When you deactivate your X account, your data is not immediately deleted; X states it may retain personal data for up to 30 days before deletion and may keep certain data longer for legal or business reasons.
This analysis describes what X's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision states that account deactivation does not result in immediate data deletion, and that certain personal data may be retained beyond the 30-day period for legal compliance or legitimate business purposes, which affects the practical scope of users' right to erasure.
Interpretive note: The policy's reference to 'legitimate business purposes' as a basis for extended retention is broad and its application to specific data categories is not defined within the available document text.
Deactivating your X account does not immediately delete your personal data; the policy states X may retain it for up to 30 days and may keep some data longer. Users who want permanent deletion should submit a formal data deletion request rather than relying on deactivation alone.
How other platforms handle this
After your account is deleted, we keep data about interactions you've had on our service to prevent abuse, ban evaders and others in an effort to protect and ensure the safety and security of our service and our members.
We retain your personal information for as long as necessary to provide our Services, comply with our legal obligations, resolve disputes, and enforce our agreements. Even after you close your account, we may retain certain information as required by law or for our legitimate business purposes.
We retain personal information for as long as necessary to provide our services, comply with legal obligations, resolve disputes, and enforce our agreements. The specific retention periods depend on the type of information and the purposes for which it is processed.
Monitoring
X has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"We keep different types of information for different time periods. We keep your personal data for as long as we need to for the purposes described in this Privacy Policy. We may also keep personal data for longer periods if required by applicable laws and regulations, or to protect our legal interests. When you deactivate your X account, your posts become invisible within X, but we may retain your personal data for up to 30 days before deletion in case you reactivate, and may retain certain data for longer periods as required by law or for legitimate business purposes.— Excerpt from X's X Privacy Policy
REGULATORY LANDSCAPE: This provision engages GDPR Article 17 (right to erasure) and Article 5(1)(e) (storage limitation principle), which require that personal data not be retained longer than necessary for its original purpose. The 'legitimate business purposes' exception cited in the policy is broadly stated and may require further justification to satisfy GDPR's accountability principle. CCPA also grants California residents the right to request deletion, and retention exceptions must be specifically enumerated. GOVERNANCE EXPOSURE: Medium. The 30-day retention window following deactivation is a disclosed and relatively standard practice. However, the 'longer periods for legitimate business purposes' language is broad and may not satisfy the specificity required under GDPR Article 5(1)(e) for retention periods to be demonstrably necessary. JURISDICTION FLAGS: EU and UK users exercising the right to erasure may find that the 'legitimate business purposes' exception is interpreted more narrowly by EU supervisory authorities than the policy language suggests. California residents submitting deletion requests under CCPA/CPRA should verify that all applicable data categories are addressed in X's response. CONTRACT AND VENDOR IMPLICATIONS: Organizations that process X user data in downstream systems should account for X's retention practices in their own data retention schedules and erasure response procedures. COMPLIANCE CONSIDERATIONS: Compliance teams should ensure that data deletion request workflows account for the 30-day retention window and document the legal basis for any retention beyond that period. Records of Processing Activities should reflect actual retention schedules for each data category rather than relying on the broadly stated policy language.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision states that account deactivation does not result in immediate data deletion, and that certain personal data may be retained beyond the 30-day period for legal compliance or legitimate business purposes, which affects the practical scope of users' right to erasure.
Deactivating your X account does not immediately delete your personal data; the policy states X may retain it for up to 30 days and may keep some data longer. Users who want permanent deletion should submit a formal data deletion request rather than relying on deactivation alone.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by X.