1. Introduction
This Data Retention Schedule describes:
- What data Motiw8 collects
- How long each type of data is stored
- Why certain retention periods are required
- When data is deleted
- How backups and logs are handled
- How retention interacts with GDPR and other laws
- Exceptions for fraud, financial, and legal compliance
- Meaning of anonymization vs deletion
Retention periods apply to:
- Supabase database tables
- Supabase Storage buckets
- AWS Rekognition metadata
- Stripe / RevenueCat financial data
- Internal logs and audit trails
When a retention period expires, the data is:
- Permanently deleted
- Or anonymized (if deletion breaks accounting/legal obligations)
2. Definitions
- Personal Data — Information that directly or indirectly identifies a user.
- Media Evidence — Photos, videos, timestamp screenshots submitted for verification.
- Derived Data — AI/ML outputs, OCR text, labels, face vectors, flags.
- Financial Data — Transactions, payouts, billing details.
- Backups — Historical database snapshots stored securely.
- Anonymization — Irreversibly removing identifiers so data cannot be linked to a user.
- Deletion — Permanent removal from all production systems.
3. Summary Table — Retention Periods
| Data Category | Retention | Rationale |
|---|---|---|
| Media (photos) | 180 days after challenge ends | Verification integrity, appeals |
| Media (videos) | 90 days after challenge ends | Storage limits, liveness only needed short-term |
| Timestamp screenshots | 180 days | Date validation for challenges |
| Face vectors | Until account deletion or consent withdrawal | Required for future comparisons |
| Derived verification data | 3 years | Fraud analytics, dispute resolution |
| Fraud flags & risk scoring | 3 years | Anti-cheat compliance |
| Challenge results | Permanent | Historical accuracy |
| Account profile data | Until deletion | Needed for service delivery |
| Health data (steps, weight) | Until deletion | User fitness history |
| Challenge participation records | Permanent | Required for historical rankings |
| Payout records | 7 years | EU/US tax and accounting laws |
| Transaction logs | 7 years | Stripe + EU AML law |
| KYC documents | 7 years | AML regulations |
| Audit logs | 7 years | Security and compliance |
| Backups | 30–90 days | Disaster recovery only |
| Consent records | 7 years | Legal proof of consent |
| Analytics logs | 2–5 years (Firebase) | Industry standard |
4. Detailed Retention by Category
4.1 Media Evidence Retention
4.1.1 Photos (scale, full-body, timestamp)
- Retention: 180 days after challenge completion
- Location: Supabase Storage evidence-photos
- Reason:
- Allows audits
- Enables appeals
- Supports fraud investigations
- Required by fairness and verification rules
After 180 days:
- Files are permanently deleted.
- Perceptual hashes may be retained (see below).
4.1.2 Videos
- Retention: 90 days after challenge completion
- Location: Supabase Storage evidence-videos
- Reason:
- Liveness checks needed only once
- Large file sizes
After 90 days:
- Permanent deletion.
4.1.3 Timestamp Screenshots
- Retention: 180 days
- Reason:
- Date verification disputes
- Fraud detection
4.2 Derived Data & AI Outputs
Derived data includes:
- OCR weight values
- Face similarity scores
- Liveness scores
- Duplicate detection hashes
- Content moderation labels
- Fraud likelihood scoring
- Device metadata
- Scale value consistency metrics
- Retention: 3 years
- Reason:
- Fraud pattern detection
- Compliance with challenge integrity
- Investigation of disputes
- Training future fraud-detection models (non-personalized)
After 3 years:
- Either anonymized or deleted.
4.3 Face Vectors & Biometrics
Face vectors (numerical biometrics) created via AWS Rekognition CompareFaces:
- Stored in a Supabase table weighins.face_vector
- NOT stored as images by AWS
- Used only to compare your baseline vs final submission
Retention: until:
- You delete your account, OR
- You withdraw biometric consent
Upon deletion request:
- Vectors are immediately erased
- No backup copy kept
4.4 Health Data (Weight, Steps, Body Fat)
Stored in:
- weighins
- steps_daily
- user_baselines
- Retention: until account deletion
- Reason:
- Required to deliver fitness tracking features
- Needed for historical ranking accuracy
4.5 Challenge Participation Records
Challenge data (rank, score, final result, history):
- Permanent retention
- Personal identifiers can be anonymized
Why permanent?
- Other participants need accurate historical rankings
- Financial payouts depend on immutable challenge results
- Appeals may happen after long delays
Users may request anonymization, but records remain.
4.6 Financial Data
Includes:
- Stripe PaymentIntents
- Payout logs
- Internal wallet ledger
- Service fees
- VAT invoicing
- Accounting records
- Retention: 7 years
- Legal Basis:
- EU VAT law
- EU Accounting Directive
- US IRS compliance
- Anti-money-laundering rules
Cannot be deleted early.
If a user requests account deletion:
- Personal identifiers replaced with an anonymized placeholder
- Financial records remain tied to a pseudonymous ID
4.7 KYC/AML Data (Future Stripe Identity)
Includes:
- ID documents
- Selfie liveness video
- Stripe identity report
- Retention: 7 years (required by AMLD5 & PSD2)
- Stored by: Stripe Identity
- Not stored by: Motiw8
Deletion: Motiw8 can request Stripe to erase earlier than required only if legally allowed.
4.8 Audit Logs
Logs may contain:
- IP addresses
- Device fingerprints
- Authentication attempts
- Account events
- Payment events
- Retention: 7 years
- Reason:
- Security compliance
- Fraud detection
- Platform integrity
- Stripe audit obligations
4.9 User Consents
Stored in user_consents:
- Consent type
- Timestamp
- Version
- IP address
- Device information
- Retention: 7 years
- Reason:
- GDPR accountability (Art. 7)
- Proof of lawful basis
4.10 Backups
Supabase backups (encrypted):
- Stored 30–90 days
- Cannot be altered
- Automatically rotated
Deletion from production takes effect once backups expire.
5. Interaction with GDPR Rights
When users request:
5.1 Right to Access
We provide:
- All personal data
- All media not yet deleted
- Derived data
- Logs (where allowed)
5.2 Right to Erasure
Not applicable to:
- Financial records (7-year rule)
- Challenge result history (must remain for fairness)
- Fraud investigation data (legal obligation)
These are anonymized, not deleted.
5.3 Right to Rectification
Users may correct:
- Profile info
- Health data (future entries only)
- Incorrect metadata (case-by-case)
5.4 Right to Object
Users may object to:
- Non-essential analytics
- Non-essential profiling
Cannot object to:
- Fraud detection
- Required verification
- Financial compliance
5.5 Right to Portability
We export:
- Steps data
- Weight history
- Challenge history
- Consents
- All stored metadata
In a machine-readable format.
6. Exceptions & Special Cases
6.1 Fraud Flags
Kept 3 years even after account deletion.
Reason: prevent repeated sign-ups using new accounts.
6.2 Legal Requests
We may retain data beyond schedule when:
- Required by a court
- Needed for litigation defense
- Required for financial investigations
- Tax audits
6.3 Suspicious or Penalized Accounts
If an account is under investigation:
- Evidence is preserved indefinitely until case closure
7. How Data Is Deleted
Deletion is multi-step:
- Mark for deletion
- Remove from Supabase tables
- Delete media from storage buckets
- Delete AI-derived information
- Scrub identifiers from challenge records
- Anonymize financial records
- Purge logs after 90 days
- Expire from backups after 30–90 days
Users receive a confirmation email when deletion is complete.
8. Internal Retention Governance
The retention schedule is reviewed:
- At least once per year
- After major product updates
- After changes in law
- After data breach incidents
All updates receive a version bump (e.g., 1.0.0 → 1.1.0).