Uber keeps your personal data for as long as it needs to for its services, legal obligations, and dispute resolution, without specifying a fixed deletion timeline for most data categories.
This analysis describes what Uber's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
The clause defines the temporal scope of Uber's data retention authority by tying retention duration to specific operational and legal purposes rather than establishing a fixed retention period, which permits retention to extend across different timeframes depending on the applicable purpose.
Interpretive note: The notice does not specify maximum retention periods for individual data categories, and the 'as long as necessary' standard's practical duration depends on Uber's internal determination, which is not disclosed in the consumer-facing document.
The notice states that Uber retains personal data, including trip records and location history, for as long as necessary for stated purposes without specifying maximum retention periods for most data categories. Users who wish to limit retention can submit a deletion request through privacy.uber.com.
How other platforms handle this
We retain personal data for as long as needed to provide our services, comply with our legal obligations, resolve disputes, and enforce our policies. Retention periods will vary depending on the type of data and the purposes for which we use it.
Microsoft retains personal data for as long as necessary to provide the products and fulfill the transactions you have requested, or for other legitimate purposes such as complying with our legal obligations, resolving disputes, and enforcing our agreements. Because these needs can vary for differen...
We keep information as long as we need it to provide our products and services and fulfil the purposes described in this policy. This is a case-by-case determination that depends on things like the nature of the information, why it is collected and processed, relevant legal or operational retention ...
Monitoring
Uber has changed this document before.
"Uber retains user personal data for as long as necessary to fulfill the purposes outlined in this notice, including for the purposes of satisfying any legal, accounting, or reporting requirements, or to resolve disputes." — Excerpt from Uber's Uber Privacy Notice
1. REGULATORY LANDSCAPE: GDPR's storage limitation principle requires that personal data not be retained longer than necessary for the specified purpose, and requires data controllers to document retention schedules. CCPA does not impose a specific retention limit but requires disclosure of the retention period or the criteria used to determine it. The notice's 'as long as necessary' standard is a commonly used formulation but may face scrutiny under GDPR if not supported by documented retention schedules.

2. GOVERNANCE EXPOSURE: Medium. Regulators in EU jurisdictions have issued guidance and enforcement actions regarding indefinite or overly broad retention language. The absence of specific retention periods in the notice may require supplementary documentation to satisfy GDPR Article 13 transparency requirements.

3. JURISDICTION FLAGS: EU/EEA data protection authorities have required specific retention schedules in enforcement contexts. The Irish Data Protection Commission, as Uber's lead supervisory authority in the EU, would assess retention practices in the context of any GDPR investigation. California's CPRA requires disclosure of the retention period or the criteria used to determine it for each category of personal information collected.

4. CONTRACT AND VENDOR IMPLICATIONS: Data processor agreements should specify retention and deletion obligations for each data category. Third-party processors holding Uber user data should be contractually required to delete data upon termination of the processing relationship or upon receipt of a valid deletion request.

5. COMPLIANCE CONSIDERATIONS: A documented data retention schedule mapping each data category to a specific retention period and legal justification should be maintained internally even if not fully disclosed in the consumer-facing notice. CPRA compliance requires that the retention criteria be included in the privacy notice or a linked document. Deletion request workflows should be tested to confirm data is purged from all systems within required timeframes.
ConductAtlas has identified this type of provision across 65 platforms.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Uber.