Midjourney states it retains personal data only as long as necessary for the purposes described in the policy, and may retain data longer to comply with legal obligations, resolve disputes, or improve service security and functionality.
This analysis describes what Midjourney's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The policy does not specify fixed retention periods for most data categories, instead using purpose-based retention language; the carve-out allowing extended retention to improve service functionality could cover a broad range of operational activities.
Interpretive note: The policy uses purpose-based retention language without specifying retention periods for individual data categories; the breadth of the service improvement carve-out is not operationally defined in the document.
The updated privacy policy removed language describing how Midjourney shares personal data, the security measures protecting that data, children's privacy safeguards, procedures for notifying users of policy changes, and links to related policies. Users no longer have explicit disclosure of these practices within the privacy policy itself. The removal of language on how policy changes are communicated may mean users have less notice of future privacy modifications than previously stated.
View change record →Personal data may be retained beyond the initial service purpose if Midjourney determines it is needed for legal obligations, dispute resolution, or service improvement; users who wish to request deletion before natural retention expiry can do so through account settings.
How other platforms handle this
We retain personal information for as long as necessary to provide our services, comply with legal obligations, resolve disputes, and enforce our agreements. The specific retention periods depend on the type of information and the purposes for which it is processed.
We keep information for as long as we need it to provide our products, comply with legal obligations, or for other legitimate purposes, such as to maintain safety, security, and integrity.
After your account is deleted, we keep data about interactions you've had on our service to prevent abuse, ban evaders and others in an effort to protect and ensure the safety and security of our service and our members.
Monitoring
Midjourney has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"The Company will retain Your Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy. We will retain and use Your Personal Data to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies. The Company will also retain Usage Data for internal analysis purposes. Usage Data is generally retained for a shorter period of time, except when this data is used to strengthen the security or to improve the functionality of Our Service, or We are legally obligated to retain this data for longer time periods.— Excerpt from Midjourney's Midjourney Privacy Policy
1) REGULATORY LANDSCAPE: GDPR's storage limitation principle (Article 5(1)(e)) requires that personal data be kept no longer than necessary for the specified purpose, and that retention periods be communicated to data subjects. The policy's use of purpose-based retention without specific timeframes may not fully satisfy GDPR transparency requirements. CCPA also requires disclosure of retention periods or the criteria used to determine them under CPRA. 2) GOVERNANCE EXPOSURE: Medium. The absence of specific retention periods for key data categories (prompts, uploaded images, inferences, usage data) creates compliance exposure under GDPR and CPRA transparency requirements. The carve-out for retention to improve service functionality is broad and could be interpreted to extend retention for data used in ML model training. 3) JURISDICTION FLAGS: EEA and UK users face heightened exposure given GDPR's storage limitation requirements. California users may have rights under CPRA to receive disclosure of specific retention periods, which the policy does not fully address. Other state privacy law frameworks with retention disclosure requirements may also apply. 4) CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers should request specific retention schedules from Midjourney, particularly for data categories including user prompts and uploaded images, to support their own internal data governance and records management obligations. 5) COMPLIANCE CONSIDERATIONS: Compliance teams should assess whether documented retention schedules exist for each data category identified in the CCPA table, whether those schedules are operationally enforced, whether the service improvement carve-out is scoped and documented, and whether CPRA's retention disclosure requirements are met in the California-specific section of the policy.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The policy does not specify fixed retention periods for most data categories, instead using purpose-based retention language; the carve-out allowing extended retention to improve service functionality could cover a broad range of operational activities.
Personal data may be retained beyond the initial service purpose if Midjourney determines it is needed for legal obligations, dispute resolution, or service improvement; users who wish to request deletion before natural retention expiry can do so through account settings.
ConductAtlas has identified this type of provision across 65 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Midjourney.