Microsoft updated its data retention policy on March 6, 2026, to provide more specific guidance on how long it keeps your data and under what circumstances. The new language clarifies that retention depends on factors like whether you expect Microsoft to keep data until you delete it, whether automated deletion controls exist, and the sensitivity of the information. It also explains what happens after you delete items, including a 30-day window before permanent removal from their systems.
Microsoft's updated retention policy provides greater specificity about how long your data persists and under what conditions it is deleted. The policy now explicitly states that deleted items from OneDrive and Outlook.com may remain in Microsoft's systems for up to 30 days before permanent removal, even after you empty the Deleted Items folder. Additionally, the updated terms clarify that retention periods depend on whether you have an expectation that Microsoft will keep the data until you actively remove it, and whether automated controls exist to let you access and delete data yourself. You can review Microsoft's privacy dashboard to exercise available deletion controls and understand which services retain your data under these criteria.
The updated policy clarifies that deletion is not instantaneous; your data persists for up to 30 days after you take deletion action. This matters because it affects how quickly your data is truly removed from Microsoft's systems and may impact your understanding of data breach risk, data residency, and compliance with privacy regulations that require timely erasure.
→ Review your Microsoft privacy dashboard to understand which deletion controls are available for your specific services (OneDrive, Outlook.com, etc.).
→ If you require faster deletion than the 30-day window, contact Microsoft support to understand whether expedited deletion is available for your account or data type.
→ Your deleted data will remain in Microsoft's systems for up to 30 days, during which it could theoretically be accessed by Microsoft or exposed in a breach.
→ You may inadvertently represent to customers or regulators that data is deleted immediately when using Microsoft services, creating compliance risk under GDPR or CCPA if your own privacy notice does not account for the 30-day window.
Data deleted by users remains in Microsoft's system for up to 30 days before final removal.
Retention periods now explicitly depend on customer expectations, availability of automated deletion controls, and data sensitivity.
This change record describes what was added, removed, or modified in the document. Analysis reflects what the updated agreement states or permits. It does not constitute a legal determination about enforceability. Applicability may vary by jurisdiction. Methodology
When you delete an email or document, Microsoft keeps it for up to 30 days before it is gone for good.
Companies using Microsoft now need to be more precise about telling their customers how long deleted data actually stays in the system.
Microsoft materially revised its data retention disclosure on March 6, 2026, by replacing generic language with specific criteria and concrete examples. The policy now details retention decision factors including customer expectation of retention, availability of automated deletion controls, and data sensitivity, and explicitly discloses a 30-day post-deletion grace period before permanent system removal. This change engages GDPR Article 17 (right to erasure) and CCPA requirements around deletion timelines and transparency; organizations relying on Microsoft as a data processor should verify that contractual Data Processing Agreements align with these retention windows, particularly the 30-day post-deletion period, which may affect breach notification timelines and data subject rights fulfillment claims.
Full compliance analysis
Obligation analysis, escalation trigger, board language, and recommended action.
Watcher: regulatory citations + obligations. Professional: full compliance memo.
ConductAtlas provides verified policy intelligence sourced directly from platform documents. All analysis is intended to support, not replace, legal and compliance review. Record CA-C-001840.
See the full side-by-side comparison of every sentence added, removed, and modified.
🔒 Full diff — WatcherMicrosoft Azure updated its privacy policy on April 19, 2026, making several changes to how it handles your data and …
Microsoft revised how it explains data retention. Previously, the policy listed specific criteria for deciding how long to keep data, …
Microsoft Azure's privacy policy now discloses that if you consent to receive marketing communications via phone, the company may contact …
Get alerted when this policy changes again — including what changed and why it matters.
Prefer a weekly summary instead?
Get the biggest policy changes across 320+ platforms every Sunday.