The policy states that personal information is retained for as long as necessary to provide services, meet legal obligations, resolve disputes, and enforce agreements, and that data will be deleted or anonymized when no longer needed.
This analysis describes what Acorns's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The retention standard stated in this provision is broadly defined by reference to service necessity, legal obligations, dispute resolution, and agreement enforcement, without specifying maximum retention periods for particular data categories, which may create compliance ambiguity under regulations that impose specific retention period requirements or data minimization obligations.
Interpretive note: The policy does not specify retention periods by data category, and whether the stated criteria satisfy CPRA's retention disclosure requirements is a jurisdiction-dependent legal question not resolvable from the document text alone.
The updated policy removes explicit language describing how data flows when users sign in via Apple or Google, including what information those services share with Acorns and how it is used. Previously, the policy stated that Acorns receives information such as name and email address through third-party sign-in services solely to manage accounts and provide services. The revised language also shifts the AI chatbot from an optional feature users 'may access' to a stated service Acorns 'uses' to direct users to internal articles. Users no longer have a published explanation of third-party sign-in data practices in the privacy notice, though the terms suggest data shared through third-party services remains subject to those providers' terms.
View change record →This new provision establishes data retention and deletion standards, providing transparency on how long Acorns keeps personal information.
View full change record →Under these terms, Acorns retains personal information, including financial account data and behavioral data, for an undefined duration tied to service provision, legal compliance, and dispute resolution. No specific maximum retention periods are stated for individual data categories in the reviewed provision.
How other platforms handle this
We retain personal information for as long as necessary to provide our services, comply with legal obligations, resolve disputes, and enforce our agreements. The specific retention periods depend on the type of information and the purposes for which it is processed.
We keep information for as long as we need it to provide our products, comply with legal obligations, or for other legitimate purposes, such as to maintain safety, security, and integrity.
After your account is deleted, we keep data about interactions you've had on our service to prevent abuse, ban evaders and others in an effort to protect and ensure the safety and security of our service and our members.
Monitoring
Acorns has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"We retain your personal information for as long as necessary to provide our Services, comply with our legal obligations, resolve disputes, and enforce our agreements. When we no longer need your personal information, we will take steps to delete or anonymize it.— Excerpt from Acorns's Acorns Privacy Policy
1) REGULATORY LANDSCAPE: GLBA does not specify universal retention periods but requires reasonable data security practices including controls over data that is no longer needed. CCPA and CPRA require businesses to disclose retention periods or the criteria used to determine them for each category of personal information; a disclosure that data is retained 'as long as necessary' without criteria specification may not satisfy CPRA's retention disclosure requirements. State data security laws in New York and other jurisdictions may impose obligations regarding timely destruction of personal information that is no longer needed. 2) GOVERNANCE EXPOSURE: Medium. The absence of specific retention period disclosures by data category may create exposure under CPRA's requirement to disclose the period for which each category of personal information will be retained, or if that is not possible, the criteria used to determine that period. 3) JURISDICTION FLAGS: California's CPRA creates the most specific retention disclosure obligation, requiring category-level retention period disclosures in privacy policies. Virginia, Colorado, and other state privacy laws similarly impose data minimization and retention-related obligations. 4) CONTRACT AND VENDOR IMPLICATIONS: Data retention schedules should be reflected in service provider agreements to ensure that vendors holding personal information on Acorns' behalf apply consistent retention and deletion standards. Procurement teams should verify that vendor agreements include contractual obligations to delete or return data upon contract termination. 5) COMPLIANCE CONSIDERATIONS: Compliance teams should assess whether the current retention disclosure satisfies CPRA's category-level retention period requirement, and if not, update the policy to include specific retention periods or criteria for each data category. Internal data retention schedules should be documented and mapped to the categories of personal information described in the privacy policy.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The retention standard stated in this provision is broadly defined by reference to service necessity, legal obligations, dispute resolution, and agreement enforcement, without specifying maximum retention periods for particular data categories, which may create compliance ambiguity under regulations that impose specific retention period requirements or data minimization obligations.
Under these terms, Acorns retains personal information, including financial account data and behavioral data, for an undefined duration tied to service provision, legal compliance, and dispute resolution. No specific maximum retention periods are stated for individual data categories in the reviewed provision.
ConductAtlas has identified this type of provision across 136 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Acorns.