Zoom keeps your personal data for as long as it needs to provide its services or as required by law, and may retain some data longer for business reasons such as fraud prevention or resolving disputes.
This analysis describes what Zoom's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision establishes that Zoom does not commit to a fixed retention period for most personal data, instead tying retention to service needs and legal requirements. The carve-out for legitimate business purposes means some data may be retained beyond the period you actively use the service.
Interpretive note: The document does not specify retention periods for individual data categories, making it difficult to assess the practical duration of data retention for specific types of personal data.
Personal data including account information, usage data, and potentially meeting content may be retained by Zoom indefinitely as long as Zoom determines it serves a legitimate business purpose, even after you stop using the service. Data deletion requests may be limited by these retention exceptions.
How other platforms handle this
We retain personal data for as long as necessary to fulfill the purposes for which it was collected, including to satisfy any legal, accounting, or reporting requirements, to resolve disputes, and to enforce our agreements. The criteria used to determine our retention periods include: the length of ...
We may retain de-identified or aggregated information that can no longer be used to identify you for any period of time, including indefinitely.
We retain personal information for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements, or as otherwise permitted or required by applicable law.
Monitoring
Zoom has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"Zoom retains personal data for as long as needed to provide services and fulfill the purposes described in this privacy statement, unless a longer retention period is required by law. We may retain certain information for legitimate business purposes, such as fraud prevention, legal compliance, and resolving disputes.— Excerpt from Zoom's Zoom Privacy Statement
REGULATORY LANDSCAPE: This provision engages GDPR's data minimization and storage limitation principles under Article 5(1)(c) and (e), which require that personal data be kept no longer than necessary. CCPA deletion rights may be subject to the exceptions stated in this provision. Sector-specific retention requirements may also apply for healthcare or financial services contexts. GOVERNANCE EXPOSURE: Medium. The open-ended retention language combined with broad legitimate business purpose exceptions may create tension with GDPR storage limitation requirements. Organizations acting as data controllers using Zoom as a processor should specify retention periods in their DPA rather than relying on Zoom's general policy language. JURISDICTION FLAGS: EU and UK users have the strongest grounds to challenge open-ended retention under GDPR Article 17 (right to erasure). California residents' deletion rights under CCPA are subject to the same exceptions noted in this provision. CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers should negotiate specific data retention and deletion schedules in their Zoom Data Processing Agreements, particularly for meeting content, transcripts, and recordings. Relying solely on Zoom's general policy language may be insufficient for GDPR compliance. COMPLIANCE CONSIDERATIONS: Organizations should map Zoom-held data categories to their own retention schedules and request confirmation from Zoom of actual retention periods for each data category. Deletion workflows should be tested to confirm that Zoom's legitimate business purpose exceptions do not result in indefinite retention of personal data subject to deletion requests.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision establishes that Zoom does not commit to a fixed retention period for most personal data, instead tying retention to service needs and legal requirements. The carve-out for legitimate business purposes means some data may be retained beyond the period you actively use the service.
Personal data including account information, usage data, and potentially meeting content may be retained by Zoom indefinitely as long as Zoom determines it serves a legitimate business purpose, even after you stop using the service. Data deletion requests may be limited by these retention exceptions.
ConductAtlas has identified this type of provision across 15 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Zoom.