Compliance
Data Retention
How long Cresora retains data and your data retention obligations.
Cresora data retention schedule
| Data type | Retention period | Notes |
|---|---|---|
| Payment records | 7 years | PCI DSS Requirement 10; required for dispute resolution |
| API request logs | 90 days | Available in audit log |
| Webhook delivery logs | 30 days | Available in Portal |
| Settlement reports | 7 years | Required for financial records |
| User activity logs | 1 year | Portal login and action history |
| ACH authorization records | 2 years after last entry | NACHA requirement; stored by you, not Cresora |
Your data retention obligations
| Data | Your retention obligation |
|---|---|
| ACH authorization records | 2 years after last debit (NACHA) |
| Customer consent records | Per your privacy policy and applicable law |
| PCI SAQ | Retain each completed SAQ |
| NACHA authorization samples | 2 years |
Data deletion requests
Cresora honors verified data deletion requests per GDPR, CCPA, and other applicable privacy laws. Payment records required by law (PCI, AML, tax) are exempt from deletion.
To submit a data deletion request on behalf of a customer:
- Verify the customer's identity
- Submit via Partner Portal → Compliance → Data Requests → New Request
- Specify the data subject and request type
Cresora processes deletion requests within 30 days and provides confirmation.
Data portability
Customers can request export of their personal data. Cresora provides:
- Transaction history
- Payment method details (masked)
- Account activity
Submit portability requests via Partner Portal → Compliance → Data Requests → New Request → Type: Export.