Noom keeps your personal data for as long as it needs to run the service and meet legal requirements, but does not specify exact retention periods for most data categories.
This analysis describes what Noom's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Without specific retention periods, users cannot know how long their sensitive health data will be held, making it harder to assess long-term privacy exposure.
Interpretive note: The policy's retention language is broadly stated without specific periods, making it difficult to assess whether actual practices align with GDPR storage limitation and CPRA disclosure requirements.
Your health and personal data may be retained by Noom for an indefinite period based on broadly stated business and legal needs, with no specific timeframes given for most categories; users who want their data deleted should submit an explicit deletion request rather than assuming data is purged after inactivity.
How other platforms handle this
We retain personal information for as long as necessary to provide our services, comply with legal obligations, resolve disputes, and enforce our agreements. The specific retention periods depend on the type of information and the purposes for which it is processed.
We keep information for as long as we need it to provide our products, comply with legal obligations, or for other legitimate purposes, such as to maintain safety, security, and integrity.
After your account is deleted, we keep data about interactions you've had on our service to prevent abuse, ban evaders and others in an effort to protect and ensure the safety and security of our service and our members.
Monitoring
Noom has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"We retain your personal information for as long as necessary to provide our Services, comply with our legal obligations, resolve disputes, and enforce our agreements. The specific retention period depends on the type of data and the purpose for which it was collected.— Excerpt from Noom's Noom Privacy Policy
REGULATORY LANDSCAPE: GDPR requires that personal data be kept for no longer than necessary for the specified purpose (storage limitation principle); CPRA requires businesses to disclose retention periods or the criteria used to determine them; vague retention language stating data is held as long as necessary without specifying criteria or periods may not fully satisfy GDPR or CPRA disclosure requirements; the FTC has also emphasized data minimization and retention limitation in its guidance on health data. GOVERNANCE EXPOSURE: Medium. The absence of specific retention periods for health and sensitive data categories in the policy creates a compliance gap relative to GDPR storage limitation requirements and CPRA disclosure obligations; this is an area where regulatory guidance has increasingly required specificity rather than general statements. JURISDICTION FLAGS: EU/EEA and UK (GDPR and UK GDPR storage limitation principle requires defined or determinable retention periods); California (CPRA requires disclosure of retention periods or criteria); other US states with comprehensive privacy laws increasingly require similar disclosures. CONTRACT AND VENDOR IMPLICATIONS: Vendor contracts should specify data retention and deletion obligations to ensure that downstream processors do not retain Noom user data beyond permissible periods; particularly relevant for advertising and analytics partners who may maintain separate data stores. COMPLIANCE CONSIDERATIONS: Compliance teams should develop and publish category-specific data retention schedules that satisfy GDPR and CPRA disclosure requirements; automated deletion workflows for data past its retention period should be implemented and auditable; particular attention should be paid to health data retention given the heightened sensitivity of this category.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Without specific retention periods, users cannot know how long their sensitive health data will be held, making it harder to assess long-term privacy exposure.
Your health and personal data may be retained by Noom for an indefinite period based on broadly stated business and legal needs, with no specific timeframes given for most categories; users who want their data deleted should submit an explicit deletion request rather than assuming data is purged after inactivity.
ConductAtlas has identified this type of provision across 65 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Noom.