Microsoft revised how it explains data retention. Previously, the policy listed specific criteria for deciding how long to keep data, including examples like documents in OneDrive. Now the policy provides a higher-level framework mentioning purposes for retention, data sensitivity, and legal obligations, but directs users to product documentation for specifics. The practical effect is less transparency about retention timelines in the main privacy policy itself.
Microsoft's privacy policy now provides a less detailed explanation of how long your data is retained. Previously, the policy included specific examples, such as how long deleted emails remain in your system before final deletion, and listed criteria for deciding retention periods. Now those details are consolidated into a more general statement pointing readers to separate product documentation. This means you'll need to consult multiple documents to understand retention timelines for specific services, which reduces transparency at the point of reading the main privacy policy.
The privacy policy is the primary document users and regulators consult to understand how companies handle data. By moving retention details from the policy to scattered product documentation, Microsoft reduced transparency at the point of disclosure, making it harder for users and compliance teams to understand how long their data is kept. This shift also complicates vendor audits and Data Processing Agreement alignment.
→ Review the relevant product documentation (e.g., OneDrive, Outlook, Azure) referenced in the updated privacy policy to understand retention timelines specific to each service you use.
→ If you require clear retention commitments before using Microsoft services, contact Microsoft directly to confirm retention periods for your use case.
→ You will not have access to a single, clear explanation of how long Microsoft retains your data; you may not find detailed retention information without visiting multiple product-specific pages.
→ If you delete data (e.g., empty your Deleted Items folder), you will not know from the main privacy policy how long it remains in Microsoft's systems before permanent removal.
→ Organizations auditing Microsoft's data handling practices will spend more time locating retention policies across multiple product documentations instead of reviewing one comprehensive policy.
ConductAtlas has recorded 2 material changes to this document (since March 2026). An additional minor or cosmetic changes were excluded.
Replaced specific criteria and examples with general factors (purpose, sensitivity, legal obligation); directs to product documentation for details.
Deleted specific example that Deleted Items remain for up to 30 days; removed mention of automated privacy dashboard controls.
This change record describes what was added, removed, or modified in the document. Analysis reflects what the updated agreement states or permits. It does not constitute a legal determination about enforceability. Applicability may vary by jurisdiction. Methodology
You no longer get a clear explanation of how long Microsoft keeps your data in the privacy policy itself; you have to look elsewhere.
Microsoft modified its retention disclosure to use higher-level criteria (purpose, sensitivity, legal obligation) rather than specific examples and decision trees. The policy now directs users to product documentation for granular details. For organizations conducting vendor assessments, privacy impact assessments, or data processing impact analyses, this change means retention timelines are no longer fully specified in the central privacy policy; compliance teams will need to cross-reference product documentation. This may affect how data retention is represented in Data Processing Agreements and privacy notices served to customers. GDPR Article 5(1)(e) and similar global data minimization principles require that data be kept no longer than necessary; whether Microsoft's framework adequately demonstrates compliance with those principles may depend on clarity and accessibility of the referenced product documentation.
GDPR (Articles 5, 17, 32), CCPA (California Consumer Privacy Act disclosure requirements), UK Data Protection Act 2018, applicable data retention laws in jurisdictions where Microsoft operates
Full compliance analysis
Obligation analysis, escalation trigger, board language, and recommended action.
Watcher: regulatory citations + obligations. Professional: full compliance memo.
ConductAtlas provides verified policy intelligence sourced directly from platform documents. All analysis is intended to support, not replace, legal and compliance review. Record CA-C-001202.
See the full side-by-side comparison of every sentence added, removed, and modified.
🔒 Full diff — WatcherMicrosoft Azure updated its privacy policy on April 19, 2026, making several changes to how it handles your data and …
Microsoft Azure's privacy policy now discloses that if you consent to receive marketing communications via phone, the company may contact …
Microsoft updated its data retention policy on March 6, 2026, to provide more specific guidance on how long it keeps …
Get alerted when this policy changes again — including what changed and why it matters.
Prefer a weekly summary instead?
Get the biggest policy changes across 320+ platforms every Sunday.