Medium keeps your personal data for as long as it considers necessary to run its services, without committing to specific deletion timelines in most cases.
This analysis describes what Medium's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
Without fixed retention periods, your data could be held for an extended time after you stop using Medium, and you may need to actively request deletion to ensure your information is removed.
Interpretive note: The absence of specific retention periods creates ambiguity about how long different categories of data are held, and GDPR compliance of this provision depends on whether Medium's internal retention schedules satisfy the storage limitation principle.
Medium does not commit to specific timeframes for deleting most categories of your personal data, meaning your account information, reading history, and other data may be retained indefinitely unless you actively request deletion.
How other platforms handle this
We retain personal information for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by applicable law. The criteria used to determine our retention periods include the length of time we have an ongoing relationsh...
We retain personal data for as long as necessary to fulfill the purposes for which it was collected, including to satisfy any legal, accounting, or reporting requirements, to resolve disputes, and to enforce our agreements. The criteria used to determine our retention periods include: the length of ...
Slack (Sees no code data): We use Slack for internal communications. We may discuss logs of data for debugging purposes from users that are not using Zero-data retention mode. Google Workspace (Sees no code data): We use Google Workspace for collaboration. We may discuss logs of data for debugging p...
Monitoring
Medium has changed this document before.
"We retain personal information for as long as necessary to provide you with our services and for the other purposes set out in this Privacy Policy. In some cases, we may retain personal information for longer periods as required by law or for legitimate business purposes."
— Excerpt from Medium's Privacy Policy
REGULATORY LANDSCAPE: This provision engages GDPR Article 5(1)(e), which requires that personal data be kept in a form that permits identification of data subjects for no longer than necessary for the purposes for which it is processed (storage limitation principle). The absence of specific retention periods in the policy may be insufficient to demonstrate compliance with this principle. EU data protection authorities have flagged vague retention language as a compliance concern in enforcement actions against other platforms.
GOVERNANCE EXPOSURE: Medium to High for GDPR-covered users. The policy's open-ended retention language (as long as necessary) does not give users or regulators a clear basis for assessing compliance with the storage limitation principle. For CCPA purposes, retention of data beyond what is necessary for the stated purpose may also create exposure.
JURISDICTION FLAGS: EU/EEA users face the highest exposure given GDPR's storage limitation requirements. UK GDPR imposes similar obligations. California's CPRA introduced a requirement that businesses retain personal information only as long as reasonably necessary, which this policy's language may not satisfy with sufficient specificity.
CONTRACT AND VENDOR IMPLICATIONS: Organizations using Medium as a vendor should request a data retention schedule and confirm that data subject deletion requests result in actual deletion from backup systems within a documented timeframe. Vendor assessments should include questions about retention policy implementation.
COMPLIANCE CONSIDERATIONS: Legal teams should request Medium's internal data retention schedules and compare them against policy representations. Data mapping should identify which categories of personal data are subject to which retention triggers. Users wishing to limit data retention should submit a deletion request via privacy@medium.com, though the policy does not guarantee immediate deletion in all cases.
ConductAtlas has identified this type of provision across 2 platforms.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Medium.