When the service ends, Mistral AI will delete or return your personal data. After 30 days from termination, the data will no longer be accessible.
This analysis describes what Mistral AI's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The 30-day post-termination accessibility window defines a hard cutoff after which data retrieval or portability may not be possible, which customers must account for in their own data retention and business continuity planning. The provision defers to Mistral AI's internal deletion policies and procedures rather than specifying a deletion standard, which may limit customer visibility into the actual deletion process.
Business customers must complete any data export or retrieval within 30 days of service termination. The agreement states that deletion is conducted in accordance with Mistral AI's internal policies, which are referenced but not fully detailed in the DPA itself.
How other platforms handle this
Managing And Deleting Your Information. You have the right to access, correct, or delete your information in certain circumstances. We store information until it is no longer necessary to provide our Services or until your account is deleted, whichever comes first. You can delete your WhatsApp accou...
Depending on your location, you may have certain rights regarding your personal information, including the right to access, correct, or delete your personal information, the right to data portability, and the right to opt out of certain data processing activities. To exercise these rights, please co...
Please note there are situations where Spotify is unable to delete your data, for example when: it's still necessary to process the data for the purpose we collected it for; we have an overriding interest in continuing to process the data, for example where we need the data to protect our services f...
Monitoring
Mistral AI has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"After the end of the provision of the Mistral AI Products, Mistral AI will delete or return to Customer all Personal Data Processed on Customer's behalf, in accordance with Mistral AI's deletion policies and procedures. Customer acknowledges that the Personal Data will no longer be accessible upon the expiry of a thirty (30) days period following the termination of the Customer's access to and use of the Mistral AI Products.— Excerpt from Mistral AI's Mistral AI Data Processing Addendum
(1) REGULATORY LANDSCAPE: This provision engages GDPR Article 28(3)(g), which requires processor agreements to address data deletion or return at the end of services. The provision is structured to satisfy this requirement but references Mistral AI's internal deletion policies rather than specifying a technical deletion standard (e.g., cryptographic erasure, secure overwrite). GDPR does not mandate a specific deletion timeline post-termination, but the 30-day window and internal policy reference may be evaluated by supervisory authorities in the context of controller accountability. (2) GOVERNANCE EXPOSURE: Low. The provision is consistent with standard industry practice for processor agreements. The primary risk is operational rather than regulatory: customers that fail to plan for data export before termination may lose access to data they need for their own compliance obligations (e.g., audit logs, records retention). (3) JURISDICTION FLAGS: Customers in regulated sectors (financial services, healthcare, public sector) may have data retention obligations that require access to data beyond 30 days post-termination, creating a conflict between their regulatory requirements and the DPA's deletion timeline. This is particularly relevant in the EU under sector-specific regulations and in the US under HIPAA, SEC, or FINRA record retention rules. (4) CONTRACT AND VENDOR IMPLICATIONS: Procurement teams should assess whether 30 days is sufficient for data export operations at the scale their deployment requires. The reference to Mistral AI's internal deletion policies should prompt a request for documentation of those policies as part of vendor due diligence, to ensure deletion standards meet the customer's own regulatory obligations. (5) COMPLIANCE CONSIDERATIONS: Compliance teams should establish a data export protocol to be executed upon any notice of termination, and should request written confirmation of data deletion from Mistral AI following the 30-day period. Records of the deletion confirmation should be maintained as evidence of GDPR Article 28 compliance.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The 30-day post-termination accessibility window defines a hard cutoff after which data retrieval or portability may not be possible, which customers must account for in their own data retention and business continuity planning. The provision defers to Mistral AI's internal deletion policies and procedures rather than specifying a deletion standard, which may limit customer visibility into the actual deletion process.
Business customers must complete any data export or retrieval within 30 days of service termination. The agreement states that deletion is conducted in accordance with Mistral AI's internal policies, which are referenced but not fully detailed in the DPA itself.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Mistral AI.