Uber keeps your personal data for as long as it decides is necessary for business, legal, or dispute resolution purposes, without specifying fixed retention periods for most data categories.
This analysis describes what Uber's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The clause defines the operational scope and duration of data retention by linking retention periods to specific business and legal functions rather than establishing fixed time limits, which affects the company's data management obligations and compliance framework.
Interpretive note: The notice does not specify retention periods for individual data categories, making it difficult to assess whether specific practices satisfy GDPR storage limitation requirements without reviewing Uber's internal retention schedules.
Your trip history, location data, and other personal information may be retained by Uber for extended and unspecified periods, which means older data could remain accessible for advertising, legal, or operational purposes long after a trip or account closure.
How other platforms handle this
We retain personal data for as long as necessary to provide our services, fulfill the purposes described in this Privacy Policy, comply with our legal obligations, resolve disputes, and enforce our agreements. The specific retention period for each category of personal data depends on the purpose fo...
We retain your personal information for as long as necessary to fulfill the purposes outlined in this privacy policy, unless a longer retention period is required or permitted by law. We may also retain and use your information to comply with our legal obligations, resolve disputes, and enforce our ...
Please note there are situations where Spotify is unable to delete your data, for example when: it's still necessary to process the data for the purpose we collected it for; we have an overriding interest in continuing to process the data, for example where we need the data to protect our services f...
Monitoring
Uber has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Uber retains personal data for as long as necessary to fulfill the purposes described in this notice, including for the purposes of satisfying any legal, accounting, or reporting requirements, to resolve disputes, or to enforce our agreements.— Excerpt from Uber's Uber Privacy Notice
REGULATORY LANDSCAPE: GDPR Article 5(1)(e) establishes a storage limitation principle requiring that personal data be kept for no longer than necessary for its stated purpose. The absence of specific retention periods in the notice may create tension with this requirement, as data subjects are entitled to meaningful information about retention under GDPR Article 13/14. The UK GDPR imposes equivalent requirements. CCPA does not impose storage limitation requirements directly but requires disclosure of retention periods or the criteria used to determine them under CPRA amendments. GOVERNANCE EXPOSURE: Medium. Vague retention language creates compliance exposure in GDPR and CPRA jurisdictions where regulators expect specific and documented retention schedules. EU supervisory authorities have taken enforcement action against organizations with inadequate retention documentation. The use of open-ended criteria such as 'as long as necessary' without further specificity may not satisfy GDPR transparency requirements in practice. JURISDICTION FLAGS: EU/EEA users have the strongest regulatory basis to challenge retention practices that are not clearly justified and time-limited. California users have rights under CPRA to know the retention period or criteria. Jurisdictions with sector-specific data retention rules (such as financial services) may impose additional requirements on payment data held by Uber. CONTRACT AND VENDOR IMPLICATIONS: Vendor and partner contracts that involve Uber data should include retention and deletion obligations consistent with Uber's own stated practices. Enterprise clients should request specific retention schedules for employee data processed through Uber for Business accounts. COMPLIANCE CONSIDERATIONS: Compliance teams should assess whether Uber has documented internal retention schedules for each data category that can be disclosed upon regulatory request or data subject inquiry, even if those schedules are not published in full in the notice. A retention schedule review aligned with GDPR and CPRA requirements is advisable, particularly for location, trip history, and device data.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The clause defines the operational scope and duration of data retention by linking retention periods to specific business and legal functions rather than establishing fixed time limits, which affects the company's data management obligations and compliance framework.
Your trip history, location data, and other personal information may be retained by Uber for extended and unspecified periods, which means older data could remain accessible for advertising, legal, or operational purposes long after a trip or account closure.
ConductAtlas has identified this type of provision across 136 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Uber.