Which regulatory agencies enforce this type of clause?

{'agency': 'CFPB', 'reason': 'The CFPB oversees data security and retention practices at financial institutions under GLBA and related regulations.', 'full_name': 'Consumer Financial Protection Bureau (CFPB)', 'description': 'Regulates consumer financial products and services. Can investigate companies for unfair, deceptive, or abusive financial practices including improper fees, billing errors, and data misuse.', 'who_can_file': 'Anyone who has used a consumer financial product or service in the US', 'complaint_url': 'https://www.consumerfinance.gov/complaint/', 'what_you_need': 'Account number or details, dates of transactions or events, description of the issue, and any supporting documents', 'what_to_expect': 'The company must respond within 15 days. The CFPB forwards your complaint and may use it in enforcement actions. Individual compensation is possible in some cases.'}

What is the severity of this clause?

ConductAtlas classifies this Data Security and Retention clause as medium severity. Severity reflects the magnitude of rights affected, the breadth of users impacted, and the degree of discretion the platform retains.

Data Security and Retention — Chase

Share 𝕏 Share in Share 🔒 PDF

Monitor governance changes for Chase Create a free account to receive the weekly governance digest and monitor one platform for governance changes.

Create free account No credit card required.

Document Record

What it is

Chase states it uses security measures to protect your personal information and retains data for as long as necessary to fulfill the purposes described in the policy or as required by law.

ⓘ

This analysis describes what Chase's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology

ConductAtlas Analysis

Why it matters (compliance & governance perspective)

This provision operationally establishes Chase's baseline security obligations under applicable law and regulation. It creates the framework through which Chase implements protections for personal information held in its systems and facilities.

Consumer impact (what this means for users)

Your personal and financial data is retained by Chase for unspecified periods, meaning it may remain in their systems long after you stop using their services. Security measures are described in general terms without specific technical commitments.

How other platforms handle this

WhatsApp Medium

We store information until it is no longer necessary to provide our services and WhatsApp Products, or until your account is deleted or becomes inactive, whichever comes first. This is a case-by-case determination that depends on things like the nature of the information, why it is collected and pro...

Roblox Medium

You may request deletion of your account at any time. When you request account deletion, we will delete or anonymize your personal information unless we are required to retain it by law, or unless we need to retain it for legitimate business purposes such as resolving disputes, enforcing our agreeme...

OpenAI Medium

We'll retain your Personal Data for only as long as we need in order to provide our Services to you, or for other legitimate business purposes such as resolving disputes, safety and security reasons, or complying with our legal obligations. How long we retain Personal Data will depend on a number of...

See all platforms with this clause type →

Monitoring

Chase has changed this document before.

Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.

Start Watcher free trial Or create a free account →

▸ View Original Clause Language DOCUMENT RECORD

"
We use reasonable physical, electronic, and procedural safeguards that comply with legal and regulatory standards to protect and limit access to personal information. This includes device safeguards and secured files and buildings Visit our Security Center for additional information about how we protect your Personal Information.

— Excerpt from Chase's Chase Privacy Notice

ConductAtlas Analysis

Institutional analysis (Compliance & governance intelligence)

Retention policies lacking specific timeframes may create compliance exposure under CCPA's data minimization principles and could also be scrutinized under GLBA Safeguards Rule requirements; risk teams should request more granular retention schedules during due diligence.

Full compliance analysis

Regulatory citations, enforcement risk, and due diligence action items.

Track 1 platform — free Try Watcher free for 14 days

Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.

Applicable agencies

Consumer Financial Protection Bureau (cfpb)

Regulates consumer financial products and services. Can investigate companies for unfair, deceptive, or abusive financial practices including improper fees, billing errors, and data misuse.

Who can file: Anyone who has used a consumer financial product or service in the US

What you need: Account number or details, dates of transactions or events, description of the issue, and any supporting documents

What to expect: The company must respond within 15 days. The CFPB forwards your complaint and may use it in enforcement actions. Individual compensation is possible in some cases.

File a complaint →

Applicable regulations

CCPA/CPRA

California, USA

FCRA

United States Federal

GLBA

United States Federal

Indiana Consumer Data Protection Act

US-IN

Provision details

Document information

Document

Chase Privacy Notice

Entity

Chase

Document last updated

May 5, 2026

Tracking information

First tracked

March 6, 2026

Last verified

March 9, 2026

Record ID

CA-P-000371

Document ID

CA-D-00042

Evidence Provenance

Source URL

https://www.chase.com/digital/resources/privacy-security/privacy/online-privacy-policy

Wayback Machine

View archived versions →

Content hash (SHA-256)

3c900de68a57d375e4c409abeea5818018f094e55d6426d878e81cbf80a1b712

Analysis generated

March 6, 2026 20:37 UTC

Methodology

summarize_document-v7

Evidence

✓ Snapshot stored ✓ Hash verified

Citation Record

Entity: Chase
Document: Chase Privacy Notice
Record ID: CA-P-000371
Captured: 2026-03-06 20:37:27 UTC
SHA-256: 3c900de68a57d375…
URL: https://conductatlas.com/platform/chase/chase-privacy-notice/data-security-and-retention/
Accessed: May 20, 2026

Permanent archival reference. Stable identifier suitable for legal filings, compliance documentation, and research citation.

Classification

Severity

Medium

Other risks in this policy

Third-Party Data Sharing for Marketing medium
Cookies and Online Tracking Technologies medium
California Consumer Rights (CCPA/CPRA) high
Targeted Advertising Opt-Out medium
Children's Privacy Restriction low
Third-Party Links and Social Media Plugins low

Professional Governance Intelligence

Need to monitor specific governance provisions?

Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.

Arbitration clauses AI governance Data rights Indemnification Retention policies

Start Professional free trial

Or start with Watcher →

Built from archived source documents, structured governance mappings, and historical version tracking.

Frequently Asked Questions

What does Chase's Data Security and Retention clause do?

How does this clause affect you?

Is ConductAtlas affiliated with Chase?

No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Chase.