One Identity keeps your personal data for as long as it considers necessary for business or legal reasons, without committing to a specific maximum retention period.
This analysis describes what OneLogin's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Without fixed retention periods, users cannot know how long their data will be held, which limits their ability to plan for or request deletion of their information.
Interpretive note: The practical retention period for any specific data category depends on One Identity's internal schedules, which are not disclosed in the policy, creating uncertainty about actual data lifespans.
The updated policy discloses that OneLogin may record calls with consent and use AI to analyze call transcripts, chat conversations, and sales emails for multiple purposes including follow-up task identification, call summarization, sales analytics, communication effectiveness analysis, and forecast modeling. Under the revised terms, recorded call audio and video may be reviewed for employee training, monitoring, and coaching purposes. The policy also states that OneLogin will save chat and call conversation data to inform future interactions. These practices apply when you communicate with OneLogin via phone calls, chat, email, text, or other teleconference solutions. You should review the updated disclosure to understand how your communication data will be processed and retained.
View change record →The updated policy removes explicit language describing how OneLogin uses AI to analyze customer communications. Previously, the policy stated that call audio and video would be recorded with consent and analyzed using AI to identify follow-up tasks, summarize calls, and conduct sales analytics; that chatbot conversations would be analyzed and saved; and that sales emails would be analyzed to determine communication efficacy and forecast next steps. These specific AI analysis practices are no longer described in the updated policy. The revised language also narrows one stated data use purpose, changing 'answers or services you have asked or licensed' to 'services you have purchased.' No consumer opt-out mechanisms or alternative disclosures are provided in the change text.
View change record →Your personal data may be retained indefinitely if One Identity determines it remains necessary for business purposes, making it difficult to predict when data will be deleted even after you stop using the service. This open-ended retention language may create tension with data minimization principles in jurisdictions like the EU.
How other platforms handle this
We retain personal information for as long as necessary to provide our services, comply with legal obligations, resolve disputes, and enforce our agreements. The specific retention periods depend on the type of information and the purposes for which it is processed.
We keep information for as long as we need it to provide our products, comply with legal obligations, or for other legitimate purposes, such as to maintain safety, security, and integrity.
After your account is deleted, we keep data about interactions you've had on our service to prevent abuse, ban evaders and others in an effort to protect and ensure the safety and security of our service and our members.
Monitoring
OneLogin has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"We will only keep your personal information for as long as it is necessary for the purposes set out in this privacy notice, unless a longer retention period is required or permitted by law (such as tax, accounting, or other legal requirements).— Excerpt from OneLogin's OneLogin Privacy Policy
1) REGULATORY LANDSCAPE: This provision implicates GDPR Article 5(1)(e), which requires that personal data be kept in a form permitting identification no longer than necessary for the purposes for which it is processed (storage limitation principle). The relevant enforcement authorities are EU and UK Data Protection Authorities. The open-ended retention formulation, while common in privacy policies, may be insufficient under GDPR without documented retention schedules specifying concrete periods or criteria for each data category. 2) GOVERNANCE EXPOSURE: Medium. The provision does not specify retention periods by data category or processing purpose, which makes it difficult for regulators or data subjects to assess compliance. DPA guidance in several EU member states requires that retention periods or the criteria used to determine them be disclosed to data subjects in the privacy notice itself. 3) JURISDICTION FLAGS: EU/EEA and UK users face the highest exposure given GDPR and UK GDPR storage limitation requirements. California users have CPRA rights to request deletion, which indirectly pressures defined retention practices. Organizations subject to sector-specific retention requirements (financial services, healthcare) should verify that One Identity's retention practices align with applicable legal minimums and maximums. 4) CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers using One Identity as a data processor should ensure that their DPA specifies concrete retention and deletion timelines for customer-controlled data, and includes contractual obligations for One Identity to delete or return data upon contract termination. The policy's open-ended language may not satisfy processor obligations under GDPR Article 28. 5) COMPLIANCE CONSIDERATIONS: Legal teams should request One Identity's internal data retention schedule and verify that retention criteria are documented for each category of personal data processed. If One Identity is used as a processor, DPAs should specify deletion timelines and confirm that these are operationally implemented. Any discrepancy between the policy's open-ended language and regulatory requirements for documented retention criteria should be flagged for remediation.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Without fixed retention periods, users cannot know how long their data will be held, which limits their ability to plan for or request deletion of their information.
Your personal data may be retained indefinitely if One Identity determines it remains necessary for business purposes, making it difficult to predict when data will be deleted even after you stop using the service. This open-ended retention language may create tension with data minimization principles in jurisdictions like the EU.
ConductAtlas has identified this type of provision across 3 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by OneLogin.