Grubhub keeps your personal information for as long as your account is active, and potentially for an unspecified additional period afterward that Grubhub determines based on legal needs.
This analysis describes what Grubhub's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The additional retention period beyond account closure is not defined by a specific timeframe, meaning your data may be retained for an indeterminate period after you close your account, which limits the practical effect of account deletion.
Interpretive note: The phrase 'such additional period as Grubhub determines is necessary' is not defined with a specific maximum timeframe, creating ambiguity about the practical retention duration after account closure.
Closing your Grubhub account does not guarantee immediate deletion of your personal data; Grubhub may retain your information for an unspecified additional period it determines necessary for legal compliance and defense, which could mean years of continued data storage.
How other platforms handle this
We retain personal information for as long as necessary to provide our services, comply with legal obligations, resolve disputes, and enforce our agreements. The specific retention periods depend on the type of information and the purposes for which it is processed.
We keep information for as long as we need it to provide our products, comply with legal obligations, or for other legitimate purposes, such as to maintain safety, security, and integrity.
After your account is deleted, we keep data about interactions you've had on our service to prevent abuse, ban evaders and others in an effort to protect and ensure the safety and security of our service and our members.
Monitoring
Grubhub has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Grubhub retains identifiers for as long as you have an account with Grubhub, and for such additional period as Grubhub determines is necessary to comply with its legal obligations and defend against legal claims. Grubhub retains payment information for as long as you have an account with Grubhub, and for such additional period as Grubhub determines is necessary to comply with its legal obligations and defend against legal claims.— Excerpt from Grubhub's Grubhub Privacy Policy
1) REGULATORY LANDSCAPE: CCPA/CPRA requires that businesses retain personal information only as long as reasonably necessary for the disclosed purpose, and the absence of specific retention timeframes beyond 'as Grubhub determines' may create tension with this requirement. The California Privacy Protection Agency has indicated that indefinite or vaguely defined retention periods may be scrutinized. GDPR's storage limitation principle, if applicable to any EU users, requires specific and defined retention periods. The FTC's data minimization guidance also encourages defined retention limits. 2) GOVERNANCE EXPOSURE: Medium. The use of 'such additional period as Grubhub determines is necessary' without a defined maximum creates regulatory exposure under CPRA and similar laws that require retention to be reasonably necessary and disclosed. The absence of category-specific retention schedules for sensitive data types such as precise geolocation and health-related inferences is particularly notable. 3) JURISDICTION FLAGS: California CPRA creates the most direct exposure for vague retention language, as the Privacy Protection Agency may require more specific disclosure. Colorado, Connecticut, and Virginia privacy laws similarly require that data not be retained beyond its stated purpose. EU/UK GDPR Article 5's storage limitation principle would require defined retention periods for any EU-facing data processing. 4) CONTRACT AND VENDOR IMPLICATIONS: Vendor and service provider contracts should include matching retention and deletion obligations to ensure that data shared with third parties is not retained beyond Grubhub's own stated periods. Procurement teams should audit whether data processor agreements include defined deletion timelines aligned with Grubhub's retention schedule. 5) COMPLIANCE CONSIDERATIONS: Compliance teams should develop and document specific, category-level retention schedules for each personal information type collected, including geolocation, payment data, commercial information, and inferences. The phrase 'as Grubhub determines is necessary' should be supplemented with defined maximum retention periods in updated policy language to reduce regulatory exposure.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The additional retention period beyond account closure is not defined by a specific timeframe, meaning your data may be retained for an indeterminate period after you close your account, which limits the practical effect of account deletion.
Closing your Grubhub account does not guarantee immediate deletion of your personal data; Grubhub may retain your information for an unspecified additional period it determines necessary for legal compliance and defense, which could mean years of continued data storage.
ConductAtlas has identified this type of provision across 66 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Grubhub.