TaskRabbit keeps your personal data for as long as it needs to provide the service or meet legal requirements, and will delete or de-identify it when it is no longer needed, but no specific maximum retention period is stated.
This analysis describes what TaskRabbit's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision establishes TaskRabbit's operational framework for personal information lifecycle management, defining both the retention period (necessity-based) and the disposition mechanism (deletion or deidentification) that governs when personal data transitions out of active use.
Your personal data, including sensitive categories such as criminal background check results and government ID documents, may be retained indefinitely under the policy's flexible 'as long as necessary' standard, with no stated maximum period for any data category.
How other platforms handle this
We retain personal data for as long as needed to provide our services, comply with our legal obligations, resolve disputes, and enforce our policies. Retention periods will vary depending on the type of data and the purposes for which we use it.
Microsoft retains personal data for as long as necessary to provide the products and fulfill the transactions you have requested, or for other legitimate purposes such as complying with our legal obligations, resolving disputes, and enforcing our agreements. Because these needs can vary for differen...
We keep information as long as we need it to provide our products and services and fulfil the purposes described in this policy. This is a case-by-case determination that depends on things like the nature of the information, why it is collected and processed, relevant legal or operational retention ...
Monitoring
TaskRabbit has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"We retain your Personal Information for as long as necessary to provide you with our products or services and fulfill the purposes described in this Privacy Policy. When we no longer need to use your information and there is no need for us to keep it to comply with our legal obligations or to the extent permitted under applicable laws, we'll either delete it from our systems or deidentify it so that we can't use it to reidentify you.— Excerpt from TaskRabbit's TaskRabbit Privacy Policy
1. REGULATORY LANDSCAPE: GDPR Article 5(1)(e) requires that personal data be kept in a form that permits identification of data subjects for no longer than necessary for the processing purposes (storage limitation principle). Specific retention schedules are considered best practice and may be required under sector-specific regulations. CCPA does not mandate specific retention periods but requires that the purposes for collection be disclosed, and retaining data beyond those purposes may create risk. 2. GOVERNANCE EXPOSURE: Medium. The policy's open-ended retention language without category-specific schedules does not satisfy GDPR storage limitation best practices and may be questioned by EEA or UK supervisory authorities during audits or complaint investigations. For criminal history data subject to GDPR Article 10, the absence of a retention limit is a notable gap. 3. JURISDICTION FLAGS: EEA and UK supervisory authorities (including the UK ICO) have taken enforcement action against controllers who retain data without documented, purpose-limited retention schedules. California's CCPA requires that personal information not be retained 'longer than reasonably necessary for the disclosed purpose.' Quebec Law 25 requires disclosure of retention periods or criteria used to determine them. 4. CONTRACT AND VENDOR IMPLICATIONS: Service provider and processor agreements should include contractual retention limits aligned with Taskrabbit's retention policy, and processors should be required to certify deletion upon contract termination. The policy's de-identification alternative to deletion should be verified against applicable standards (GDPR recital 26, CCPA definition of deidentified information) to confirm re-identification risk is adequately mitigated. 5. COMPLIANCE CONSIDERATIONS: Compliance teams should develop and publish category-specific retention schedules, particularly for sensitive data categories including government ID, SSN, criminal history, and financial data. A periodic data inventory and deletion audit process should be documented. For EEA and UK operations, a records of processing activities document under GDPR Article 30 should include retention periods or criteria for each processing purpose.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision establishes TaskRabbit's operational framework for personal information lifecycle management, defining both the retention period (necessity-based) and the disposition mechanism (deletion or deidentification) that governs when personal data transitions out of active use.
Your personal data, including sensitive categories such as criminal background check results and government ID documents, may be retained indefinitely under the policy's flexible 'as long as necessary' standard, with no stated maximum period for any data category.
ConductAtlas has identified this type of provision across 65 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by TaskRabbit.