Data Retention Policy

1. Purpose and Scope

This Data Retention & Destruction Policy ("Policy") describes how long Renji Labs, Inc. ("Renji Labs," "we," "our," or "us") retains each category of personal information processed in connection with Kaiary, and how that information is permanently deleted when it is no longer needed.

This Policy is intended to satisfy our obligations under applicable laws, including the Children's Online Privacy Protection Rule (COPPA), which prohibits indefinite retention of children's personal information; the Illinois Biometric Information Privacy Act (BIPA), which requires a publicly available written retention and destruction schedule for biometric identifiers; and equivalent obligations under state biometric laws (Texas CUBI, Washington RCW 19.375), the California Consumer Privacy Act (as amended by CPRA), and the EU General Data Protection Regulation (GDPR).

Plain summary: Family content stays for as long as your account is active and is deleted within 30 days of account closure. Biometric face data is destroyed when you turn off face recognition, delete the underlying photos, or close your account—whichever comes first—and is in any event destroyed within three years of your last interaction with the feature. Logs and analytics are kept for limited, defined periods. Some financial records are kept longer where tax law requires. We do not retain any data indefinitely.

2. Definitions

Personal Information. As defined in our Privacy Policy.
Family Content. Journal entries, photos, videos, audio recordings, captions, milestones, and other content users create or upload.
Biometric Data. Facial geometry vectors (face embeddings) extracted from photos when a user opts into face recognition. Raw face images are stored as ordinary Family Content; only the embedding is treated as biometric data for purposes of this Policy.
Children's Personal Information. Personal information of any individual under the age of 18, including images, audio, names, dates of birth, and biometric data of minors who appear as subjects in Family Content. Account holders must be 18 or older; this category therefore concerns information about minors that adult users provide.
Active Account. An account that has not been deleted, either by the user or by us pursuant to our terms.
Permanent Deletion. Removal from production systems and all retained backups within the timelines stated in this Policy, in a manner that prevents reconstruction of the data.

3. Retention Principles

Our retention practices are guided by four principles:

Purpose limitation. We retain personal information only for as long as it is needed for the purpose for which it was collected, plus any period required or permitted by law.
No indefinite retention. Every category of personal information has a defined maximum retention period.
User control. Users may delete individual content items, disable optional features, or delete their entire account at any time.
Heightened protection for sensitive categories. Children's Personal Information and Biometric Data are subject to the shortest practical retention windows and the strictest destruction requirements.

4. Retention Schedule

The table below specifies, for each category of personal information, the trigger that starts the retention clock, the maximum retention period, and the basis for that period. Unless otherwise stated, all timelines run from the trigger event.

Data Category

Retention Period

Trigger & Basis

Account information (name, email, phone, authentication credentials, profile)

For the life of the Active Account; deleted within 30 days of account deletion.

Trigger: account deletion. Basis: necessary to provide the service while account is active; reasonable wind-down period after deletion.

Family Content (photos, videos, journal entries, audio recordings, captions, milestones)

For the life of the Active Account, or until the user deletes the item; deleted within 30 days of account deletion.

Trigger: user deletion of item, or account deletion. Basis: core service purpose.

Biometric Data (face embeddings)

Until the earliest of: (a) user disables face recognition, (b) user deletes the associated photos, (c) account deletion, or (d) three (3) years after the user's last interaction with the face-recognition feature. Destroyed within 30 days of any of these triggers.

Trigger: any of (a)–(d). Basis: BIPA (3-year maximum from last interaction), state biometric laws, and our own privacy commitment.

Children's Personal Information (images, audio, names, biographical data, biometric data depicting minors)

Same as the underlying category (Family Content or Biometric Data) but never longer than the user's Active Account; deleted within 30 days of account deletion.

Trigger: user deletion or account deletion. Basis: COPPA prohibition on indefinite retention; principle of data minimization for minors.

Push notification tokens

For the life of the Active Account or until push is disabled; deleted within 30 days.

Trigger: push disabled or account deletion. Basis: necessary to deliver requested notifications.

Precise location data (linked to journal entries)

For the life of the entry, or until the user deletes the entry or revokes location permission. Linked to Family Content retention.

Trigger: entry deletion, permission revocation, or account deletion. Basis: feature functionality.

Subscription, billing, and purchase records

Up to seven (7) years after the transaction or end of subscription.

Trigger: end of transaction or subscription. Basis: U.S. federal and state tax recordkeeping requirements.

Authentication and security audit logs

Up to twelve (12) months.

Trigger: log creation. Basis: security investigations, fraud detection, and incident response.

Application and infrastructure logs (non-security)

Up to 90 days.

Trigger: log creation. Basis: operational debugging.

Crash and performance diagnostic data (Sentry)

Up to 90 days.

Trigger: event capture. Basis: error investigation and product quality.

Product analytics events (PostHog)

Up to twenty-four (24) months.

Trigger: event capture. Basis: longitudinal product analytics; data minimization beyond this window.

Advertising attribution and conversion data shared with advertising partners (Google Ads, Meta, AppsFlyer)

Per each partner's published retention policy (typically 90 days to 540 days). On our systems, conversion event records are retained up to twenty-four (24) months.

Trigger: event capture. Basis: campaign measurement and reporting.

Marketing email lists

Until the user unsubscribes. Email opt-out records are retained indefinitely as required to prevent re-contact.

Trigger: unsubscribe. Basis: CAN-SPAM, GDPR Article 17, and equivalent suppression-list requirements.

Customer support tickets and correspondence

Up to three (3) years after resolution.

Trigger: ticket resolution. Basis: dispute resolution and quality improvement.

Consent records (privacy policy acceptance, biometric consent)

For the life of the Active Account, plus five (5) years after account deletion or consent revocation.

Trigger: account deletion or consent revocation. Basis: legal defensibility of consent under BIPA, GDPR, and state biometric laws.

Account deletion records (the fact that an account was deleted, plus minimal metadata)

Up to twelve (12) months.

Trigger: account deletion. Basis: fraud prevention and audit.

Encrypted backups (database and storage)

Rolling 30-day retention. Deleted user data may persist in backups for up to 30 days after deletion.

Trigger: backup creation. Basis: business continuity, disaster recovery, and the practical limits of "right to be forgotten" obligations.

Aggregated and anonymized data that cannot be linked back to an individual

May be retained indefinitely for analytics, research, and product improvement.

Trigger: anonymization. Basis: data is no longer personal information.

5. Destruction Methods

When a retention period ends, we delete the relevant data using methods appropriate to the storage medium:

Database records. Hard-deleted from the production database. Soft deletion is not used as a final state.
Object storage (photos, videos, audio). Deleted from Amazon S3 such that the objects are no longer retrievable. Versioned object copies are purged on the same schedule.
Biometric embeddings. Deleted from the pgvector index in PostgreSQL.
Cached and content-delivery copies. Invalidated and purged from CloudFront.
Logs. Aged out of log storage according to the retention windows above.
Backups. Encrypted backups containing deleted data are rotated out within the documented backup retention window. Encryption keys for retired backups are also destroyed.
Third-party processors. When data is held by a vendor (e.g., Sentry, PostHog, AppsFlyer, RevenueCat, SendGrid), we propagate deletion requests to the vendor and rely on the vendor's documented deletion process. Vendor retention windows are listed above where they differ from ours.

6. User-Initiated Deletion

6.1 Deleting Individual Content

You may delete individual photos, videos, audio recordings, journal entries, and other items at any time from within the app. Deleted items are removed from active systems immediately and from backups within the standard 30-day backup-rotation window.

6.2 Deleting Biometric Data

You may disable face recognition or delete your facial recognition data at any time from Settings > Account > Face Recognition. Deleting biometric data does not delete the underlying photos. Biometric deletion is propagated within 30 days.

6.3 Deleting Your Account

Account deletion is available from Settings > Account > Delete Account. The deletion flow guides owners through ownership transfer or family deletion decisions and requires explicit confirmation. Once confirmed, all personal information associated with your account—including Family Content, Biometric Data, and account metadata—is deleted from active systems and propagated through backups within 30 days.

You may also request deletion by emailing privacy@kaiary.ai or support@kaiary.ai.

7. Special Provisions for Biometric Data

Consistent with the Illinois Biometric Information Privacy Act (740 ILCS 14/) and analogous state laws, Renji Labs commits to the following with respect to facial geometry data:

Purpose. Biometric data is collected for the sole purpose of automatic face tagging and photo organization within the user's family group.
Retention. Biometric data is retained until the earliest of (a) user disabling face recognition, (b) user deletion of the associated photos, (c) account deletion, or (d) three years from the user's last interaction with the face-recognition feature.
Destruction. Upon any of the foregoing triggers, biometric data is destroyed within 30 days using the methods described in Section 5.
No sale. We do not, and will not, sell, lease, trade, or otherwise profit from biometric data.
No third-party sharing. Biometric data is processed exclusively on Renji Labs' self-hosted infrastructure and is not shared with any third party, including advertising partners, analytics providers, or third-party AI services.
Audit trail. Consent for biometric collection is recorded with timestamp, IP address, user agent, consent source, and the specific acknowledgments provided.

8. Special Provisions for Children's Personal Information

Although Kaiary accounts may only be created by adults aged 18 or older, family content frequently includes images, audio, and biographical data about minors. Consistent with the Children's Online Privacy Protection Rule, we apply the following heightened retention practices:

No indefinite retention. Children's Personal Information is never retained indefinitely. Retention is governed by the Active Account rule above and by user-initiated deletion.
Deletion at parental request. The adult account holder may delete any item depicting their child—or all such items—at any time from within the app. The adult may also request deletion through privacy@kaiary.ai.
No advertising or analytics use. Children's Personal Information is never shared with advertising or analytics partners.
Self-hosted processing only. AI features that process content depicting children—face recognition, captioning, search—operate exclusively on Renji Labs' infrastructure. No third-party AI service receives images, audio, or video depicting children.

9. Legal Hold Exception

If we are required by law to preserve data—for example, in response to a valid subpoena, court order, or regulatory request—the affected data may be retained beyond the periods stated in this Policy for the duration of the legal hold. We minimize the scope of any legal hold and resume normal deletion as soon as the obligation ends.

10. Backups and the "Right to Be Forgotten"

Encrypted backups are essential to disaster recovery. When you delete data or close your account, that data is removed from active systems immediately, but copies may remain in routine backups for up to 30 days. Backups are encrypted, access-controlled, and used only for recovery operations. We do not restore deleted user data from backups except in the case of a documented disaster-recovery incident, and any data restored is re-deleted as soon as the incident is resolved.

11. International Data Transfers

Data is stored in the United States. If we transfer data outside its country of origin, we do so using lawful transfer mechanisms (such as Standard Contractual Clauses for transfers from the European Economic Area). The retention periods in this Policy apply regardless of where data is stored.

12. Policy Review and Revision

This Policy is reviewed at least annually and updated when there is a material change to our processing activities, infrastructure, vendor relationships, or applicable law. The "Last Updated" date at the top of this document reflects the most recent review. Material changes are summarized in our Privacy Policy and may be communicated to users through the app or by email.

13. Contact

For questions about this Policy or to exercise your rights to delete your data, please contact:

Privacy

Renji Labs, Inc.

2093 Philadelphia Pike #6689

Claymont, DE 19703

Email: privacy@kaiary.ai