[makeitdouble]

> I've had multiple legal teams tell me that once they pay for something you need to keep everything. It's required to be able to mount a legal defence incase they want to do chargebacks.

Chargebacks are only actionable within a few months at most, so you could need to keep data during that period, but that would be short enough.

The GDPR requires for instance that you delete information from users that are inactive for a set of years (3 years ?). You wouldn't refuse to apply that on chargeback reasons for instance.