User Rights to Access, Deletion, and Portability

What it is

Depending on where you live, you may have the right to see the data Uber holds about you, ask for it to be corrected or deleted, receive a copy you can transfer elsewhere, or object to certain uses of your data.

Why it matters (compliance & governance perspective)

The provision establishes a procedural mechanism through which users can exercise data subject rights under applicable privacy regulations. It defines the scope of requests Uber will process and ties authorization to legal applicability, which determines enforceable obligations in different jurisdictions.

Consumer impact (what this means for users)

Riders in the EU, UK, California, and other jurisdictions with comprehensive privacy laws can formally request access to, deletion of, or a portable copy of their Uber data, which includes trip history, location records, and inferred attributes, though the scope of these rights varies by location.

What you can do

Institutional analysis (Compliance & governance intelligence)

REGULATORY LANDSCAPE: GDPR Articles 15-22 establish rights of access, rectification, erasure, restriction, portability, and objection for EU/EEA users. The UK GDPR mirrors these rights for UK users. The CCPA/CPRA establishes similar rights for California residents, including the right to know, delete, correct, and opt out of sale or sharing. The California Privacy Protection Agency and EU Data Protection Authorities are the relevant enforcement bodies. The notice's qualification that rights apply 'to the extent applicable law allows' is standard but means the practical scope varies significantly by jurisdiction. GOVERNANCE EXPOSURE: Medium. The operationalization of data subject rights at scale represents a significant compliance requirement. Failure to respond to valid requests within statutory timeframes (30 days under CCPA, one month under GDPR) or to fulfill rights completely can result in regulatory action. The breadth of data Uber holds, including location history and inferred attributes, makes complete and accurate responses to access requests operationally complex. JURISDICTION FLAGS: EU/EEA and UK users have the broadest statutory rights and access to supervisory authority complaints processes. California residents have CCPA/CPRA rights enforced by the California Privacy Protection Agency. Users in other US states with comprehensive privacy laws (Virginia, Colorado, Connecticut, Texas, and others) have varying rights depending on their state's legislation. Users in jurisdictions without comprehensive privacy laws may have limited statutory rights beyond those Uber voluntarily extends. CONTRACT AND VENDOR IMPLICATIONS: Enterprise Uber for Business clients may receive data subject requests from employees relating to data generated through business accounts, creating a need to coordinate with Uber on fulfillment responsibilities and establish clear contractual obligations around request handling. COMPLIANCE CONSIDERATIONS: Compliance teams should verify that Uber's data subject request handling processes meet the response timeframes and completeness requirements of each applicable jurisdiction. The portal at privacy.uber.com should be assessed for accessibility and whether it adequately surfaces all available rights to users in each jurisdiction. Identity verification processes for data subject requests should be reviewed to confirm they are not so burdensome as to effectively deter legitimate rights exercises.

Applicable agencies

Applicable regulations

Provision details

Other risks in this policy

• Background and Continuous Location Collection medium
• Advertising Data Sharing With Third-Party Platforms medium
• Data Sharing With Drivers and Merchants low
• Government and Law Enforcement Data Disclosure medium
• Data Retention medium
• Cross-Border Data Transfers medium