The policy states that Medium retains personal information for as long as necessary to provide services and for legal, dispute, and enforcement purposes, without specifying defined retention periods for individual data categories.
This analysis describes what Medium's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The absence of defined retention periods for specific data categories may present a compliance consideration under GDPR's storage limitation principle, which requires that personal data be kept no longer than necessary for the specified processing purpose.
Interpretive note: The policy does not specify retention periods by data category, creating ambiguity about the practical duration of retention for specific data types such as reading history or payment information.
Replaced vague 'legitimate business purposes' with specific enumerated purposes (legal compliance, dispute resolution, agreement enforcement), providing greater clarity.
View full change record →The agreement establishes an open-ended retention standard tied to service provision and legal purposes, meaning personal data including reading history, identifiers, and payment information may be retained for indeterminate periods absent a specific user deletion request.
How other platforms handle this
We retain personal information for as long as necessary to provide our services, comply with legal obligations, resolve disputes, and enforce our agreements. The specific retention periods depend on the type of information and the purposes for which it is processed.
We keep information for as long as we need it to provide our products, comply with legal obligations, or for other legitimate purposes, such as to maintain safety, security, and integrity.
After your account is deleted, we keep data about interactions you've had on our service to prevent abuse, ban evaders and others in an effort to protect and ensure the safety and security of our service and our members.
Monitoring
Medium has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"We retain personal information for as long as necessary to provide you with our Services, and for other essential purposes such as complying with our legal obligations, resolving disputes, and enforcing our agreements.— Excerpt from Medium's Medium Privacy Policy
1. REGULATORY LANDSCAPE: GDPR Article 5(1)(e) requires that personal data be kept in a form permitting identification no longer than necessary for processing purposes (storage limitation). CCPA grants California residents the right to request deletion of personal information subject to applicable exceptions. The policy's open-ended retention language may require evaluation against GDPR's storage limitation principle by EU supervisory authorities. 2. GOVERNANCE EXPOSURE: Low to Medium. Open-ended retention is a commonly observed disclosure pattern, but the absence of category-specific retention schedules may complicate responses to data subject access and deletion requests under GDPR and CCPA, particularly for inactive accounts. 3. JURISDICTION FLAGS: EU and EEA users have heightened exposure due to GDPR storage limitation requirements. California users retain deletion rights under CCPA subject to exceptions for legal obligation compliance, which the policy references. 4. CONTRACT AND VENDOR IMPLICATIONS: Organizations with contractual data protection obligations should assess whether Medium's retention practices for B2B-related user data align with their own retention policies and DPA terms. 5. COMPLIANCE CONSIDERATIONS: Compliance teams should request Medium's retention schedule documentation if available, particularly for categories of data collected about EEA users. Data deletion requests from EEA users should be assessed against Medium's stated legal obligation and dispute resolution retention exceptions.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The absence of defined retention periods for specific data categories may present a compliance consideration under GDPR's storage limitation principle, which requires that personal data be kept no longer than necessary for the specified processing purpose.
The agreement establishes an open-ended retention standard tied to service provision and legal purposes, meaning personal data including reading history, identifiers, and payment information may be retained for indeterminate periods absent a specific user deletion request.
ConductAtlas has identified this type of provision across 136 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Medium.