Lime keeps your personal data for as long as it decides is necessary for its business, legal, and fraud prevention purposes, without stating a specific maximum retention period.
This analysis describes what Lime's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Without a specified maximum retention period, your location history, trip records, and account data may be retained indefinitely, which has implications for both privacy risk and your rights to have data deleted.
Interpretive note: The document does not specify retention periods by data category, making it difficult to assess whether current practices satisfy GDPR Article 13(2)(a) or CPRA retention disclosure requirements.
The absence of a defined maximum retention period means Lime may retain your precise GPS trip history and personal account data for an extended and indeterminate duration, potentially limiting the practical effect of deletion requests depending on claimed legal or operational justifications.
How other platforms handle this
We retain personal data for as long as necessary to fulfill the purposes for which it was collected, including to satisfy any legal, accounting, or reporting requirements, to resolve disputes, and to enforce our agreements. The criteria used to determine our retention periods include: the length of ...
We may retain de-identified or aggregated information that can no longer be used to identify you for any period of time, including indefinitely.
We retain personal information for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements, or as otherwise permitted or required by applicable law.
Monitoring
Lime has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"We retain your personal information for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements, to establish or defend legal claims, or for fraud prevention purposes.— Excerpt from Lime's Lime Privacy Policy
REGULATORY LANDSCAPE: Open-ended data retention engages GDPR Article 5(1)(e) (storage limitation principle, which requires data be kept in a form permitting identification of data subjects no longer than necessary), CPRA requirements for defined retention periods disclosed in the privacy notice, and FTC guidance on reasonable data security and minimization. The storage limitation principle under GDPR is actively enforced by EU DPAs, which have issued fines for inadequate retention policies. GOVERNANCE EXPOSURE: Medium. The 'as long as necessary' formulation is common across the industry but may be insufficient to satisfy GDPR Article 13(2)(a), which requires disclosure of the envisaged retention period or criteria used to determine it. CPRA amendments effective 2023 require businesses to disclose retention periods by data category; if Lime's notice does not provide this granularity for California-facing disclosures, it may be out of compliance. Indefinite retention of precise geolocation data is particularly sensitive. JURISDICTION FLAGS: EU/EEA (GDPR storage limitation, DPA enforcement), California (CPRA retention period disclosure requirement), UK (UK GDPR equivalents). Jurisdictions with data minimization requirements may challenge retention of granular trip-level GPS data beyond the operational period needed to support the ride. CONTRACT AND VENDOR IMPLICATIONS: Vendor and processor contracts should include data deletion obligations aligned with Lime's retention schedules. If retention periods are undefined internally, downstream deletion propagation to processors and sub-processors cannot be reliably scheduled or audited. COMPLIANCE CONSIDERATIONS: Develop and document data retention schedules by category (location data, payment data, communications, account data), disclose retention periods per CPRA requirements for California-facing notices, confirm that GDPR-facing notices meet Article 13(2)(a) specificity, and implement automated deletion workflows for data past retention periods.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Without a specified maximum retention period, your location history, trip records, and account data may be retained indefinitely, which has implications for both privacy risk and your rights to have data deleted.
The absence of a defined maximum retention period means Lime may retain your precise GPS trip history and personal account data for an extended and indeterminate duration, potentially limiting the practical effect of deletion requests depending on claimed legal or operational justifications.
ConductAtlas has identified this type of provision across 115 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Lime.