption of all Plaid tokens.
  • AUTH_SECRET: Minimum 32-character secret for JWE. Stored in Kubernetes sealed-secret. Pinned to Auth.js version.
  • Keys are never logged, committed to version control, or exposed in error messages.

Database Backups

  • Daily automated backups of PostgreSQL
  • Point-in-time recovery capability
  • Encrypted backup storage
  • Backups follow the same retention schedule as the data they contain

Your Rights Regarding Data Retention

  • Unlink individual financial institutions at any time (immediate data deletion for that institution)
  • Revoke individual API keys at any time (immediate invalidation)
  • Delete your entire account at any time (immediate and complete data purge)
  • Adjust privacy scope per institution to control what data AI tools can access
  • Contact [email protected] for data retention inquiries

Compliance and Review

This policy is reviewed and updated as data practices change. Changes are posted at this URL with an updated "Last updated" date.

Contact

Email: [email protected]

See also: Privacy Policy