Noom keeps your personal data for as long as it needs to run the service and meet legal requirements, but does not specify exact retention periods for most data categories.
This analysis describes what Noom's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The clause creates a operational framework where data persistence is tied to multiple institutional justifications rather than a fixed timeline, requiring Noom to apply differentiated retention standards across its data holdings.
Interpretive note: The policy's retention language is broadly stated without specific periods, making it difficult to assess whether actual practices align with GDPR storage limitation and CPRA disclosure requirements.
Your health and personal data may be retained by Noom for an indefinite period based on broadly stated business and legal needs, with no specific timeframes given for most categories; users who want their data deleted should submit an explicit deletion request rather than assuming data is purged after inactivity.
How other platforms handle this
We retain personal data for as long as needed to provide our services, comply with our legal obligations, resolve disputes, and enforce our policies. Retention periods will vary depending on the type of data and the purposes for which we use it.
Microsoft retains personal data for as long as necessary to provide the products and fulfill the transactions you have requested, or for other legitimate purposes such as complying with our legal obligations, resolving disputes, and enforcing our agreements. Because these needs can vary for differen...
We keep information as long as we need it to provide our products and services and fulfil the purposes described in this policy. This is a case-by-case determination that depends on things like the nature of the information, why it is collected and processed, relevant legal or operational retention ...
Monitoring
Noom has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"We retain your personal information for as long as necessary to provide our Services, comply with our legal obligations, resolve disputes, and enforce our agreements. The specific retention period depends on the type of data and the purpose for which it was collected.— Excerpt from Noom's Noom Privacy Policy
REGULATORY LANDSCAPE: GDPR requires that personal data be kept for no longer than necessary for the specified purpose (storage limitation principle); CPRA requires businesses to disclose retention periods or the criteria used to determine them; vague retention language stating data is held as long as necessary without specifying criteria or periods may not fully satisfy GDPR or CPRA disclosure requirements; the FTC has also emphasized data minimization and retention limitation in its guidance on health data. GOVERNANCE EXPOSURE: Medium. The absence of specific retention periods for health and sensitive data categories in the policy creates a compliance gap relative to GDPR storage limitation requirements and CPRA disclosure obligations; this is an area where regulatory guidance has increasingly required specificity rather than general statements. JURISDICTION FLAGS: EU/EEA and UK (GDPR and UK GDPR storage limitation principle requires defined or determinable retention periods); California (CPRA requires disclosure of retention periods or criteria); other US states with comprehensive privacy laws increasingly require similar disclosures. CONTRACT AND VENDOR IMPLICATIONS: Vendor contracts should specify data retention and deletion obligations to ensure that downstream processors do not retain Noom user data beyond permissible periods; particularly relevant for advertising and analytics partners who may maintain separate data stores. COMPLIANCE CONSIDERATIONS: Compliance teams should develop and publish category-specific data retention schedules that satisfy GDPR and CPRA disclosure requirements; automated deletion workflows for data past its retention period should be implemented and auditable; particular attention should be paid to health data retention given the heightened sensitivity of this category.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The clause creates a operational framework where data persistence is tied to multiple institutional justifications rather than a fixed timeline, requiring Noom to apply differentiated retention standards across its data holdings.
Your health and personal data may be retained by Noom for an indefinite period based on broadly stated business and legal needs, with no specific timeframes given for most categories; users who want their data deleted should submit an explicit deletion request rather than assuming data is purged after inactivity.
ConductAtlas has identified this type of provision across 64 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Noom.