Grubhub keeps your personal information for as long as your account is active, and potentially for an unspecified additional period afterward that Grubhub determines based on legal needs.
This analysis describes what Grubhub's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The additional retention period beyond account closure is not defined by a specific timeframe, meaning your data may be retained for an indeterminate period after you close your account, which limits the practical effect of account deletion.
Interpretive note: The phrase 'such additional period as Grubhub determines is necessary' is not defined with a specific maximum timeframe, creating ambiguity about the practical retention duration after account closure.
Closing your Grubhub account does not guarantee immediate deletion of your personal data; Grubhub may retain your information for an unspecified additional period it determines necessary for legal compliance and defense, which could mean years of continued data storage.
How other platforms handle this
We retain data as needed to facilitate and personalize your use of CL, combat fraud/abuse and/or as required by law.
We retain your personal information for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements, to resolve disputes, and to enforce our agreements. When we no longer need to use your personal ...
We retain personal data for as long as necessary to fulfill the purposes for which it was collected, including to satisfy any legal, accounting, or reporting requirements, to resolve disputes, and to enforce our agreements. The criteria used to determine our retention periods include: the length of ...
Monitoring
Grubhub has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"Grubhub retains identifiers for as long as you have an account with Grubhub, and for such additional period as Grubhub determines is necessary to comply with its legal obligations and defend against legal claims. Grubhub retains payment information for as long as you have an account with Grubhub, and for such additional period as Grubhub determines is necessary to comply with its legal obligations and defend against legal claims.— Excerpt from Grubhub's Grubhub Privacy Policy
1) REGULATORY LANDSCAPE: CCPA/CPRA requires that businesses retain personal information only as long as reasonably necessary for the disclosed purpose, and the absence of specific retention timeframes beyond 'as Grubhub determines' may create tension with this requirement. The California Privacy Protection Agency has indicated that indefinite or vaguely defined retention periods may be scrutinized. GDPR's storage limitation principle, if applicable to any EU users, requires specific and defined retention periods. The FTC's data minimization guidance also encourages defined retention limits. 2) GOVERNANCE EXPOSURE: Medium. The use of 'such additional period as Grubhub determines is necessary' without a defined maximum creates regulatory exposure under CPRA and similar laws that require retention to be reasonably necessary and disclosed. The absence of category-specific retention schedules for sensitive data types such as precise geolocation and health-related inferences is particularly notable. 3) JURISDICTION FLAGS: California CPRA creates the most direct exposure for vague retention language, as the Privacy Protection Agency may require more specific disclosure. Colorado, Connecticut, and Virginia privacy laws similarly require that data not be retained beyond its stated purpose. EU/UK GDPR Article 5's storage limitation principle would require defined retention periods for any EU-facing data processing. 4) CONTRACT AND VENDOR IMPLICATIONS: Vendor and service provider contracts should include matching retention and deletion obligations to ensure that data shared with third parties is not retained beyond Grubhub's own stated periods. Procurement teams should audit whether data processor agreements include defined deletion timelines aligned with Grubhub's retention schedule. 5) COMPLIANCE CONSIDERATIONS: Compliance teams should develop and document specific, category-level retention schedules for each personal information type collected, including geolocation, payment data, commercial information, and inferences. The phrase 'as Grubhub determines is necessary' should be supplemented with defined maximum retention periods in updated policy language to reduce regulatory exposure.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The additional retention period beyond account closure is not defined by a specific timeframe, meaning your data may be retained for an indeterminate period after you close your account, which limits the practical effect of account deletion.
Closing your Grubhub account does not guarantee immediate deletion of your personal data; Grubhub may retain your information for an unspecified additional period it determines necessary for legal compliance and defense, which could mean years of continued data storage.
ConductAtlas has identified this type of provision across 65 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Grubhub.