Midjourney states it retains personal data only as long as necessary for the purposes described in the policy, and may retain data longer to comply with legal obligations, resolve disputes, or improve service security and functionality.
This analysis describes what Midjourney's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The provision defines the operational scope and duration of data storage practices, establishing both retention limitations based on necessity and exceptions for legal compliance, dispute resolution, and service improvement purposes. This creates a tiered retention structure where personal data and usage data operate under different retention timeframes based on their respective purposes.
Interpretive note: The policy uses purpose-based retention language without specifying retention periods for individual data categories; the breadth of the service improvement carve-out is not operationally defined in the document.
The updated privacy policy removed language describing how Midjourney shares personal data, the security measures protecting that data, children's privacy safeguards, procedures for notifying users of policy changes, and links to related policies. Users no longer have explicit disclosure of these practices within the privacy policy itself. The removal of language on how policy changes are communicated may mean users have less notice of future privacy modifications than previously stated.
View change record →Personal data may be retained beyond the initial service purpose if Midjourney determines it is needed for legal obligations, dispute resolution, or service improvement; users who wish to request deletion before natural retention expiry can do so through account settings.
How other platforms handle this
We retain personal data for as long as needed to provide our services, comply with our legal obligations, resolve disputes, and enforce our policies. Retention periods will vary depending on the type of data and the purposes for which we use it.
Microsoft retains personal data for as long as necessary to provide the products and fulfill the transactions you have requested, or for other legitimate purposes such as complying with our legal obligations, resolving disputes, and enforcing our agreements. Because these needs can vary for differen...
We keep information as long as we need it to provide our products and services and fulfil the purposes described in this policy. This is a case-by-case determination that depends on things like the nature of the information, why it is collected and processed, relevant legal or operational retention ...
Monitoring
Midjourney has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"The Company will retain Your Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy. We will retain and use Your Personal Data to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies. The Company will also retain Usage Data for internal analysis purposes. Usage Data is generally retained for a shorter period of time, except when this data is used to strengthen the security or to improve the functionality of Our Service, or We are legally obligated to retain this data for longer time periods.— Excerpt from Midjourney's Midjourney Privacy Policy
1) REGULATORY LANDSCAPE: GDPR's storage limitation principle (Article 5(1)(e)) requires that personal data be kept no longer than necessary for the specified purpose, and that retention periods be communicated to data subjects. The policy's use of purpose-based retention without specific timeframes may not fully satisfy GDPR transparency requirements. CCPA also requires disclosure of retention periods or the criteria used to determine them under CPRA. 2) GOVERNANCE EXPOSURE: Medium. The absence of specific retention periods for key data categories (prompts, uploaded images, inferences, usage data) creates compliance exposure under GDPR and CPRA transparency requirements. The carve-out for retention to improve service functionality is broad and could be interpreted to extend retention for data used in ML model training. 3) JURISDICTION FLAGS: EEA and UK users face heightened exposure given GDPR's storage limitation requirements. California users may have rights under CPRA to receive disclosure of specific retention periods, which the policy does not fully address. Other state privacy law frameworks with retention disclosure requirements may also apply. 4) CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers should request specific retention schedules from Midjourney, particularly for data categories including user prompts and uploaded images, to support their own internal data governance and records management obligations. 5) COMPLIANCE CONSIDERATIONS: Compliance teams should assess whether documented retention schedules exist for each data category identified in the CCPA table, whether those schedules are operationally enforced, whether the service improvement carve-out is scoped and documented, and whether CPRA's retention disclosure requirements are met in the California-specific section of the policy.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The provision defines the operational scope and duration of data storage practices, establishing both retention limitations based on necessity and exceptions for legal compliance, dispute resolution, and service improvement purposes. This creates a tiered retention structure where personal data and usage data operate under different retention timeframes based on their respective purposes.
Personal data may be retained beyond the initial service purpose if Midjourney determines it is needed for legal obligations, dispute resolution, or service improvement; users who wish to request deletion before natural retention expiry can do so through account settings.
ConductAtlas has identified this type of provision across 64 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Midjourney.