That depends on the type of data and locality. If, for example, you're in the US and the data stored on the app is ePHI, then "HIPAA requires that business associates and covered entities retain the following for at least six years from creation date or last effective date, whichever happens to be later". Some states, for example Massachusetts, have even longer retention periods of 7 years.
In other jurisdictions (e.g. Canada, EU), there is no specified period, so you have to define it on your own considering the requirement that the "Personal Information shall only be retained as long as necessary for the fulfillment of those purposes behind data processing."
Make sure you document the retention time and the justification in your procedures, and explain how you handle access and retention in terms of use or contracts with your customers.