NVIDIA keeps your personal data for as long as it determines necessary for business or legal purposes, without specifying fixed retention periods for most data categories.
This analysis describes what NVIDIA NIM's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The policy does not specify defined retention periods for most categories of personal data, instead relying on a purpose-based standard; this approach may require evaluation under GDPR's storage limitation principle and equivalent requirements in other jurisdictions.
Interpretive note: The absence of specific retention periods for individual data categories creates ambiguity about how long particular types of data including AI training inputs will be retained.
The updated Privacy Policy removes all disclosure language about how NVIDIA and third-party partners use cookies and other tracking technologies. Previously, the policy stated that cookies were used 'to collect and record information' for 'performance improvement, analytics, and to assist in our marketing efforts' and described consent mechanisms like 'Accept All' and 'Manage Settings'. The updated policy contains no equivalent disclosure of these tracking practices, data collection methods, or consent options. You can review NVIDIA's full Privacy Policy at their Privacy Center, though the updated version no longer describes cookie and tracking technology practices that were previously disclosed.
View change record →Personal data collected by NVIDIA may be retained indefinitely as long as NVIDIA determines a purpose exists; users wishing to limit retention periods can submit deletion requests through the privacy request portal, subject to applicable legal hold and business need exceptions.
How other platforms handle this
We retain personal information for as long as necessary to provide our services, comply with legal obligations, resolve disputes, and enforce our agreements. The specific retention periods depend on the type of information and the purposes for which it is processed.
We keep information for as long as we need it to provide our products, comply with legal obligations, or for other legitimate purposes, such as to maintain safety, security, and integrity.
After your account is deleted, we keep data about interactions you've had on our service to prevent abuse, ban evaders and others in an effort to protect and ensure the safety and security of our service and our members.
Monitoring
NVIDIA NIM has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"We retain personal information for as long as necessary to fulfill the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements, or as required or permitted by applicable law. When determining the appropriate retention period, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure, and the purposes for which we process your data.— Excerpt from NVIDIA NIM's NVIDIA Privacy Policy
1) REGULATORY LANDSCAPE: This provision implicates GDPR Article 5(1)(e), which requires that personal data be kept in a form that permits identification for no longer than necessary for the purposes for which it is processed (storage limitation principle). The lack of specified retention periods for individual data categories may require evaluation against GDPR's requirement that retention periods be communicated to data subjects at the time of collection under Articles 13 and 14. CCPA/CPRA does not specify maximum retention periods but requires disclosure of retention practices; the CPPA has proposed rules requiring more granular retention period disclosure. 2) GOVERNANCE EXPOSURE: Medium. Purpose-based retention standards without defined periods are common in industry practice but create compliance exposure under GDPR's storage limitation principle, particularly for AI training data where the ongoing utility of retained data may be difficult to bound. Regulatory guidance from the EDPB and several EU DPAs has indicated that vague purpose-based retention language is insufficient without accompanying specific timeframes or criteria for determining retention periods. 3) JURISDICTION FLAGS: EU/EEA users are most exposed given GDPR Article 5(1)(e) and EDPB guidance on retention. California's proposed CPPA rules on retention period disclosure may create heightened obligations for California users. UK ICO guidance similarly requires more specific retention criteria than a general purpose-based standard. 4) CONTRACT AND VENDOR IMPLICATIONS: Enterprise data processing agreements should specify contractual retention periods for data processed on the customer's behalf and require deletion or return of data upon contract termination. Where NVIDIA processes AI training data derived from enterprise customer inputs, the DPA should clarify whether and when such data is deleted from model training pipelines. 5) COMPLIANCE CONSIDERATIONS: Compliance teams should request NVIDIA's data retention schedule for the specific data categories relevant to their engagement; assess whether retention periods for AI training data are defined and bounded; verify that deletion workflows are operationalized for consumer rights requests; and evaluate whether the policy's retention disclosure satisfies GDPR Articles 13 and 14 transparency requirements for specific categories of personal data.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The policy does not specify defined retention periods for most categories of personal data, instead relying on a purpose-based standard; this approach may require evaluation under GDPR's storage limitation principle and equivalent requirements in other jurisdictions.
Personal data collected by NVIDIA may be retained indefinitely as long as NVIDIA determines a purpose exists; users wishing to limit retention periods can submit deletion requests through the privacy request portal, subject to applicable legal hold and business need exceptions.
ConductAtlas has identified this type of provision across 136 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by NVIDIA NIM.