Data Retention Policy — JITPOS Platform
Entity: AppSquire Consulting Ltd. Effective Date: 2026-05-29 Version: 1.1 Applies to: All JITPOS platforms (Storefront, iPad POS, SaaS Platform)
1. Introduction
This Data Retention Policy describes how AppSquire Consulting Ltd. ("we," "us," or "our") retains and disposes of data across the JITPOS Platform ecosystem. This policy applies to all data processed through the Storefront, iPad POS, and SaaS Platform.
Proper data retention is essential for regulatory compliance (including the Cannabis Act, PIPEDA, and provincial cannabis legislation), operational needs, and privacy protection.
2. Principles
- Purpose Limitation: Data is retained only as long as necessary for the purpose for which it was collected
- Legal Compliance: Minimum retention periods are observed as required by law
- Data Minimization: We do not retain data longer than necessary
- Secure Disposal: Data is securely deleted when no longer required
3. Retention Schedules
3.1 Customer Data (Storefront & iPad POS)
| Data Category | Retention Period | Justification |
|---|---|---|
| Customer account information | Duration of account + 2 years after closure | Service provision, legal compliance |
| Date of birth / age verification | Duration of account + 2 years | Cannabis regulatory compliance |
| Transaction / order records | 7 years from transaction date | Tax, regulatory, and audit requirements |
| Payment records (transaction confirmations) | 7 years from transaction date | Financial record-keeping, dispute resolution |
| Shipping / delivery records | 7 years from delivery date | Dispute resolution, regulatory compliance |
| Customer communications | 3 years from last communication | Customer service, dispute resolution |
| Loyalty program data | Duration of enrollment + 24 months | Program administration |
| Marketing consent records | Duration of consent + 36 years | Proof of consent under PIPEDA |
3.2 Tenant Data (SaaS Platform)
| Data Category | Retention Period | Justification |
|---|---|---|
| Tenant business information | Duration of subscription + 7 years | Contractual, legal compliance |
| Authorized User accounts | Duration of subscription + 30 days | Service provision |
| Subscription and billing records | 7 years from last payment | Tax, accounting, audit |
| Support tickets | 3 years from resolution | Service quality, dispute resolution |
| Tenant configuration data | Duration of subscription + 90 day export window | Service provision |
3.3 Platform Operations Data
| Data Category | Retention Period | Justification |
|---|---|---|
| Application logs | 6 months | Debugging, security monitoring |
| Access / authentication logs | 12 months | Security, compliance auditing |
| API logs | 12 months | Performance monitoring, debugging |
| Error logs | 6 months | Debugging, quality assurance |
| Security event logs | 2 years | Security investigation, compliance |
3.4 Analytics and Cookies
| Data Category | Retention Period | Justification |
|---|---|---|
| Website analytics (raw) | 14 months | Performance optimization |
| Website analytics (aggregated) | 5 years | Trend analysis |
| Session cookies | End of browser session | Storefront functionality |
| Persistent cookies | See Cookie Policy | Per cookie purpose |
3.5 Backups
| Backup Type | Retention Period | Notes |
|---|---|---|
| Daily backups | 35 days | Rolling deletion |
| Weekly backups | 12 weeks | Rolling deletion |
| Monthly backups | 6 months | Rolling deletion |
4. Regulatory Minimum Retention
Certain records must be retained for minimum periods under applicable law:
| Regulation | Data Type | Minimum Period |
|---|---|---|
| Cannabis Act / Provincial Cannabis Legislation | Transaction records, age verification records | [VERIFY WITH LEGAL — varies by province] |
| Income Tax Act | Financial and transaction records | 6 years from end of fiscal year |
| PIPEDA | Consent records | Duration of consent relationship + reasonable period |
| Provincial Employment Standards | Employee-related records (if applicable) | [VERIFY — varies by province] |
Note: Where regulatory minimums exceed the periods in Section 3, the regulatory minimum applies.
5. Data Disposal
5.1 Secure Deletion
When data reaches the end of its retention period, it will be securely deleted using:
- Cryptographic erasure for encrypted data stores
- Secure overwrite or destruction for other storage media
- API-based deletion for third-party services (e.g., payment processors)
5.2 Backup Disposal
Data in backups will be purged according to the backup retention schedule in Section 3.5. Data may persist in backups beyond its primary retention period until the backup is purged.
5.3 Exception: Legal Holds
Data subject to a legal hold (e.g., litigation, regulatory investigation) must not be deleted until the hold is released, regardless of the standard retention period.
6. Tenant Data on Termination
When a Tenant's subscription ends:
- Export Window: Tenant Data is available for export for 30 days
- Deletion: After the export window, Tenant Data is deleted from active systems within 90 days
- Backups: Tenant Data is purged from backups within 180 days of deletion
- Certification: Upon request, we provide written certification of deletion
- Exceptions: Data required by law (e.g., transaction records, age verification) is retained for the applicable regulatory period
7. Customer Data Deletion Requests
7.1 Storefront Customers
Customers may request deletion of their account and personal information. Upon receiving a valid request:
- Account and profile data are deleted within 30 business days
- Transaction records are retained for the regulatory minimum period (anonymized where possible)
- Age verification records are retained as required by law
7.2 iPad POS Customers
Customers who provided personal information at point of sale may request deletion by contacting the Retailer or us directly.
8. Responsibilities
| Role | Responsibility |
|---|---|
| AppSquire Consulting Ltd. | Implementing and enforcing retention schedules, secure disposal |
| Tenants | Cooperating with retention obligations, not requesting retention beyond legal requirements |
| Privacy Officer | Overseeing compliance, reviewing retention schedules annually |
9. Review and Updates
This policy will be reviewed at least annually and updated as necessary to reflect changes in:
- Applicable laws and regulations
- Business requirements
- Platform capabilities
- Industry best practices
10. Contact Information
Privacy Officer AppSquire Consulting Ltd. 7313 Roper Rd NW info@jitpos.net 888-481-3323
Revision History
| Version | Date | Changes |
|---|---|---|
| 1.0 | 2026-05-29 | Initial Document Creation |
| 1.1 | 2026-05-29 | Updated templating structure |