Data Retention Policy

Last updated: 2026-04-12

1. Purpose

This Data Retention Policy explains how long GridPlay Studios (“GridPlay”, “we”, “us”) stores different types of data, why we store it, and when it is deleted or anonymized. Our goal is to balance operational needs, creator experience, and legal obligations while respecting user privacy.

2. Categories of Data & Retention Periods

2.1 Authentication & Account Data

This includes information used to create and secure your account and to provide cross‑domain sign‑in:

  • Account identifiers (such as UUID)
  • Authentication tokens (e.g., JWT, Sanctum)
  • Login history and device/session metadata

Retention:

  • Active accounts: retained while the account remains active.
  • Deleted accounts: personal account data is removed within 30 days of deletion.
  • Tokens: expire automatically; revoked tokens may be retained for up to 7 days for security auditing.

Reason: To maintain account security, prevent fraud, and support our single sign‑on ecosystem across GridPlay services.

2.2 Creator Content & Operational Data

This includes data you configure or generate while using GridPlay:

  • Bot configurations and settings
  • Vendor and rental configurations
  • Message of the Day (MOTD) content and schedules
  • Inventory sync data and related operational settings

Retention:

  • Active accounts: retained while the account remains active.
  • Deleted accounts: associated creator content is removed within 30 days, unless required for legal reasons.
  • MOTD messages: may be retained for up to 90 days for dispute resolution and service integrity.

Reason: To operate the service, preserve creator setups, and support troubleshooting and dispute resolution.

2.3 Transaction & Financial Data

This includes records related to payments and financial activity:

  • Purchase and subscription records
  • Rental and vendor transaction logs
  • Stripe or other payment processor records and payout details

Retention:

  • Typically retained for at least 7 years to comply with tax, accounting, and legal requirements.

Reason: To meet financial reporting, audit, and regulatory obligations.

2.4 Support & Communication Data

This includes information you share when contacting us:

  • Support tickets and their contents
  • Emails or other communications with our support team

Retention:

  • Typically retained for up to 2 years after a ticket is closed.

Reason: To maintain a history of support interactions and assist with future inquiries or disputes.

2.5 System Logs & Analytics

This includes technical and usage data generated by our systems:

  • Error and performance logs
  • Bot heartbeat and status logs
  • API request logs
  • Usage and engagement analytics

Retention:

  • Error logs: typically retained for 30–90 days.
  • Usage analytics: typically retained for up to 12 months, with older data aggregated or anonymized.
  • Security‑relevant logs: may be retained for up to 1 year.

Reason: To monitor service health, improve performance, and protect the platform from abuse.

3. Data Deletion Procedures

3.1 User‑Initiated Deletion

When you request deletion of your account (where available in your account settings or via support), we will:

  • Remove or anonymize personal account data within approximately 30 days.
  • Retain financial and transaction records as required by law (typically 7 years).
  • Retain or anonymize logs and analytics where necessary for security and service integrity.

3.2 Automated Deletion

We may run scheduled processes to:

  • Purge expired logs and temporary data.
  • Remove orphaned or unused records.
  • Anonymize older analytics data.

4. Data Minimization

We aim to collect and retain only the data that is:

  • Necessary to provide and improve our services,
  • Required to meet legal and regulatory obligations, or
  • Explicitly provided by creators to configure and operate their experiences.

We do not intentionally collect data that is not needed for these purposes.

5. Backups

Our backups may contain copies of the data described in this policy. Backups are:

  • Retained on a rolling basis (for example, around 30 days),
  • Encrypted at rest where technically supported, and
  • Accessible only to authorized personnel.

When data is deleted from our active systems, it will also be removed from backups as those backups naturally expire and are overwritten.

6. Third‑Party Services

We may use third‑party providers to deliver parts of the GridPlay ecosystem, such as:

  • Payment processors (e.g., Stripe) for handling payments and payouts,
  • Email providers for sending transactional or support emails, and
  • Hosting and infrastructure providers for running our services.

These providers have their own data retention practices, which may differ from ours. Where possible, we align our retention practices with their requirements and our legal obligations.

7. Policy Updates

We may update this Data Retention Policy from time to time, for example when we introduce new features, change how our services work, or respond to legal or regulatory changes.

When we make material changes, we will update the “Last updated” date above and may provide additional notice where appropriate.

8. Contact

If you have questions about this Data Retention Policy or how your data is handled, you can contact us at:

GridPlay Studios
support@gridplay.ca