Billtrust data archiving and deletion policy

Billtrust is committed to the secure and confidential care of your data. We retain data only as long as necessary: to enforce our agreements and comply with legal obligations.

When those needs end, we securely archive or delete your data according to the retention schedule below. This schedule balances our operational needs with your privacy rights. We regularly review our procedures to ensure they remain appropriate and effective.

Data retention guidelines

This table contains a select list of the data types included within Billtrust’s data retention procedures, including recommended retention periods. Retention intervals may be adjusted from time to time as appropriate.

Type of data Example Retention requirement
Transaction data

  • Bills (banking)

  • Bill statements (payment processing)

  • Documents

  • Emails

  • 10 years

  • Active + 7 years

  • 2 years

  • 7 years
Payment transaction data

  • Payments

  • Active + 7 years
Payment account data

  • Credit card info

  • ACH details

  • Active + 7 years

  • Active + 7 years
Master data

  • Customer data

  • Account details

  • Print facilities

  • Employee info

  • Active + 7 years

  • Active + 7 years

  • Active + 7 years

  • Term + 10 years
Processing data

  • Agent task data

  • FTP processing info

  • Active + 1 year

  • Active + 1 year
Audit/log data

  • User login attempts

  • Session info

  • Batch error logs

  • Application logs

  • Security logs

  • Active + 5 years

  • Active + 5 years

  • Active + 1 year

  • Active + 1 year

  • Active + 1 year

Data archiving/purging procedure

Before deleting or archiving data, we follow each step in this procedure:

  1. We confirm that data is not subject to a legal hold or record retention requirements.

  2. We confirm that contractual requirements do not prevent data from being purged.

  3. We identify adverse impacts to Billtrust systems that may arise from the data purge.

  4. We confirm and document that data meets or exceeds the retention schedule timeframe.

  5. We document how data will be purged/archived, and these motions are reviewed and approved by the compliance team and the team responsible for the applicable product or system.

  6. We ensure that purging activity complies with NIST SP 800-88 or a similar standard.

  7. We document evidence and maintain records that show what data was archived or deleted (e.g., screenshots and audit logs)

  8. We record the date and time that data was deleted and the name of the employee who conducted the purge.

Questions?

If you have questions about our data retention guidelines, please open a case with Customer Support.