One Identity keeps your personal data for as long as it considers necessary for business or legal reasons, without committing to a specific maximum retention period.
This analysis describes what OneLogin's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Without fixed retention periods, users cannot know how long their data will be held, which limits their ability to plan for or request deletion of their information.
Interpretive note: The practical retention period for any specific data category depends on One Identity's internal schedules, which are not disclosed in the policy, creating uncertainty about actual data lifespans.
The updated policy discloses that OneLogin may record calls with consent and use AI to analyze call transcripts, chat conversations, and sales emails for multiple purposes including follow-up task id…
Your personal data may be retained indefinitely if One Identity determines it remains necessary for business purposes, making it difficult to predict when data will be deleted even after you stop using the service. This open-ended retention language may create tension with data minimization principles in jurisdictions like the EU.
How other platforms handle this
We retain personal information for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by applicable law. The criteria used to determine our retention periods include the length of time we have an ongoing relationsh...
We retain personal data for as long as necessary to fulfill the purposes for which it was collected, including to satisfy any legal, accounting, or reporting requirements, to resolve disputes, and to enforce our agreements. The criteria used to determine our retention periods include: the length of ...
Slack (Sees no code data): We use Slack for internal communications. We may discuss logs of data for debugging purposes from users that are not using Zero-data retention mode. Google Workspace (Sees no code data): We use Google Workspace for collaboration. We may discuss logs of data for debugging p...
Monitoring
OneLogin has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"We will only keep your personal information for as long as it is necessary for the purposes set out in this privacy notice, unless a longer retention period is required or permitted by law (such as tax, accounting, or other legal requirements).— Excerpt from OneLogin's OneLogin Privacy Policy
1) REGULATORY LANDSCAPE: This provision implicates GDPR Article 5(1)(e), which requires that personal data be kept in a form permitting identification no longer than necessary for the purposes for which it is processed (storage limitation principle). The relevant enforcement authorities are EU and UK Data Protection Authorities. The open-ended retention formulation, while common in privacy policies, may be insufficient under GDPR without documented retention schedules specifying concrete periods or criteria for each data category. 2) GOVERNANCE EXPOSURE: Medium. The provision does not specify retention periods by data category or processing purpose, which makes it difficult for regulators or data subjects to assess compliance. DPA guidance in several EU member states requires that retention periods or the criteria used to determine them be disclosed to data subjects in the privacy notice itself. 3) JURISDICTION FLAGS: EU/EEA and UK users face the highest exposure given GDPR and UK GDPR storage limitation requirements. California users have CPRA rights to request deletion, which indirectly pressures defined retention practices. Organizations subject to sector-specific retention requirements (financial services, healthcare) should verify that One Identity's retention practices align with applicable legal minimums and maximums. 4) CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers using One Identity as a data processor should ensure that their DPA specifies concrete retention and deletion timelines for customer-controlled data, and includes contractual obligations for One Identity to delete or return data upon contract termination. The policy's open-ended language may not satisfy processor obligations under GDPR Article 28. 5) COMPLIANCE CONSIDERATIONS: Legal teams should request One Identity's internal data retention schedule and verify that retention criteria are documented for each category of personal data processed. If One Identity is used as a processor, DPAs should specify deletion timelines and confirm that these are operationally implemented. Any discrepancy between the policy's open-ended language and regulatory requirements for documented retention criteria should be flagged for remediation.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Without fixed retention periods, users cannot know how long their data will be held, which limits their ability to plan for or request deletion of their information.
Your personal data may be retained indefinitely if One Identity determines it remains necessary for business purposes, making it difficult to predict when data will be deleted even after you stop using the service. This open-ended retention language may create tension with data minimization principles in jurisdictions like the EU.
ConductAtlas has identified this type of provision across 2 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by OneLogin.