Checkout.com keeps your personal data only as long as needed for the stated purposes or to meet legal requirements, and the length of time depends on the type and sensitivity of the data.
This analysis describes what Checkout.com's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Retention periods for financial and identity data are often long due to regulatory requirements in the payments sector, and understanding how long data is held affects the practical utility of deletion requests.
Interpretive note: The policy does not specify concrete retention periods by data category; actual retention durations depend on applicable sector-specific legal obligations that are not enumerated in the document.
Personal financial and identity data collected by Checkout.com may be retained for extended periods to meet legal and regulatory obligations, meaning deletion requests may be limited or delayed where legal retention requirements apply.
How other platforms handle this
We retain personal data for as long as necessary to fulfill the purposes for which it was collected, including to satisfy any legal, accounting, or reporting requirements, to resolve disputes, and to enforce our agreements. The criteria used to determine our retention periods include: the length of ...
We may retain de-identified or aggregated information that can no longer be used to identify you for any period of time, including indefinitely.
We retain personal information for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements, or as otherwise permitted or required by applicable law.
Monitoring
Checkout.com has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure, the purposes for which we process it, and whether we can achieve those purposes through other means, and the applicable legal requirements.— Excerpt from Checkout.com's Checkout.com Privacy
1. REGULATORY LANDSCAPE: Data retention engages GDPR Article 5(1)(e) (storage limitation principle), UK GDPR equivalents, and sector-specific retention obligations under AML regulations (EU AMLD, UK MLR 2017), PSD2, and financial record-keeping requirements. Retention periods for payment and identity data are often mandated at five to seven years under AML and financial regulation, which may override individual deletion requests. 2. GOVERNANCE EXPOSURE: Medium. The policy does not specify concrete retention periods for each data category, which is a common but noted gap in GDPR compliance assessments. Regulators expect organizations to maintain a retention schedule and be able to communicate periods to data subjects on request. 3. JURISDICTION FLAGS: EU and UK users have rights to request deletion once retention periods expire, but legal retention obligations take precedence. US users have fewer specific retention rights but financial services regulations impose minimum retention requirements. Merchants should ensure their own retention schedules align with Checkout.com's processing terms. 4. CONTRACT AND VENDOR IMPLICATIONS: DPAs should specify retention periods for processor-held data and require deletion or return of data upon contract termination. Merchants should audit whether Checkout.com's retention practices for cardholder data are compatible with their own data minimization obligations. 5. COMPLIANCE CONSIDERATIONS: Compliance teams should request a data retention schedule from Checkout.com for all categories of personal data processed, and confirm that retention periods are enforced technically. Deletion request workflows should be designed to honor erasure where no legal retention obligation applies and to communicate applicable legal holds transparently to data subjects.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Retention periods for financial and identity data are often long due to regulatory requirements in the payments sector, and understanding how long data is held affects the practical utility of deletion requests.
Personal financial and identity data collected by Checkout.com may be retained for extended periods to meet legal and regulatory obligations, meaning deletion requests may be limited or delayed where legal retention requirements apply.
ConductAtlas has identified this type of provision across 115 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Checkout.com.