payment-gateway.app Docs

payment-gateway.app Docs

Payment Gateway Overview

Backup & Recovery (GDPR)Caddy Reverse Proxy Hostnames & DNS conventions Configuration Requirements Data Processing & Encryption Data Protection Guide Docker Compose Deployment Environment Variables Reference Evidence & Audit Checklist High Availability & Scaling Deployment Overview Licensing Operations Monitoring & Observability Podman Deployment Retention Policy Playbook Shared Responsibility Matrix Troubleshooting Updates & Automation

Deployment

Retention Policy Playbook

Practical guidance for selecting retention settings by business model and compliance posture.

Retention Policy Playbook

This playbook helps operators convert legal/compliance requirements into concrete values for Settings > Retention.

[!IMPORTANT] Use this as implementation guidance. Final retention periods must be approved by your legal/compliance function.

What You Can Configure

At organization scope, you can configure:

transaction retention window (days),
customer-data retention windows for:
- IP addresses,
- billing address,
- shipping address,
- customer email,
- transaction items,
country-retention behavior.

Suggested Starting Profiles

1) B2C Digital Services (EU-heavy)

Transaction data: medium-to-long retention (finance/tax records).
IP addresses: short retention (fraud + troubleshooting window).
Address fields: short-to-medium unless tax/legal obligations require longer.
Customer email: medium retention for billing/service history.

2) B2B Invoicing

Transaction/invoice-linked fields: long retention aligned with accounting law.
IP addresses: short-to-medium retention.
Shipping address: optional depending on physical-goods relevance.
Customer email/contact: medium-to-long where contract/service support requires.

3) Strict Data Minimization Posture

Set shortest legally permissible values by field type.
Use 0 for immediate deletion only where legally acceptable.
Keep country retention if required for tax/compliance evidence.

Decision Workflow

Map each field class to business purpose.
Map legal basis and minimum retention obligations.
Choose retention values and approve internally.
Configure in Settings > Retention.
Validate deletion behavior in non-production.
Re-review quarterly or on regulation change.

Common Pitfalls

Using one blanket value for all field types.
Setting very short windows without finance/legal confirmation.
Forgetting to re-check retention after entering new markets.
Treating backups as exempt from lifecycle policy.

Change Management Template

For each policy change, record:

date and approver,
old value and new value,
reason (legal, operational, minimization, incident),
validation result after rollout.

Related Pages

Data Protection Guide
Shared Responsibility Matrix
Evidence & Audit Checklist

Podman Deployment

Secure, rootless deployment with systemd integration for Linux servers.

Shared Responsibility Matrix

Clarifies which data-protection controls are covered by the application and which must be operated by the self-hosted customer.

On this page

Retention Policy Playbook What You Can Configure Suggested Starting Profiles 1) B2C Digital Services (EU-heavy)2) B2B Invoicing 3) Strict Data Minimization Posture Decision Workflow Common Pitfalls Change Management Template Related Pages