retention & destruction
Data Retention & Destruction Policy
how long each category of data is kept, and how it's destroyed when it's no longer needed.
retention & destruction
how long each category of data is kept, and how it's destroyed when it's no longer needed.
Last Updated: May 4, 2026
This Data Retention & Destruction Policy ("Policy") describes how long Renji Labs, Inc. ("Renji Labs," "we," "our," or "us") retains each category of personal information processed in connection with Kaiary, and how that information is permanently deleted when it is no longer needed.
This Policy is intended to satisfy our obligations under applicable laws, including the Children's Online Privacy Protection Rule (COPPA), which prohibits indefinite retention of children's personal information; the Illinois Biometric Information Privacy Act (BIPA), which requires a publicly available written retention and destruction schedule for biometric identifiers; and equivalent obligations under state biometric laws (Texas CUBI, Washington RCW 19.375), the California Consumer Privacy Act (as amended by CPRA), and the EU General Data Protection Regulation (GDPR).
Plain summary: Family content stays for as long as your account is active and is deleted within 30 days of account closure. Biometric face data is destroyed when you turn off face recognition, delete the underlying photos, or close your account—whichever comes first—and is in any event destroyed within three years of your last interaction with the feature. Logs and analytics are kept for limited, defined periods. Some financial records are kept longer where tax law requires. We do not retain any data indefinitely.
Personal Information. As defined in our Privacy Policy.
Family Content. Journal entries, photos, videos, audio recordings, captions, milestones, and other content users create or upload.
Biometric Data. Facial geometry vectors (face embeddings) extracted from photos when a user opts into face recognition. Raw face images are stored as ordinary Family Content; only the embedding is treated as biometric data for purposes of this Policy.
Children's Personal Information. Personal information of any individual under the age of 18, including images, audio, names, dates of birth, and biometric data of minors who appear as subjects in Family Content. Account holders must be 18 or older; this category therefore concerns information about minors that adult users provide.
Active Account. An account that has not been deleted, either by the user or by us pursuant to our terms.
Permanent Deletion. Removal from production systems and all retained backups within the timelines stated in this Policy, in a manner that prevents reconstruction of the data.
Our retention practices are guided by four principles:
The table below specifies, for each category of personal information, the trigger that starts the retention clock, the maximum retention period, and the basis for that period. Unless otherwise stated, all timelines run from the trigger event.
| Data Category | Retention Period | Trigger & Basis |
|---|---|---|
| Account information (name, email, phone, authentication credentials, profile) | For the life of the Active Account; deleted within 30 days of account deletion. | Trigger: account deletion. Basis: necessary to provide the service while account is active; reasonable wind-down period after deletion. |
| Family Content (photos, videos, journal entries, audio recordings, captions, milestones) | For the life of the Active Account, or until the user deletes the item; deleted within 30 days of account deletion. | Trigger: user deletion of item, or account deletion. Basis: core service purpose. |
| Biometric Data (face embeddings) | Until the earliest of: (a) user disables face recognition, (b) user deletes the associated photos, (c) account deletion, or (d) three (3) years after the user's last interaction with the face-recognition feature. Destroyed within 30 days of any of these triggers. | Trigger: any of (a)–(d). Basis: BIPA (3-year maximum from last interaction), state biometric laws, and our own privacy commitment. |
| Children's Personal Information (images, audio, names, biographical data, biometric data depicting minors) | Same as the underlying category (Family Content or Biometric Data) but never longer than the user's Active Account; deleted within 30 days of account deletion. | Trigger: user deletion or account deletion. Basis: COPPA prohibition on indefinite retention; principle of data minimization for minors. |
| Push notification tokens | For the life of the Active Account or until push is disabled; deleted within 30 days. | Trigger: push disabled or account deletion. Basis: necessary to deliver requested notifications. |
| Precise location data (linked to journal entries) | For the life of the entry, or until the user deletes the entry or revokes location permission. Linked to Family Content retention. | Trigger: entry deletion, permission revocation, or account deletion. Basis: feature functionality. |
| Subscription, billing, and purchase records | Up to seven (7) years after the transaction or end of subscription. | Trigger: end of transaction or subscription. Basis: U.S. federal and state tax recordkeeping requirements. |
| Authentication and security audit logs | Up to twelve (12) months. | Trigger: log creation. Basis: security investigations, fraud detection, and incident response. |
| Application and infrastructure logs (non-security) | Up to 90 days. | Trigger: log creation. Basis: operational debugging. |
| Crash and performance diagnostic data (Sentry) | Up to 90 days. | Trigger: event capture. Basis: error investigation and product quality. |
| Product analytics events (PostHog) | Up to twenty-four (24) months. | Trigger: event capture. Basis: longitudinal product analytics; data minimization beyond this window. |
| Advertising attribution and conversion data shared with advertising partners (Google Ads, Meta, AppsFlyer) | Per each partner's published retention policy (typically 90 days to 540 days). On our systems, conversion event records are retained up to twenty-four (24) months. | Trigger: event capture. Basis: campaign measurement and reporting. |
| Marketing email lists | Until the user unsubscribes. Email opt-out records are retained indefinitely as required to prevent re-contact. | Trigger: unsubscribe. Basis: CAN-SPAM, GDPR Article 17, and equivalent suppression-list requirements. |
| Customer support tickets and correspondence | Up to three (3) years after resolution. | Trigger: ticket resolution. Basis: dispute resolution and quality improvement. |
| Consent records (privacy policy acceptance, biometric consent) | For the life of the Active Account, plus five (5) years after account deletion or consent revocation. | Trigger: account deletion or consent revocation. Basis: legal defensibility of consent under BIPA, GDPR, and state biometric laws. |
| Account deletion records (the fact that an account was deleted, plus minimal metadata) | Up to twelve (12) months. | Trigger: account deletion. Basis: fraud prevention and audit. |
| Encrypted backups (database and storage) | Rolling 30-day retention. Deleted user data may persist in backups for up to 30 days after deletion. | Trigger: backup creation. Basis: business continuity, disaster recovery, and the practical limits of "right to be forgotten" obligations. |
| Aggregated and anonymized data that cannot be linked back to an individual | May be retained indefinitely for analytics, research, and product improvement. | Trigger: anonymization. Basis: data is no longer personal information. |
When a retention period ends, we delete the relevant data using methods appropriate to the storage medium:
You may delete individual photos, videos, audio recordings, journal entries, and other items at any time from within the app. Deleted items are removed from active systems immediately and from backups within the standard 30-day backup-rotation window.
You may disable face recognition or delete your facial recognition data at any time from Settings > Account > Face Recognition. Deleting biometric data does not delete the underlying photos. Biometric deletion is propagated within 30 days.
Account deletion is available from Settings > Account > Delete Account. The deletion flow guides owners through ownership transfer or family deletion decisions and requires explicit confirmation. Once confirmed, all personal information associated with your account—including Family Content, Biometric Data, and account metadata—is deleted from active systems and propagated through backups within 30 days.
You may also request deletion by emailing privacy@kaiary.ai or support@kaiary.ai.
Consistent with the Illinois Biometric Information Privacy Act (740 ILCS 14/) and analogous state laws, Renji Labs commits to the following with respect to facial geometry data:
Although Kaiary accounts may only be created by adults aged 18 or older, family content frequently includes images, audio, and biographical data about minors. Consistent with the Children's Online Privacy Protection Rule, we apply the following heightened retention practices:
If we are required by law to preserve data—for example, in response to a valid subpoena, court order, or regulatory request—the affected data may be retained beyond the periods stated in this Policy for the duration of the legal hold. We minimize the scope of any legal hold and resume normal deletion as soon as the obligation ends.
Encrypted backups are essential to disaster recovery. When you delete data or close your account, that data is removed from active systems immediately, but copies may remain in routine backups for up to 30 days. Backups are encrypted, access-controlled, and used only for recovery operations. We do not restore deleted user data from backups except in the case of a documented disaster-recovery incident, and any data restored is re-deleted as soon as the incident is resolved.
Data is stored in the United States. If we transfer data outside its country of origin, we do so using lawful transfer mechanisms (such as Standard Contractual Clauses for transfers from the European Economic Area). The retention periods in this Policy apply regardless of where data is stored.
This Policy is reviewed at least annually and updated when there is a material change to our processing activities, infrastructure, vendor relationships, or applicable law. The "Last Updated" date at the top of this document reflects the most recent review. Material changes are summarized in our Privacy Policy and may be communicated to users through the app or by email.
For questions about this Policy or to exercise your rights to delete your data, please contact:
Privacy
Renji Labs, Inc.
2093 Philadelphia Pike #6689
Claymont, DE 19703
Email: privacy@kaiary.ai
see also our privacy policy and information security program.