Unity keeps your personal data for as long as it says it needs it, based on its own assessment of the purposes, legal requirements, and risk factors, without specifying fixed retention periods for most data types.
This analysis describes what Unity's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The absence of specific, published retention periods for key data types such as advertising identifiers and behavioral data makes it difficult for users to know when their information will be deleted, and regulators in some jurisdictions require more granular retention schedules.
Interpretive note: The criteria-based retention approach creates ambiguity about actual retention durations for specific data types including advertising identifiers and behavioral data; practical retention periods are not disclosed in the consumer-facing policy.
Because the policy does not specify fixed retention periods for advertising identifiers or gameplay data, your behavioral profile may be retained for extended periods determined by Unity's internal criteria, reducing your ability to predict when your data will be deleted without submitting a deletion request.
How other platforms handle this
We retain data as needed to facilitate and personalize your use of CL, combat fraud/abuse and/or as required by law.
We retain your personal information for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements, to resolve disputes, and to enforce our agreements. When we no longer need to use your personal ...
We retain personal data for as long as necessary to fulfill the purposes for which it was collected, including to satisfy any legal, accounting, or reporting requirements, to resolve disputes, and to enforce our agreements. The criteria used to determine our retention periods include: the length of ...
Monitoring
Unity has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"We retain personal data for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements, or to resolve disputes. The criteria used to determine our retention periods include the nature and sensitivity of the data, the potential risk of harm from unauthorized use or disclosure, the purposes for which we process your data, whether we can achieve those purposes through other means, and applicable legal requirements.— Excerpt from Unity's Unity Privacy Policy
REGULATORY LANDSCAPE: GDPR's storage limitation principle (Article 5(1)(e)) requires that personal data be kept for no longer than necessary for specified purposes, and GDPR recital 39 indicates that specific retention periods or criteria should be documented. The policy's criteria-based approach rather than fixed-period approach is technically permissible but may require fuller documentation in privacy records of processing activities (Article 30) to satisfy supervisory authority scrutiny. CCPA and CPRA do not impose specific retention limits but require disclosure of retention practices. GOVERNANCE EXPOSURE: Medium. Criteria-based retention without published periods is a common industry practice but creates audit risk if internal retention schedules do not exist or are not consistently applied. Supervisory authorities in the EU have issued guidance expecting controllers to document specific retention periods in their Article 30 records even if these are not published in consumer-facing policies. JURISDICTION FLAGS: EU and EEA users have the strongest protection under GDPR's storage limitation principle. California users may request disclosure of retention practices under CPRA. UK ICO guidance similarly expects documented retention periods. CONTRACT AND VENDOR IMPLICATIONS: Organizations with data processing agreements with Unity should consider contractually requiring disclosure of Unity's internal retention schedules for data types relevant to their products. This is particularly important for organizations subject to sector-specific retention limits. COMPLIANCE CONSIDERATIONS: Compliance teams should request Unity's internal data retention schedule as part of vendor due diligence and verify that it is consistent with the company's GDPR Article 30 records. The absence of published retention periods for advertising identifiers should be flagged for review in the context of the storage limitation principle.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The absence of specific, published retention periods for key data types such as advertising identifiers and behavioral data makes it difficult for users to know when their information will be deleted, and regulators in some jurisdictions require more granular retention schedules.
Because the policy does not specify fixed retention periods for advertising identifiers or gameplay data, your behavioral profile may be retained for extended periods determined by Unity's internal criteria, reducing your ability to predict when your data will be deleted without submitting a deletion request.
ConductAtlas has identified this type of provision across 65 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Unity.