Data Retention and Disposal Policy
Organization: Sierra Digital Forge LLC
Product covered: StreamWrangler (Android mobile application)
Effective date: May 18, 2026
Last reviewed: May 18, 2026
Document owner: Ronald Warren, Managing Member
Version: 1.0
Related policies: Information Security Policy v1.0, Access Controls Policy v1.0, Multi-Factor Authentication Policy v1.0
⚠️ DRAFT — REQUIRES LAWYER REVIEW BEFORE PUBLICATION.
1. Purpose
This Data Retention and Disposal Policy (“Policy”) defines how Sierra Digital Forge LLC (“Sierra Digital Forge”) retains, archives, and disposes of data created, received, or processed by Sierra Digital Forge in connection with the StreamWrangler Android mobile application (“StreamWrangler”).
The Policy operationalizes the data-lifecycle requirements summarized in Section 11 of the Sierra Digital Forge Information Security Policy and the data-handling requirements summarized in Section 4 of the same Policy. It adds the procedural depth required by applicable consumer-privacy regulations.
Objectives:
- To enumerate every category of data that Sierra Digital Forge creates, receives, or processes in connection with StreamWrangler.
- To document the retention period applicable to each category.
- To document the disposal method by which each category is eliminated at the end of its retention period or on demand.
- To make explicit the distinction between on-device data and Sierra Digital Forge-controlled Firebase records.
- To honor user-initiated deletion requests, regulator deletion requests, and the Right to Erasure where applicable consumer-privacy regulations grant it.
2. Scope
This Policy applies to:
- All data Sierra Digital Forge creates, receives, or processes in connection with the StreamWrangler application, including data the application receives from third-party services (TMDB, Watchmode, Trakt, YouTube embedded player) and data Sierra Digital Forge stores in its Firebase project (Authentication and Cloud Firestore).
- All Sierra Digital Forge-controlled records that relate to the operation of StreamWrangler, including source code, build artifacts, signing keys, API credentials, security and privacy policies, vendor agreements, incident reports, and access-review records.
- All data residing on the Sierra Digital Forge developer workstation that pertains to StreamWrangler.
This Policy does NOT cover:
- Data held by subprocessors on subprocessor-controlled infrastructure. Each subprocessor maintains its own retention and disposal policy applicable to data Sierra Digital Forge submits to it. Section 7 describes Sierra Digital Forge’s posture toward subprocessor-side retention.
- Personal records of the Managing Member that do not pertain to StreamWrangler.
- Data held by the end user on the end user’s own device after StreamWrangler is uninstalled and the Android system reclaims the application’s sandboxed storage area.
3. Definitions
| Term | Definition |
|---|---|
| Data | Any information, in any format, created, received, transmitted, or stored by or on behalf of Sierra Digital Forge in connection with StreamWrangler. |
| Consumer data | Data that pertains to a specific end user of StreamWrangler, including but not limited to user-entered records, watchlist entries, viewing state, Trakt-sourced history, and identity assertions returned by Firebase Authentication. |
| On-device data | Consumer data that resides on the end user’s Android device inside the StreamWrangler application’s sandboxed storage area. For registered users, this is typically a local cache of the source-of-truth state stored in Cloud Firestore. For guest users, on-device data is the only copy. |
| Firebase-held data | Consumer data Sierra Digital Forge stores on its Firebase project. Includes Firebase Authentication records (UID, email, hashed password / federated identity) and Cloud Firestore documents under users/<uid>/.... |
| Sierra Digital Forge-controlled records | Data held on infrastructure that Sierra Digital Forge controls, including the developer workstation, the private source-code repository on GitHub, the Firebase project, and the developer password manager. |
| Retention period | The interval during which a data category is permitted to exist before disposal is required. |
| Disposal | The act of permanently removing data such that the data cannot be reconstructed, retrieved, or used. The applicable disposal methods are enumerated in Section 9. |
| Right to Erasure | A consumer’s right to have data about them deleted on request, where applicable consumer-privacy regulations grant such a right. |
| Subprocessor | A third-party service Sierra Digital Forge has engaged to support a feature of StreamWrangler. The enumerated subprocessors are Firebase (Authentication and Cloud Firestore), TMDB, Watchmode, Trakt, and YouTube. |
4. Roles & Responsibilities
Sierra Digital Forge is a member-managed limited liability company. All Policy roles are currently vested in the Managing Member.
| Role | Holder | Responsibility |
|---|---|---|
| Policy owner | Ronald Warren, Managing Member | Approves and maintains this Policy; defines the categories enumerated in Section 5; signs off on retention-period adjustments. |
| Records officer | Ronald Warren, Managing Member | Maintains the records of disposal described in Section 12; processes deletion requests received under Section 11. |
| Implementation lead | Ronald Warren, Managing Member | Ensures the StreamWrangler application code implements the on-device retention and disposal behaviors described in Sections 6 and 9. |
5. Data Categories
Sierra Digital Forge classifies the data within the scope of this Policy into the following categories. The retention period and disposal method applicable to each category are documented in Sections 6, 7, 8, and 9.
| Category | Examples | Where it resides |
|---|---|---|
| A. On-device guest preferences | Preferred streamers, hide-anime toggle, recently viewed list, default tab. | End user’s Android device, inside the StreamWrangler sandboxed storage area. Guest mode only. |
| B. On-device registered-user cache | Cached copy of the user’s watchlist, viewing state, settings, and recently viewed list, mirroring Cloud Firestore for offline reads. | End user’s Android device, inside the StreamWrangler sandboxed storage area. |
| C. On-device authentication and OAuth tokens | Firebase Authentication session and refresh tokens; Trakt OAuth tokens (registered users who linked Trakt). | End user’s Android device, inside App-private storage protected by the Android user-data sandbox. |
| D. Firebase Authentication record | UID, email address, hashed password (or third-party sign-in linkage), creation date, sign-in audit metadata. | Sierra Digital Forge Firebase project (administered through Google Cloud Console). |
| E. Cloud Firestore documents | Watchlist, viewing state, profile, settings, family-member identity configuration, recently viewed list, Family Activity entries. | Sierra Digital Forge Firebase project, under users/<uid>/.... |
| F. On-device diagnostic data | Android logcat output during development. | End user’s Android device. Not transmitted off-device in production. |
| G. Source code and build artifacts | Kotlin source files, Gradle build configuration, Compose UI code, asset files, generated APK builds. | Private GitHub repository (rdwarren67/streamwrangler) under Sierra Digital Forge control; local working copy on the developer workstation. |
| H. API credentials | TMDB API key, Watchmode API key, Trakt client ID + secret, Firebase config (committed to repo per Google guidance). | local.properties on the developer workstation (gitignored); developer password manager. |
| I. Code-signing keys | Android release keystore that signs StreamWrangler APK builds for distribution via the Google Play Store. | Developer workstation; backed up to an encrypted offline backup target. |
| J. Business records | This Policy and related policies; vendor agreements; access-review records; incident reports; tax and accounting records pertaining to StreamWrangler. | Developer workstation; backed up per Sierra Digital Forge business-records practice. |
| K. Subprocessor-held data | TMDB-side query logs; Watchmode-side query logs; Trakt-side OAuth linkage; YouTube-side embed playback metadata; Firebase platform logs. | Each subprocessor’s own infrastructure. |
6. Retention of On-Device Consumer Data (Categories A, B, C, F)
6.1 Retention model
On-device consumer data is retained on the end user’s device under the user’s direct control.
- Guest mode (Category A). On-device data is the only copy. Sierra Digital Forge never holds a guest user’s preferences on Sierra Digital Forge-controlled infrastructure.
- Registered mode (Categories B and C). On-device data is a local cache; the source of truth lives in Cloud Firestore.
The retention period for on-device consumer data is “for as long as the end user chooses to keep it.” The user is in continuous control of retention through the affordances described in Section 6.2.
6.2 User-controlled disposal affordances
The StreamWrangler application provides the following user-controlled disposal affordances:
- Individual record deletion. The user may delete any individual watchlist entry, watched-episode mark, recently viewed entry, or Family Activity entry through the in-application editor surface. Deletion immediately removes the record from the application’s sandboxed storage and (for registered users) from the corresponding Cloud Firestore document.
- Sign out. The user may sign out of their account from Settings → Account → Sign Out. Sign-out clears the application’s cached identity assertion and Firebase session token. Other application data is not affected on-device; the Firestore documents remain in the backend under the account UID until the user signs back in or deletes the account.
- Disconnect Trakt. The user may disconnect a linked Trakt account from inside the application. Disconnection deletes the corresponding Trakt OAuth token from on-device storage and signals Trakt to revoke the token. Existing watchlist records sourced from Trakt remain on-device and in Firestore for the user’s reference unless the user separately deletes them.
- Delete Account & Wipe Data. The user may invoke Settings → Account → Delete Account & Wipe Data. This affordance performs an in-app wipe of all user data on the device (Categories A, B, C), triggers backend deletion of the user’s Firebase Authentication record and Firestore documents (Categories D, E), and signs the user out.
- Uninstall. The user may uninstall the application via the Android system. The Android system reclaims the application’s sandboxed storage area; on devices with file-based encryption, the storage area is cryptographically inaccessible after the encryption keys for that uid are discarded. For registered users, the Firestore documents and Firebase Authentication record remain until the user explicitly deletes the account.
6.3 Diagnostic data (Category F)
Diagnostic data is treated separately because it is not user-created.
- Android logcat output is written by the application during development to support debugging. logcat retention is governed by the Android operating system’s circular log buffer; entries are evicted on a first-in-first-out basis as the buffer fills. StreamWrangler does NOT transmit logcat output off-device in production builds.
Diagnostic data is never persisted across application uninstall.
7. Retention of Firebase-Held Data (Categories D, E)
7.1 Active account
While a user’s StreamWrangler account is active:
- The Firebase Authentication record is retained on Sierra Digital Forge’s Firebase project for the lifetime of the account.
- Cloud Firestore documents under users/<uid>/... are retained for as long as the user maintains them. Sierra Digital Forge does not impose a unilateral retention ceiling on these documents while the account is active.
7.2 Account deletion
When a user invokes Delete Account & Wipe Data, or submits an email deletion request honored under Section 11:
- The Firebase Authentication record is deleted from the Firebase project.
- The Cloud Firestore documents under users/<uid>/... are deleted.
- Both deletions complete within 30 days. Short-term backups age out on a rolling 30-day cycle.
7.3 Inactive accounts
Sierra Digital Forge does not currently apply a unilateral retention ceiling to inactive accounts. Inactive-account purge cadences may be introduced in a future revision of this Policy and will be announced in-app and via the published Privacy Policy at least 30 days before they take effect.
8. Retention of Sierra Digital Forge-Controlled Records (Categories G, H, I, J)
8.1 Source code and build artifacts (Category G)
| Sub-category | Retention period | Disposal method when retention ends |
|---|---|---|
| Source code in private GitHub repository | Retained for the lifetime of the StreamWrangler product. Retained for an additional period after product end-of-life to support customer-support tail and any post-launch security disclosures. | Repository deletion via GitHub administrative interface. |
| Local working copy on developer workstation | Retained as a working copy while the product is in active development. | Filesystem deletion; secure-erase before workstation retirement (Section 9). |
| Compiled APK debug builds | Retained on the developer workstation for the duration of the active development session. Older debug builds are routinely overwritten by Gradle’s build output. | Filesystem deletion via ./gradlew clean. |
| Signed APK release builds prior to upload to Play | Retained on the developer workstation until the corresponding release has been promoted to production and verified. | Filesystem deletion after release verification. |
8.2 API credentials (Category H)
| Credential | Retention period | Disposal method when retention ends |
|---|---|---|
| TMDB_API_KEY | Retained while StreamWrangler integrates with TMDB. Rotated before the first public build per the pre-rotation note in LEGAL_README.md, then on standard cadence. | Rotation by issuing a new key in the TMDB Developer Dashboard and revoking the old key; secure deletion of the old key from local.properties and the password manager. |
| WATCHMODE_API_KEY | Retained while StreamWrangler integrates with Watchmode. Rotated before the first public build per the pre-rotation note. | Rotation by issuing a new key and revoking the old. |
| Trakt client ID and secret | Retained while StreamWrangler integrates with Trakt. | Rotation in the Trakt Application Console; secure deletion of the old secret. |
| Firebase config (google-services.json) | Retained for the lifetime of the Firebase project. The config file is public per Google’s guidance and is not treated as a secret; protection is via Firestore Security Rules. | Project deletion through Google Cloud Console. |
Credential rotation occurs:
- On suspicion or confirmation of credential compromise.
- On personnel separation that involved credential exposure (not applicable today; Sierra Digital Forge has no personnel beyond the Managing Member).
- On vendor-recommended cadence where the vendor requires periodic rotation.
8.3 Code-signing keys (Category I)
The Android release keystore is retained for the lifetime of the StreamWrangler product. Loss of the keystore prevents publication of further updates of the same application package on the Google Play Store and is treated as a high-impact incident.
Disposal of the release keystore occurs only when the application is permanently end-of-lifed and no further updates will ever be published. Disposal in that scenario consists of secure filesystem deletion, secure deletion of the offline backup copy, and an attestation entered into the records of disposal (Section 12).
8.4 Business records (Category J)
| Sub-category | Retention period | Disposal method when retention ends |
|---|---|---|
| Security and privacy policies (this Policy and related documents) | Retained for the lifetime of the StreamWrangler product plus the longer of (i) seven years and (ii) any longer period required by applicable regulation. | Secure filesystem deletion. |
| Vendor agreements (TMDB, Watchmode, Trakt, Firebase, etc.) | Retained for the lifetime of the contract plus any post-termination period required by the contract or by applicable accounting / tax retention requirements. | Secure filesystem deletion. |
| Access-review records (Section 14 of the Access Controls Policy) | Retained for at least three years from the date of the review. | Secure filesystem deletion. |
| Incident reports | Retained for at least seven years from the date the incident was closed. | Secure filesystem deletion. |
| Tax and accounting records pertaining to StreamWrangler | Retained per applicable Internal Revenue Service and Nevada Department of Taxation retention requirements (currently seven years from the relevant filing date). | Secure filesystem deletion or destruction of physical records. |
9. Disposal Methods
This Section enumerates the disposal methods Sierra Digital Forge applies to dispose of data at the end of its retention period or on demand.
9.1 On-device disposal
- In-application record deletion removes the record from the application’s sandboxed storage and (for registered users) the corresponding Cloud Firestore document.
- In-application Delete Account & Wipe Data clears the application’s sandboxed storage, signs the user out, and triggers deletion of the user’s Firebase Authentication record and Firestore documents.
- Application uninstall invokes the Android system’s application-removal flow. The Android system reclaims the application’s sandboxed storage area; on devices with file-based encryption, the storage area is cryptographically inaccessible after the encryption keys for that application uid are discarded. (Backend records under the user’s UID remain until the user explicitly deletes the account.)
9.2 Firebase disposal
- User-initiated account deletion is executed by the application against Firebase Authentication and Cloud Firestore. Backups age out on a rolling 30-day cycle.
- Administrator-initiated deletion (in response to an email request honored under Section 11) is performed by the Managing Member through the Firebase / Google Cloud Console.
9.3 Sierra Digital Forge-controlled disposal
- Filesystem deletion removes the file from the workstation filesystem using a standard delete operation, followed by a manual emptying of the operating-system recycle bin.
- Secure-erase before workstation retirement is applied to the developer workstation before the workstation is decommissioned, sold, donated, or otherwise transferred out of Sierra Digital Forge’s control. The secure-erase method is the workstation manufacturer’s published secure-erase tool, or a National Institute of Standards and Technology Special Publication 800-88 Revision 1-aligned wipe utility appropriate to the storage device type (HDD versus SSD).
- Credential rotation disposes of a credential by issuing a new credential at the vendor, marking the old credential revoked at the vendor, and then deleting the old credential value from local.properties and the password manager.
- Repository deletion disposes of source-code data by deleting the GitHub repository via the GitHub administrative interface. GitHub holds a brief recovery window per its own retention policy; after that window expires, the repository is unrecoverable.
- Cryptographic destruction of signing keys is applied to the release keystore at end-of-life by securely deleting every copy (workstation and offline backup) and entering an attestation of destruction into the records of disposal.
9.4 Subprocessor-side disposal
Sierra Digital Forge cannot perform direct disposal of data held by a subprocessor. Disposal is requested through the subprocessor’s published mechanisms:
- Firebase: Deletion via the Firebase / Google Cloud Console for Sierra Digital Forge-administered records.
- TMDB and Watchmode: Stateless query logs; no per-user retention to dispose of.
- Trakt: OAuth token revocation via the App’s disconnect affordance or via the Trakt account-settings page.
- YouTube: Embedded-player metadata is per Google’s published retention; the end user can manage their YouTube account data via their Google account.
10. Backup and Archival Data
The Firebase project benefits from Google Cloud’s redundancy. Sierra Digital Forge does not maintain a separate independent backup of the Firebase project; restoration after a Firebase-side incident would be coordinated with Google’s standard support and recovery channels.
Sierra Digital Forge does maintain backups of Sierra Digital Forge-controlled records, as follows:
- The source-code repository on GitHub is the canonical retention store for source code and benefits from GitHub’s own redundancy and backup posture. Sierra Digital Forge does not maintain an additional independent backup of the source-code repository.
- The release keystore is backed up to an encrypted offline target (an external storage device retained in a physically secure location at the Sierra Digital Forge mailing address). The backup is updated when the keystore is updated; on disposal of the primary keystore, the backup is disposed of in the same operation.
- Business records and policies are backed up to encrypted offline storage co-located with the keystore backup.
Backups inherit the retention period of their source data. Disposal of a backup occurs whenever disposal of the source data occurs, and is recorded in the same records-of-disposal entry.
11. Data Subject Deletion Requests
11.1 On-device data
A user who wishes to have their on-device data deleted exercises that right directly through the in-application Delete Account & Wipe Data affordance described in Section 6.2, or by uninstalling the application.
11.2 Firebase-held data
A registered user who wishes to have their Firebase Authentication record and Cloud Firestore documents deleted may:
- Use Settings → Account → Delete Account & Wipe Data from inside the application.
- Email privacy@sierradigitalforge.com with the subject “Delete My StreamWrangler Account.”
Sierra Digital Forge responds within 5 business days and completes deletion within 30 days.
11.3 Subprocessor-held data
A user who wishes to have data held by a subprocessor deleted may:
- For Trakt-held data: disconnect via the App, then visit trakt.tv to manage the linkage history.
- For YouTube-played trailer history: manage via the user’s Google account at myactivity.google.com.
- For data submitted to TMDB or Watchmode: no per-user records are submitted by Sierra Digital Forge; query logs on those providers are subject to the providers’ own retention.
Sierra Digital Forge will, on user request and on receipt of sufficient information to identify the data in question, assist the user in routing a deletion request to the appropriate subprocessor, including providing the user with the subprocessor’s published contact channel.
11.4 Right to Erasure inquiries
A user with a Right to Erasure inquiry under a consumer-privacy regulation may contact Sierra Digital Forge at privacy@sierradigitalforge.com. Sierra Digital Forge will:
- Confirm receipt of the inquiry within a reasonable period.
- Identify the data Sierra Digital Forge holds about the user (Firebase Authentication record and Cloud Firestore documents under the user’s UID).
- Execute the deletion against Firebase, or provide a reasoned response if a legal hold or other regulatory exception applies.
- Provide the user with routing information for any subprocessor-held data the user has identified.
12. Records of Disposal
Sierra Digital Forge maintains a records-of-disposal log for disposal events that affect Sierra Digital Forge-controlled records (Categories G, H, I, J) and for backup-target updates. The log entry for each disposal records:
- The data category disposed of.
- The retention period that applied.
- The disposal method used (per Section 9).
- The date the disposal was completed.
- The records officer who completed the disposal.
The records-of-disposal log itself is retained for at least seven years from the date of the most recent entry.
Per-user Firebase-side disposals (account deletions) are recorded in the Firebase Cloud Audit Log automatically; Sierra Digital Forge does not maintain a parallel per-user disposal log.
13. Exception Process
If an operational situation appears to require a deviation from this Policy (for example, extending the retention of a specific incident report past the standard period because of an ongoing investigation), the exception is handled per Section 15 of the Sierra Digital Forge Access Controls Policy: documented in writing in advance, approved by the Managing Member, logged with start and end timestamps, and closed promptly when the underlying need ends.
No exception has been issued since the Effective Date of this Policy.
14. Policy Review
This Policy is reviewed in full at least once per calendar year by the Managing Member. The annual review considers:
- Whether the data categories enumerated in Section 5 still reflect the data Sierra Digital Forge processes.
- Whether the retention periods in Sections 6, 7, and 8 still reflect Sierra Digital Forge’s operational and regulatory requirements.
- Whether the disposal methods in Section 9 remain effective on currently-supported Android versions and currently-engaged subprocessors.
- Whether the Right-to-Erasure routing in Section 11.4 reflects the current regulatory environment.
The Policy is also reviewed promptly on the occurrence of any of the events listed in Section 14.2 of the Sierra Digital Forge Access Controls Policy, with particular attention to events that change the data Sierra Digital Forge processes (new subprocessor onboarding, new product feature, new applicable regulation).
15. Related Documents
- Sierra Digital Forge Information Security Policy (v1.0)
- Sierra Digital Forge Access Controls Policy (v1.0)
- Sierra Digital Forge Multi-Factor Authentication Policy (v1.0)
- Sierra Digital Forge Privacy Policy (published at the URL specified in the Google Play Console listing for StreamWrangler)
- TMDB API Terms of Use
- Watchmode API Terms of Service
- Trakt API Terms of Service
- Firebase Data Processing and Security Terms
16. Distribution & Contact
This Policy is made available to partners, vendors, and regulators on request.
Sierra Digital Forge LLC — primary contacts
| Channel | Detail |
|---|---|
| Mailing address | c/o Northwest Registered Agent LLC, 732 S. 6th St., Suite N, Las Vegas, NV 89101, USA |
| Executive email | ron@sierradigitalforge.com |
| Operations / security email | info@sierradigitalforge.com |
| Telephone (voice or text, mobile) | 702-469-7646 |
| Telephone (office) | 1-855-SIERRA (1-855-743-7772) |
| Website | www.sierradigitalforge.com |
17. Acknowledgment
I, Ronald Warren, in my capacity as Managing Member of Sierra Digital Forge LLC, attest that the data retention and disposal practices described in this Policy are in effect as of the Effective Date. I commit to maintain, review, and update this Policy in accordance with the cadences specified herein, and to honor the user-controlled disposal affordances enumerated in Section 6.2 in every supported release of StreamWrangler.
Ronald Warren
Managing Member, Sierra Digital Forge LLC
Date: May 18, 2026