Lime keeps your personal data for as long as it decides is necessary for its business, legal, and fraud prevention purposes, without stating a specific maximum retention period.
This analysis describes what Lime's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Without a specified maximum retention period, your location history, trip records, and account data may be retained indefinitely, which has implications for both privacy risk and your rights to have data deleted.
Interpretive note: The document does not specify retention periods by data category, making it difficult to assess whether current practices satisfy GDPR Article 13(2)(a) or CPRA retention disclosure requirements.
The absence of a defined maximum retention period means Lime may retain your precise GPS trip history and personal account data for an extended and indeterminate duration, potentially limiting the practical effect of deletion requests depending on claimed legal or operational justifications.
How other platforms handle this
We retain personal information for as long as necessary to provide our services, comply with legal obligations, resolve disputes, and enforce our agreements. The specific retention periods depend on the type of information and the purposes for which it is processed.
We keep information for as long as we need it to provide our products, comply with legal obligations, or for other legitimate purposes, such as to maintain safety, security, and integrity.
After your account is deleted, we keep data about interactions you've had on our service to prevent abuse, ban evaders and others in an effort to protect and ensure the safety and security of our service and our members.
Monitoring
Lime has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"We retain your personal information for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements, to establish or defend legal claims, or for fraud prevention purposes.— Excerpt from Lime's Lime Privacy Policy
REGULATORY LANDSCAPE: Open-ended data retention engages GDPR Article 5(1)(e) (storage limitation principle, which requires data be kept in a form permitting identification of data subjects no longer than necessary), CPRA requirements for defined retention periods disclosed in the privacy notice, and FTC guidance on reasonable data security and minimization. The storage limitation principle under GDPR is actively enforced by EU DPAs, which have issued fines for inadequate retention policies. GOVERNANCE EXPOSURE: Medium. The 'as long as necessary' formulation is common across the industry but may be insufficient to satisfy GDPR Article 13(2)(a), which requires disclosure of the envisaged retention period or criteria used to determine it. CPRA amendments effective 2023 require businesses to disclose retention periods by data category; if Lime's notice does not provide this granularity for California-facing disclosures, it may be out of compliance. Indefinite retention of precise geolocation data is particularly sensitive. JURISDICTION FLAGS: EU/EEA (GDPR storage limitation, DPA enforcement), California (CPRA retention period disclosure requirement), UK (UK GDPR equivalents). Jurisdictions with data minimization requirements may challenge retention of granular trip-level GPS data beyond the operational period needed to support the ride. CONTRACT AND VENDOR IMPLICATIONS: Vendor and processor contracts should include data deletion obligations aligned with Lime's retention schedules. If retention periods are undefined internally, downstream deletion propagation to processors and sub-processors cannot be reliably scheduled or audited. COMPLIANCE CONSIDERATIONS: Develop and document data retention schedules by category (location data, payment data, communications, account data), disclose retention periods per CPRA requirements for California-facing notices, confirm that GDPR-facing notices meet Article 13(2)(a) specificity, and implement automated deletion workflows for data past retention periods.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Without a specified maximum retention period, your location history, trip records, and account data may be retained indefinitely, which has implications for both privacy risk and your rights to have data deleted.
The absence of a defined maximum retention period means Lime may retain your precise GPS trip history and personal account data for an extended and indeterminate duration, potentially limiting the practical effect of deletion requests depending on claimed legal or operational justifications.
ConductAtlas has identified this type of provision across 136 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Lime.