Affirm keeps your personal data for as long as it needs to run its services and meet legal requirements, with no specific deletion timeline stated for most data categories.
This analysis describes what Affirm's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
An open-ended retention standard without specific timelines means your financial and behavioral data may be retained indefinitely unless you affirmatively request deletion.
Interpretive note: The policy does not provide category-specific retention timelines; it is unclear whether Affirm's operational retention schedules satisfy CPRA's disclosure specificity requirement.
The updated Privacy Policy establishes that Affirm qualifies as a financial institution under the Gramm-Leach-Bliley Act, meaning personal information collected in connection with Affirm services is governed by federal banking law rather than applicable state privacy laws. The policy now explicitly discloses collection of identity and profile information including full name, date of birth, Social Security number, email, mailing address, phone number, and password. The updated terms also disclose new data sharing arrangements with fraud prevention, identity verification, and risk intelligence providers, which were not previously detailed. You can contact Affirm's privacy team using the phone number provided in the updated policy to exercise data privacy rights.
View change record →Affirm does not commit to specific retention periods for most personal data categories, meaning your loan history, behavioral inferences, and other profile data may be held for an extended or indeterminate period unless you exercise deletion rights.
How other platforms handle this
We retain personal information for as long as necessary to provide our services, comply with legal obligations, resolve disputes, and enforce our agreements. The specific retention periods depend on the type of information and the purposes for which it is processed.
We keep information for as long as we need it to provide our products, comply with legal obligations, or for other legitimate purposes, such as to maintain safety, security, and integrity.
After your account is deleted, we keep data about interactions you've had on our service to prevent abuse, ban evaders and others in an effort to protect and ensure the safety and security of our service and our members.
Monitoring
Affirm has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"We retain your personal information for as long as necessary to provide our services, comply with our legal obligations, resolve disputes, and enforce our agreements. The retention period for specific types of personal information may vary based on the nature of the information and our legal requirements.— Excerpt from Affirm's Affirm Privacy Policy
REGULATORY LANDSCAPE: GLBA safeguards rules require data disposal procedures for customer financial information. CCPA and CPRA require that retention periods be disclosed in the privacy policy for each category of personal information; a policy that states only a general necessity standard without category-specific periods may not satisfy CPRA's disclosure specificity requirement. FTC Act Section 5 unfair practices standards apply to retention practices that create unnecessary consumer risk. GOVERNANCE EXPOSURE: Medium. CPRA regulations require that privacy policies disclose the retention period or criteria used to determine retention for each category of personal information. A generalized necessity standard without category-level disclosure may not satisfy this requirement, creating California regulatory exposure. JURISDICTION FLAGS: California CPRA retention disclosure requirements apply to all covered businesses. GLBA data disposal requirements apply nationally. If Affirm processes data subject to FCRA, consumer report retention rules impose specific time limits for certain record types. CONTRACT AND VENDOR IMPLICATIONS: Service provider and data processor agreements should include data retention and deletion schedules consistent with Affirm's stated retention policies and GLBA disposal requirements. Downstream deletion obligations should be contractually required upon termination of processing relationships. COMPLIANCE CONSIDERATIONS: Compliance teams should audit data retention schedules by category, assess whether CPRA's category-specific disclosure requirement is satisfied, document the legal basis for each retention period, and confirm that deletion requests under CCPA result in timely deletion from both Affirm systems and downstream processors.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
An open-ended retention standard without specific timelines means your financial and behavioral data may be retained indefinitely unless you affirmatively request deletion.
Affirm does not commit to specific retention periods for most personal data categories, meaning your loan history, behavioral inferences, and other profile data may be held for an extended or indeterminate period unless you exercise deletion rights.
ConductAtlas has identified this type of provision across 136 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Affirm.