Medium keeps your personal data for as long as it considers necessary to run its services, without committing to specific deletion timelines in most cases.
This analysis describes what Medium's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Without fixed retention periods, your data could be held for an extended time after you stop using Medium, and you may need to actively request deletion to ensure your information is removed.
Interpretive note: The absence of specific retention periods creates ambiguity about how long different categories of data are held, and GDPR compliance of this provision depends on whether Medium's internal retention schedules satisfy the storage limitation principle.
Medium does not commit to specific timeframes for deleting most categories of your personal data, meaning your account information, reading history, and other data may be retained indefinitely unless you actively request deletion.
How other platforms handle this
We retain personal information for as long as necessary to provide our services, comply with legal obligations, resolve disputes, and enforce our agreements. The specific retention periods depend on the type of information and the purposes for which it is processed.
We keep information for as long as we need it to provide our products, comply with legal obligations, or for other legitimate purposes, such as to maintain safety, security, and integrity.
After your account is deleted, we keep data about interactions you've had on our service to prevent abuse, ban evaders and others in an effort to protect and ensure the safety and security of our service and our members.
Monitoring
Medium has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"We retain personal information for as long as necessary to provide you with our services and for the other purposes set out in this Privacy Policy. In some cases, we may retain personal information for longer periods as required by law or for legitimate business purposes.— Excerpt from Medium's Medium Privacy Policy
REGULATORY LANDSCAPE: This provision engages GDPR Article 5(1)(e), which requires that personal data be kept in a form that permits identification of data subjects for no longer than necessary for the purposes for which it is processed (storage limitation principle). The absence of specific retention periods in the policy may be insufficient to demonstrate compliance with this principle. EU data protection authorities have flagged vague retention language as a compliance concern in enforcement actions against other platforms. GOVERNANCE EXPOSURE: Medium to High for GDPR-covered users. The policy's open-ended retention language (as long as necessary) does not give users or regulators a clear basis for assessing compliance with the storage limitation principle. For CCPA purposes, retention of data beyond what is necessary for the stated purpose may also create exposure. JURISDICTION FLAGS: EU/EEA users face the highest exposure given GDPR's storage limitation requirements. UK GDPR imposes similar obligations. California's CPRA introduced a requirement that businesses retain personal information only as long as reasonably necessary, which this policy's language may not satisfy with sufficient specificity. CONTRACT AND VENDOR IMPLICATIONS: Organizations using Medium as a vendor should request a data retention schedule and confirm that data subject deletion requests result in actual deletion from backup systems within a documented timeframe. Vendor assessments should include questions about retention policy implementation. COMPLIANCE CONSIDERATIONS: Legal teams should request Medium's internal data retention schedules and compare them against policy representations. Data mapping should identify which categories of personal data are subject to which retention triggers. Users wishing to limit data retention should submit a deletion request via privacy@medium.com, though the policy does not guarantee immediate deletion in all cases.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Without fixed retention periods, your data could be held for an extended time after you stop using Medium, and you may need to actively request deletion to ensure your information is removed.
Medium does not commit to specific timeframes for deleting most categories of your personal data, meaning your account information, reading history, and other data may be retained indefinitely unless you actively request deletion.
ConductAtlas has identified this type of provision across 3 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Medium.