Mercury keeps your data for as long as it needs to in order to run its services and meet legal requirements, using a risk-based assessment to determine how long each type of data is held.
This analysis describes what Mercury's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
There is no fixed maximum retention period stated in the policy, meaning some categories of financial and personal data could be held for extended periods tied to legal and regulatory timelines.
Interpretive note: The policy does not specify maximum retention periods by data category, creating interpretive uncertainty about when deletion obligations arise under CCPA and after account closure.
Mercury does not commit to specific maximum retention periods for personal or financial data, which means sensitive information such as transaction history and identity documents may be retained for years beyond when you stop using the service.
How other platforms handle this
We retain data as needed to facilitate and personalize your use of CL, combat fraud/abuse and/or as required by law.
We retain your personal information for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements, to resolve disputes, and to enforce our agreements. When we no longer need to use your personal ...
We retain personal data for as long as necessary to fulfill the purposes for which it was collected, including to satisfy any legal, accounting, or reporting requirements, to resolve disputes, and to enforce our agreements. The criteria used to determine our retention periods include: the length of ...
Monitoring
Mercury has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"We retain personal information for as long as necessary to fulfill the purposes for which it was collected, including to satisfy legal, regulatory, accounting, or reporting requirements. When determining how long to retain information, we consider the amount, nature, and sensitivity of the information, the potential risk of harm from unauthorized use or disclosure, and applicable legal requirements.— Excerpt from Mercury's Mercury Privacy Policy
REGULATORY LANDSCAPE: Data retention in financial services is governed by a combination of GLBA requirements, IRS recordkeeping obligations, Bank Secrecy Act and FinCEN rules requiring retention of certain records for minimum periods, and state-level requirements. While these create minimum retention floors, they do not necessarily authorize indefinite retention beyond those minimums. Under CCPA, California residents may request deletion of data subject to exemptions for legally required retention, which interacts with these financial services recordkeeping requirements. GOVERNANCE EXPOSURE: Medium. The absence of stated maximum retention periods creates ambiguity about when data is eligible for deletion in response to consumer requests or after account closure. Compliance teams should verify that retention schedules are documented, applied consistently by data category, and defensible under applicable law. JURISDICTION FLAGS: California's CCPA right to deletion is subject to exemptions for data retained to comply with legal obligations, which in Mercury's context includes BSA and FinCEN recordkeeping. However, data retained beyond legally required minimums may be subject to deletion requests. The EU's GDPR storage limitation principle would apply to any EU data subjects, though Mercury appears to be a US-focused service. CONTRACT AND VENDOR IMPLICATIONS: Service providers and vendors who receive Mercury customer data should have retention terms in their data processing agreements aligned with Mercury's retention schedules. Upon account closure, deletion or return of data by vendors should be contractually required. COMPLIANCE CONSIDERATIONS: Legal and compliance teams should develop and maintain a formal data retention schedule mapping each personal data category to its applicable legal basis for retention and maximum retention period. This schedule should be reviewed annually and used to automate deletion of data whose retention period has expired.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
There is no fixed maximum retention period stated in the policy, meaning some categories of financial and personal data could be held for extended periods tied to legal and regulatory timelines.
Mercury does not commit to specific maximum retention periods for personal or financial data, which means sensitive information such as transaction history and identity documents may be retained for years beyond when you stop using the service.
ConductAtlas has identified this type of provision across 65 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Mercury.