When you deactivate your X account, your data is not immediately deleted; X states it may retain personal data for up to 30 days before deletion and may keep certain data longer for legal or business reasons.
This analysis describes what X's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision states that account deactivation does not result in immediate data deletion, and that certain personal data may be retained beyond the 30-day period for legal compliance or legitimate business purposes, which affects the practical scope of users' right to erasure.
Interpretive note: The policy's reference to 'legitimate business purposes' as a basis for extended retention is broad and its application to specific data categories is not defined within the available document text.
Deactivating your X account does not immediately delete your personal data; the policy states X may retain it for up to 30 days and may keep some data longer. Users who want permanent deletion should submit a formal data deletion request rather than relying on deactivation alone.
How other platforms handle this
Some operating system developers, such as Apple, allow mobile application users to request deletion of accounts created within an application. If you request deletion of your account, State Farm may still retain your information for legal, auditing, regulatory and business purposes. Retention period...
You may request deletion of your account at any time. When you request account deletion, we will delete or anonymize your personal information unless we are required to retain it by law, or unless we need to retain it for legitimate business purposes such as resolving disputes, enforcing our agreeme...
We generally retain your personal data as long as you keep your account open or as needed to provide you Services. This includes data you or others provided to us and data generated or inferred from your use of our Services. Even if you only use our Services when looking for a new job every few year...
Monitoring
X has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"We keep different types of information for different time periods. We keep your personal data for as long as we need to for the purposes described in this Privacy Policy. We may also keep personal data for longer periods if required by applicable laws and regulations, or to protect our legal interests. When you deactivate your X account, your posts become invisible within X, but we may retain your personal data for up to 30 days before deletion in case you reactivate, and may retain certain data for longer periods as required by law or for legitimate business purposes.— Excerpt from X's X Privacy Policy
REGULATORY LANDSCAPE: This provision engages GDPR Article 17 (right to erasure) and Article 5(1)(e) (storage limitation principle), which require that personal data not be retained longer than necessary for its original purpose. The 'legitimate business purposes' exception cited in the policy is broadly stated and may require further justification to satisfy GDPR's accountability principle. CCPA also grants California residents the right to request deletion, and retention exceptions must be specifically enumerated. GOVERNANCE EXPOSURE: Medium. The 30-day retention window following deactivation is a disclosed and relatively standard practice. However, the 'longer periods for legitimate business purposes' language is broad and may not satisfy the specificity required under GDPR Article 5(1)(e) for retention periods to be demonstrably necessary. JURISDICTION FLAGS: EU and UK users exercising the right to erasure may find that the 'legitimate business purposes' exception is interpreted more narrowly by EU supervisory authorities than the policy language suggests. California residents submitting deletion requests under CCPA/CPRA should verify that all applicable data categories are addressed in X's response. CONTRACT AND VENDOR IMPLICATIONS: Organizations that process X user data in downstream systems should account for X's retention practices in their own data retention schedules and erasure response procedures. COMPLIANCE CONSIDERATIONS: Compliance teams should ensure that data deletion request workflows account for the 30-day retention window and document the legal basis for any retention beyond that period. Records of Processing Activities should reflect actual retention schedules for each data category rather than relying on the broadly stated policy language.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision states that account deactivation does not result in immediate data deletion, and that certain personal data may be retained beyond the 30-day period for legal compliance or legitimate business purposes, which affects the practical scope of users' right to erasure.
Deactivating your X account does not immediately delete your personal data; the policy states X may retain it for up to 30 days and may keep some data longer. Users who want permanent deletion should submit a formal data deletion request rather than relying on deactivation alone.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by X.