What can I do about this clause?

{'method': 'EMAIL', 'recipient': 'privacy@synthesia.io', 'difficulty': 'EASY', 'action_type': 'DELETE_DATA', 'instructions': 'Email privacy@synthesia.io requesting deletion of your biometric data (facial and voice recordings) ahead of account closure, citing applicable law (BIPA §15(a) for Illinois residents, GDPR Art. 17 for EU/UK users, or CCPA §1798.105 for California residents).', 'deadline_days': None, 'deadline_hours': None}

Which regulatory agencies enforce this type of clause?

{'agency': 'State_AG', 'reason': 'Illinois, Texas, and California Attorneys General have enforcement authority over biometric data retention violations under BIPA, CUBI, and CPRA respectively.', 'complaint_url': 'https://www.naag.org/find-my-ag/'}

What is the severity of this clause?

ConductAtlas classifies this Data Retention Policy clause as high severity. Severity reflects the magnitude of rights affected, the breadth of users impacted, and the degree of discretion the platform retains.

Do other platforms have similar clauses?

Yes. ConductAtlas has identified similar Data Retention Policy clauses across approximately 64 other tracked platforms. You can compare how platforms differ on this clause type in the cross-platform comparison view.

Data Retention Policy — Synthesia

Share 𝕏 Share in Share 🔒 PDF

What it is

Synthesia keeps your personal data, including biometric recordings for AI avatars, for as long as your account exists, unless you specifically ask for it to be deleted earlier.

Consumer impact (what this means for users)

Your facial and voice biometric recordings will be stored by Synthesia for the life of your account unless you proactively request deletion — this may conflict with BIPA's mandatory destruction timelines if you are in Illinois.

What you can do

⚠️ These actions may provide transparency or partial mitigation but may not fully address the underlying issue. Effectiveness varies by jurisdiction and individual circumstances.

Delete Your Data

Email privacy@synthesia.io requesting deletion of your biometric data (facial and voice recordings) ahead of account closure, citing applicable law (BIPA §15(a) for Illinois residents, GDPR Art. 17 for EU/UK users, or CCPA §1798.105 for California residents).

Cross-platform context

See how other platforms handle Data Retention Policy and similar clauses.

Compare across platforms →

Need full compliance memos? See Professional →

Why it matters (compliance & risk perspective)

Biometric data retained indefinitely until account closure creates significant legal risk under BIPA, which requires companies to delete biometric data within three years or when the purpose for collection is fulfilled — whichever comes first.

View original clause language

We retain your personal data for as long as your account is active or as needed to provide you with our services. We will retain and use your data to comply with legal obligations, resolve disputes, and enforce agreements. Biometric data collected for custom AI avatars will be retained for the duration of your account unless you request earlier deletion.

Institutional analysis (Compliance & legal intelligence)

(1) REGULATORY FRAMEWORK: GDPR Art. 5(1)(e) requires personal data not be kept longer than necessary (storage limitation principle); BIPA §15(a) requires a publicly available retention schedule and mandates destruction of biometric data within 3 years or when purpose is fulfilled; CCPA/CPRA does not impose specific retention limits but requires disclosure of retention periods. EU DPAs, Illinois AG, and CPPA are enforcement authorities. (2)

🔒

Compliance intelligence locked

Regulatory citations, enforcement risk, and due diligence action items.

Watcher $9.99/mo Professional $149/mo

Watcher: regulatory citations. Professional: full compliance memo.

Applicable agencies

State AG

Illinois, Texas, and California Attorneys General have enforcement authority over biometric data retention violations under BIPA, CUBI, and CPRA respectively.
File a complaint →

Provision details

Document information

Document

Synthesia Privacy Policy

Entity

Synthesia

Document last updated

April 29, 2026

Tracking information

First tracked

April 30, 2026

Last verified

April 30, 2026

Record ID

CA-P-004287

Document ID

CA-D-00470

Evidence Provenance

Source URL

https://www.synthesia.io/privacy-policy

Wayback Machine

View archived versions →

SHA-256

7648d9071447f69ed848238281e6ab982ee2d650c8e20eb74c961b356314a183

Verified

✓ Snapshot stored ✓ Change verified

How to Cite

ConductAtlas Policy Archive
Entity: Synthesia | Document: Synthesia Privacy Policy | Record: CA-P-004287
Captured: 2026-04-30 07:49:32 UTC | SHA-256: 7648d9071447f69e…
URL: https://conductatlas.com/platform/synthesia/synthesia-privacy-policy/data-retention-policy/
Accessed: May 2, 2026

Classification

Severity

High

Data Retention Policy