Microsoft modified its data retention policy language on April 19, 2026. Previously, the policy described specific retention criteria including whether customers expected data to be retained until they removed it, and whether automated deletion controls existed. The updated language simplifies retention guidance by stating that Microsoft retains personal data to provide services, fulfill transactions, and for legitimate purposes including legal obligations, business operations, and dispute resolution. The revised policy removes granular examples (like email deletion procedures) and instead directs users to product documentation, while adding new retention justifications around improving products, protecting systems, and customer safety.
The updated policy establishes additional grounds on which Microsoft may retain personal data. While the prior version tied retention to specific user expectations and available deletion controls, the revised language authorizes retention for 'operating our business, meeting our contractual and legal obligations, improving and developing our products and services, protecting the safety and security of our systems and customers, and resolving disputes.' This expands the stated purposes beyond transaction fulfillment and legal compliance. The updated policy directs users to product-specific documentation for retention details rather than providing explicit deletion procedures and timelines in the privacy statement itself.
The updated terms establish broader grounds for retaining personal data, expanding from transaction and legal necessity to include business operations and product development. This change affects how long data may be retained and the purposes Microsoft may rely on to justify that retention, shifting retention decisions away from unified policy guidance into product-specific documentation that users must actively consult.
→ Review product-specific retention documentation for services you use (OneDrive, Outlook.com, etc.) to understand actual data deletion timelines.
→ Check your account settings in Microsoft privacy dashboard for any available controls over data retention or automatic deletion of old data.
→ Personal data will be retained under the expanded purposes stated in the policy, which now include business operations and product improvement beyond legal requirements.
→ Without consulting product-specific documentation, you may not understand how long Microsoft retains particular data types or what deletion options are available.
ConductAtlas has recorded 4 material changes to this document over 44 days of monitoring (since March 2026). An additional minor or cosmetic changes were excluded.
4 of Microsoft's significant changes have been classified as negative for consumers.
Expanded from legal compliance and transaction fulfillment to include business operations, product development, safety, and dispute resolution.
Changed from explicit policy statement of deletion procedures and storage limits to delegation to product-specific documentation.
Added explicit authorization to use auto-dialer and AI-generated voice for marketing calls to consenting phone numbers.
This change record describes what was added, removed, or modified in the document. Analysis reflects what the updated agreement states or permits. It does not constitute a legal determination about enforceability. Applicability may vary by jurisdiction. Methodology
Microsoft can now point to more reasons to keep your data, not just legal requirements and fulfilling what you asked for.
Organizations must check individual product policies to understand how long data is actually retained, rather than relying on a central privacy policy.
This change broadens the stated legal bases for data retention across Microsoft's product portfolio. The updated language adds operational and business development justifications alongside legal obligations. Organizations evaluating Microsoft as a vendor should review product-specific documentation to understand actual retention timelines, as the privacy statement now explicitly delegates retention details to individual product policies rather than providing unified guidance. For data controllers or processors reliant on standard contractual clauses or data processing agreements, this shift in retention justification may require review of underlying vendor contracts to confirm alignment with organizational data retention policies and applicable law.
Full compliance analysis
Obligation analysis, escalation trigger, board language, and recommended action.
Watcher: regulatory citations + obligations. Professional: full compliance memo.
ConductAtlas provides verified policy intelligence sourced directly from platform documents. All analysis is intended to support, not replace, legal and compliance review. Record CA-C-001079.
See the full side-by-side comparison of every sentence added, removed, and modified.
🔒 Full diff — WatcherMicrosoft updated three passages in its Responsible AI Principles on April 19, 2026. The first change revised the opening tagline …
Microsoft updated three phrases in its Responsible AI document. The opening tagline changed from 'Build your business with trustworthy AI' …
Microsoft's Privacy Statement was updated on April 8, 2026, with 2 sentences added, 11 sentences removed, and 10 sentences modified. …
Get alerted when this policy changes again — including what changed and why it matters.
Prefer a weekly summary instead?
Get the biggest policy changes across 320+ platforms every Sunday.