Data Retention and Disposal Policy
Organization: Sierra Digital Forge LLC
Product covered: QuiltRBuddy (Windows desktop + Android, .NET MAUI)
Effective date: May 18, 2026
Last reviewed: May 18, 2026
Document owner: Ronald Warren, Managing Member
Version: 1.0
Related policies: Information Security Policy v1.0, Access Controls Policy v1.0, Multi-Factor Authentication Policy v1.0
⚠️ DRAFT — REQUIRES LAWYER REVIEW BEFORE PUBLICATION.
1. Purpose
This Data Retention and Disposal Policy (“Policy”) defines how Sierra Digital Forge LLC (“Sierra Digital Forge”) retains, archives, and disposes of data created, received, or processed by Sierra Digital Forge in connection with QuiltRBuddy.
Objectives:
- To enumerate every category of data that Sierra Digital Forge creates, receives, or processes in connection with QuiltRBuddy.
- To document the retention period applicable to each category.
- To document the disposal method by which each category is eliminated.
- To make explicit the distinction between on-device data and Sierra Digital Forge-controlled Community-backend records.
- To honor user-initiated deletion requests, regulator deletion requests, and the Right to Erasure where applicable consumer-privacy regulations grant it.
2. Scope
This Policy applies to:
- All data Sierra Digital Forge creates, receives, or processes in connection with QuiltRBuddy, including data the application receives from third-party services (Gemini, payment processor, identity provider) and data Sierra Digital Forge stores on its Community backend.
- All Sierra Digital Forge-controlled records that relate to the operation of QuiltRBuddy, including source code, build artifacts, signing keys (Windows + Android), API credentials, security and privacy policies, vendor agreements, incident reports, and access-review records.
- All data residing on the Sierra Digital Forge developer workstation that pertains to QuiltRBuddy.
This Policy does NOT cover:
- Data held by subprocessors on subprocessor-controlled infrastructure.
- Personal records of the Managing Member that do not pertain to QuiltRBuddy.
- Project files (quilt designs, block files) the user has saved into their own folders on their own device — these belong to the user, may live in shared folders, and Sierra Digital Forge never receives a copy.
3. Definitions
| Term | Definition |
|---|---|
| Data | Any information, in any format, created, received, transmitted, or stored by or on behalf of Sierra Digital Forge in connection with QuiltRBuddy. |
| Consumer data | Data that pertains to a specific end user of QuiltRBuddy, including Community profile, Community content, subscription state, and identity assertions returned by the identity provider. |
| On-device data | Consumer data that resides on the end user’s Windows or Android device. For offline-only users, on-device data is the only copy. For Community users, on-device data is typically a local cache of Community records. |
| Community-backend-held data | Consumer data Sierra Digital Forge holds through its vendors rather than on the user’s device: the identity-provider authentication record, the payment-processor customer record, and the Community-backend records (profile, posts, challenges, subscription cache). |
| Sierra Digital Forge-controlled records | Data held on infrastructure that Sierra Digital Forge controls, including the developer workstation, the private source-code repository on GitHub, and the developer password manager. |
| Retention period | The interval during which a data category is permitted to exist before disposal is required. |
| Disposal | The act of permanently removing data such that the data cannot be reconstructed, retrieved, or used. |
| Right to Erasure | A consumer’s right to have data about them deleted on request, where applicable consumer-privacy regulations grant such a right. |
| Subprocessor | A third-party service Sierra Digital Forge has engaged to support a feature of QuiltRBuddy. The enumerated subprocessors are Google Cloud (Gemini), the payment processor ({{PAYMENT_PROCESSOR}}), and the identity provider ({{IDENTITY_PROVIDER}}). |
4. Roles & Responsibilities
| Role | Holder | Responsibility |
|---|---|---|
| Policy owner | Ronald Warren, Managing Member | Approves and maintains this Policy. |
| Records officer | Ronald Warren, Managing Member | Maintains the records of disposal; processes deletion requests received under Section 11. |
| Implementation lead | Ronald Warren, Managing Member | Ensures the QuiltRBuddy application code implements the on-device retention and disposal behaviors described in Sections 6 and 9. |
5. Data Categories
| Category | Examples | Where it resides |
|---|---|---|
| A. On-device user-saved files | Quilt project files (.json), block files (.qrblock), fabric-catalog imports. | On Windows: user-chosen folders. On Android: app-private external storage (Android/data/{{ANDROID_PACKAGE_NAME}}/files/). |
| B. On-device application preferences | Workspace state, theme, last-opened-project pointer, draft Community posts. | On Windows: MAUI Preferences storage. On Android: app-private SharedPreferences. |
| C. On-device authentication and Community tokens | Community session and refresh tokens, payment-processor customer identifier. | Platform-specific protected storage (Windows DPAPI / PasswordVault; Android EncryptedSharedPreferences). |
| D. Community identity record | UID, email address, hashed password (provider-managed), creation date, sign-in audit metadata. | The Community identity provider’s infrastructure ({{IDENTITY_PROVIDER}}). |
| E. Community-backend records | Profile (display name, optional bio, avatar reference), Community posts, comments, challenge participation, subscription cache. | The Community backend Sierra Digital Forge administers through the identity provider’s data stores. |
| F. Payment-processor records | Customer record (email, last-4 of card, billing region), subscription state, invoice history. | The payment processor’s infrastructure. |
| G. On-device diagnostic data | Platform log facility output during development. | End user’s device. Not transmitted off-device in production. |
| H. Source code and build artifacts | C# / XAML source files, MAUI build configuration, asset files, generated MSIX / APK builds. | Private GitHub repository under Sierra Digital Forge control; local working copy on the developer workstation. |
| I. API credentials | GEMINI_API_KEY, payment-processor publishable + secret keys, identity-provider config. | secrets.json or equivalent on the developer workstation (gitignored); developer password manager. |
| J. Code-signing keys | Windows code-signing certificate; Android upload keystore for the QuiltRBuddy package. | Developer workstation; backed up to an encrypted offline backup target. |
| K. Business records | This Policy and related policies; vendor agreements; access-review records; incident reports; tax and accounting records pertaining to QuiltRBuddy. | Developer workstation; backed up per Sierra Digital Forge business-records practice. |
| L. Subprocessor-held data | Gemini-side query logs; payment-processor-side records (regulatorily required to retain); identity-provider platform logs. | Each subprocessor’s own infrastructure. |
6. Retention of On-Device Consumer Data (Categories A, B, C, G)
6.1 Retention model
On-device consumer data is retained on the end user’s device under the user’s direct control.
- Offline-only mode (Categories A, B). On-device data is the only copy. Sierra Digital Forge never holds a copy of these files.
- Community mode (Categories B, C; Category A is handled exactly as in offline-only mode). Tokens and cached Community records are on-device; the source of truth lives at the identity provider and on the Community backend.
The retention period for on-device consumer data is “for as long as the end user chooses to keep it.” The user is in continuous control of retention through the affordances described in Section 6.2.
6.2 User-controlled disposal affordances
The QuiltRBuddy application provides the following user-controlled disposal affordances:
- Project file deletion. The user may delete any individual quilt project or block file through the in-application file-management surface, or by deleting the file directly from the operating system file browser. Project files belong to the user; Sierra Digital Forge does not impose retention controls on them.
- Sign out. The user may sign out of Community from Edit > Preferences > Account > Sign Out. Sign-out clears the cached Community session token and refresh token from the application’s protected storage (Category C), so the session cannot be silently resumed from the device. Other application data is not affected; Community-backend records remain under the account UID until the user signs back in or deletes the account.
- Delete Community Account. The user may invoke Edit > Preferences > Your Data > Delete Community Account. This affordance:
  - Wipes the local Community profile, posts, challenges, draft posts, and subscription cache from the device.
  - Triggers backend deletion of the identity-provider account and Community-backend records.
  - Optionally (with a separate confirmation) cancels the user’s subscription at the payment processor and instructs the processor to delete the customer record where permitted by law and processor policy.
- Download My Data. Under Edit > Preferences > Your Data > Download My Data, the user can export a ZIP of every record Sierra Digital Forge holds for their account (GDPR Article 20 portability).
- Uninstall. The user may uninstall the application. The platform reclaims sandboxed storage on Android; on Windows, user-chosen project files are left in place (they belong to the user).
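As an added illustration (this is not QuiltRBuddy’s own code, and the policy prescribes the behaviors above, not this implementation), the following shows how the Sign Out and Delete Community Account affordances map onto .NET MAUI storage APIs, and why the order of operations matters. The ICommunityApi interface, the storage key names, the "community" Preferences container, and the "community-cache" folder name are assumptions made for the example.

```csharp
// Added example, not QuiltRBuddy project code. Assumed: ICommunityApi,
// the key names, the "community" Preferences container, and the cache folder.
using System;
using System.IO;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Maui.Storage;

namespace QuiltRBuddy.Example;

// Hypothetical wrapper over the identity-provider, Community-backend and
// payment-processor deletion endpoints.
public interface ICommunityApi
{
    Task DeleteAccountAsync(string accessToken, CancellationToken ct);
    Task CancelSubscriptionAndEraseCustomerAsync(string accessToken, CancellationToken ct);
}

public sealed class AccountDisposalService
{
    // Category C lives in SecureStorage (DPAPI-backed on Windows,
    // EncryptedSharedPreferences on Android).
    private const string AccessTokenKey  = "community.access_token";
    private const string RefreshTokenKey = "community.refresh_token";

    // Category B Community items (draft posts, cached profile) are kept in
    // their own Preferences container so they can be cleared without touching
    // theme or workspace state, which Delete Account must leave alone.
    public const string CommunityPrefs = "community";
    private const string CacheFolder = "community-cache";

    private readonly ICommunityApi _api;
    public AccountDisposalService(ICommunityApi api) => _api = api;

    // Sign Out: remove BOTH tokens. A refresh token left behind would let
    // anyone holding the device silently resume the session.
    public void SignOut()
    {
        SecureStorage.Default.Remove(AccessTokenKey);
        SecureStorage.Default.Remove(RefreshTokenKey);
        // Drafts, cached profile and user project files are deliberately kept.
    }

    // Delete Community Account.
    public async Task DeleteCommunityAccountAsync(bool alsoErasePaymentRecord,
                                                  CancellationToken ct = default)
    {
        // 1. Read the token before touching local state: once it is gone the
        //    backend call can no longer be authenticated and the user cannot retry.
        string? token = await SecureStorage.Default.GetAsync(AccessTokenKey);
        if (token is null)
            throw new InvalidOperationException("Not signed in; no backend record to delete.");

        // 2. Backend first. If either call throws (network error, 5xx), nothing
        //    local has been wiped, so the user can retry and no backend record is
        //    silently orphaned while the device looks clean.
        if (alsoErasePaymentRecord)
            await _api.CancelSubscriptionAndEraseCustomerAsync(token, ct);
        await _api.DeleteAccountAsync(token, ct);

        // 3. Local wipe: tokens (Category C), Community preferences (Category B),
        //    cached backend records (Category E). User-chosen project files
        //    (Category A) sit outside the app sandbox and are never touched here.
        SecureStorage.Default.RemoveAll();
        Preferences.Default.Clear(CommunityPrefs);
        string dir = Path.Combine(FileSystem.Current.AppDataDirectory, CacheFolder);
        if (Directory.Exists(dir))
            Directory.Delete(dir, recursive: true);
    }
}
```

Two design choices carry the policy’s intent: storage is partitioned by data category (a dedicated Preferences container and cache folder for Community data) so that disposal of one category cannot spill into another, and the backend deletion runs before any local wipe so that a failed deletion leaves the user able to retry rather than believing records are gone when they are not.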
6.3 Diagnostic data (Category G)
Diagnostic data is treated separately because it is not user-created.
- Platform log facility output is written by the application during development to support debugging. Log retention is governed by the operating system. QuiltRBuddy does NOT transmit log output off-device in production builds.
Diagnostic data is never persisted across application uninstall.
7. Retention of Community-Backend-Held Data (Categories D, E, F)
7.1 Active account
While a user’s QuiltRBuddy Community account is active:
- The identity-provider record (Category D) is retained for the lifetime of the account.
- Community-backend records (Category E) are retained for as long as the user maintains them.
- The payment-processor customer record (Category F) is retained for the lifetime of the subscription plus any post-cancellation period required by the processor’s policies and applicable accounting/tax regulations (typically seven years for billing records).
7.2 Account deletion
When a user invokes Delete Community Account, or submits an email deletion request honored under Section 11:
- The identity-provider record is deleted within 30 days.
- Community-backend records are deleted within 30 days.
- The payment-processor customer record is deleted to the extent permitted by the processor’s policies and applicable regulations. Subscription billing records typically must be retained for tax/accounting purposes for seven years; the customer-personal-data fields are minimized (e.g., name and email replaced with deletion-token markers).
- Short-term vendor-side backups of the deleted records age out on a rolling 30-day cycle; Sierra Digital Forge keeps no independent backup of these records (Section 10).
7.3 Inactive accounts
Sierra Digital Forge does not currently apply a unilateral retention ceiling to inactive accounts. Inactive-account purge cadences may be introduced in a future revision of this Policy and will be announced in-app and via the published Privacy Policy at least 30 days before they take effect.
8. Retention of Sierra Digital Forge-Controlled Records (Categories H, I, J, K)
8.1 Source code and build artifacts (Category H)
| Sub-category | Retention period | Disposal method when retention ends |
|---|---|---|
| Source code in private GitHub repository | Lifetime of the QuiltRBuddy product plus a post-end-of-life tail. | Repository deletion via GitHub administrative interface. |
| Local working copy on developer workstation | While actively developing. | Filesystem deletion; secure-erase before workstation retirement (Section 9). |
| Compiled MSIX / APK debug builds | Duration of the active development session. | Filesystem deletion. |
| Signed MSIX / APK release builds prior to store upload | Until the release has been promoted to production and verified. | Filesystem deletion after release verification. |
8.2 API credentials (Category I)
| Credential | Retention period | Disposal method when retention ends |
|---|---|---|
| GEMINI_API_KEY | While QuiltRBuddy integrates with Gemini. | Rotation by issuing a new key in the Google Cloud Console and revoking the old; secure deletion of the old key from secrets.json and the password manager. |
| Payment-processor publishable + secret keys | While QuiltRBuddy integrates with the processor. | Rotation in the processor’s dashboard; secure deletion of the old secret. |
| Identity-provider config / admin keys | While the Community identity provider is in use. | Rotation in the provider’s console; secure deletion of the old config. |
8.3 Code-signing keys (Category J)
The Windows code-signing certificate and the Android upload keystore are retained for the lifetime of the QuiltRBuddy product. Loss of the Android upload keystore prevents publication of further updates of the same application package on the Google Play Store and is treated as a high-impact incident. (Play App Signing, when enabled, mitigates this: Google holds the app signing key, and a lost upload key can be reset through Play Console support.)
Disposal at end-of-life consists of secure filesystem deletion, secure deletion of the offline backup copy, and an attestation entered into the records of disposal (Section 12).
8.4 Business records (Category K)
| Sub-category | Retention period | Disposal method |
|---|---|---|
| Security and privacy policies | Lifetime of QuiltRBuddy plus seven years (or longer if required by regulation). | Secure filesystem deletion. |
| Vendor agreements | Lifetime of the contract plus accounting/tax retention requirements. | Secure filesystem deletion. |
| Access-review records | At least three years from the review date. | Secure filesystem deletion. |
| Incident reports | At least seven years from incident closure. | Secure filesystem deletion. |
| Tax / accounting records | Per IRS and Nevada Department of Taxation retention requirements (currently seven years). | Secure filesystem deletion or destruction of physical records. |
9. Disposal Methods
9.1 On-device disposal
- In-application record deletion removes the record from the application’s sandboxed storage and (for Community users) the corresponding backend record.
- In-application Delete Community Account clears the application’s sandboxed Community state, signs the user out, and triggers backend deletion.
- Application uninstall invokes the platform’s application-removal flow. Android reclaims sandboxed storage; Windows leaves user-chosen project files in place (they belong to the user).
9.2 Community-backend disposal
- User-initiated account deletion is executed by the application against the identity provider, the Community backend, and (where applicable) the payment processor.
- Administrator-initiated deletion (in response to an email request honored under Section 11) is performed by the Managing Member through the relevant vendor consoles.
9.3 Sierra Digital Forge-controlled disposal
- Filesystem deletion removes the file from the workstation filesystem, followed by emptying the operating-system recycle bin. This makes the file unavailable to ordinary access but does not sanitize the underlying media; media sanitization is performed at workstation retirement (next item).
- Secure-erase before workstation retirement uses the manufacturer’s secure-erase tool or a NIST SP 800-88 Rev. 1-aligned wipe utility.
- Credential rotation issues a new credential at the vendor, switches QuiltRBuddy to it, revokes the old credential at the vendor (verifying that it no longer authenticates), and then deletes the old credential value from secrets.json and the password manager.
- Repository deletion uses the GitHub administrative interface.
- Cryptographic destruction of signing keys is applied at end-of-life by securely deleting every copy (workstation and offline backup) and entering an attestation in the records of disposal (Section 12).
9.4 Subprocessor-side disposal
Sierra Digital Forge cannot perform direct disposal of data held by a subprocessor. Disposal is requested through the subprocessor’s published mechanisms:
- Gemini: Sierra Digital Forge stores nothing per user on the Gemini side, so there is no per-user record to dispose of; any Google-side query logs fall under Google’s retention terms, and the API project is configured for the most restrictive retention available.
- Payment processor: Customer-record deletion via the processor’s API or dashboard, subject to the processor’s retention policies and applicable accounting/tax regulations.
- Identity provider: Account record deletion via the provider’s console.
10. Backup and Archival Data
The Community-backend and payment-processor data benefit from each vendor’s standard redundancy. Sierra Digital Forge does not maintain independent backups of those records.
Sierra Digital Forge does maintain backups of:
- Source code (GitHub-native redundancy; no separate independent backup).
- Code-signing keys (encrypted offline target retained in a physically secure location).
- Business records and policies (encrypted offline storage co-located with the keystore backup).
Backups inherit the retention period of their source data.
11. Data Subject Deletion Requests
11.1 On-device data
A user who wishes to have their on-device data deleted exercises that right directly through the in-application Delete Community Account affordance described in Section 6.2, or by uninstalling the application and deleting their project files if desired.
11.2 Community-backend and payment-processor data
A registered user who wishes to have their account records deleted may:
- Use Edit > Preferences > Your Data > Delete Community Account from inside the application.
- Email privacy@sierradigitalforge.com with the subject “Delete My QuiltRBuddy Account.”
Sierra Digital Forge responds within 5 business days and completes deletion within 30 days, subject to processor-side retention of billing records as described in Section 7.2.
11.3 Subprocessor-held data
A user who wishes to have data held by a subprocessor deleted may:
- For Gemini-held query logs: queries are made under Sierra Digital Forge’s own API key (Category I), not the user’s Google account, and carry no per-user identifier (Section 9.4), so there is no user-specific record at Google to delete. Questions about this data may be raised with Sierra Digital Forge at privacy@sierradigitalforge.com.
- For payment-processor records: contact the payment processor through its support channel (Stripe Privacy, Paddle Privacy, or Google Account Permissions for Play Billing, depending on which processor handled the user’s subscription).
11.4 Right to Erasure inquiries
A user with a Right to Erasure inquiry under a consumer-privacy regulation may contact Sierra Digital Forge at privacy@sierradigitalforge.com. Sierra Digital Forge will:
- Confirm receipt of the inquiry within a reasonable period.
- Identify the data Sierra Digital Forge holds about the user.
- Execute the deletion against the identity provider and Community backend, or provide a reasoned response if a legal hold or other regulatory exception applies.
- Provide the user with routing information for any subprocessor-held data the user has identified.
12. Records of Disposal
Sierra Digital Forge maintains a records-of-disposal log for disposal events that affect Sierra Digital Forge-controlled records (Categories H, I, J, K) and for backup-target updates. Each log entry records:
- The data category disposed of.
- The retention period that applied.
- The disposal method used.
- The date the disposal was completed.
- The records officer who completed the disposal.
The records-of-disposal log itself is retained for at least seven years.
Per-user backend disposals (account deletions) are recorded in the vendor audit logs automatically.
13. Exception Process
If an operational situation appears to require a deviation from this Policy, the exception is handled per Section 15 of the Sierra Digital Forge Access Controls Policy: documented in writing in advance, approved by the Managing Member, logged with start and end timestamps, and closed promptly when the underlying need ends.
No exception has been issued since the Effective Date of this Policy.
14. Policy Review
This Policy is reviewed in full at least once per calendar year by the Managing Member. The annual review considers:
- Whether the data categories enumerated in Section 5 still reflect the data Sierra Digital Forge processes.
- Whether the retention periods in Sections 6, 7, and 8 still reflect Sierra Digital Forge’s operational and regulatory requirements.
- Whether the disposal methods in Section 9 remain effective on currently-supported Windows and Android versions and currently-engaged subprocessors.
- Whether the Right-to-Erasure routing in Section 11.4 reflects the current regulatory environment.
The Policy is also reviewed promptly on the occurrence of any of the events listed in Section 14.2 of the Sierra Digital Forge Access Controls Policy.
15. Related Documents
- Sierra Digital Forge Information Security Policy (v1.0)
- Sierra Digital Forge Access Controls Policy (v1.0)
- Sierra Digital Forge Multi-Factor Authentication Policy (v1.0)
- Sierra Digital Forge Privacy Policy (published at the URL specified in the Google Play Console listing for QuiltRBuddy)
16. Distribution & Contact
This Policy is made available to partners, vendors, and regulators on request.
Sierra Digital Forge LLC — primary contacts
| Channel | Detail |
|---|---|
| Mailing address | c/o Northwest Registered Agent LLC, 732 S. 6th St., Suite N, Las Vegas, NV 89101, USA |
| Executive email | ron@sierradigitalforge.com |
| Operations / security email | info@sierradigitalforge.com |
| Telephone (voice or text, mobile) | 702-469-7646 |
| Telephone (office) | 1-855-SIERRA (1-855-743-7772) |
| Website | www.sierradigitalforge.com |
17. Acknowledgment
I, Ronald Warren, in my capacity as Managing Member of Sierra Digital Forge LLC, attest that the data retention and disposal practices described in this Policy are in effect as of the Effective Date.
Ronald Warren
Managing Member, Sierra Digital Forge LLC
Date: May 18, 2026