This provision establishes Salesforce's legal framework for cross-border data transfers from European jurisdictions to the United States, creating accountability mechanisms through DPF certification that include liability for onward transfers to third parties. The certification satisfies regulatory requirements under EU and UK data protection law that would otherwise restrict such transfers.
The clause establishes the scope of permissible data processing activities internal to the service, defining operational functions that rely on information collection and use within YouTube Kids' systems.
Replit
· Replit Privacy Policy
The absence of specific retention periods for different data categories means users cannot readily assess how long their code, prompts, usage data, or account information will be retained, which is relevant to data minimization requirements under GDPR.
Slack
· Slack Privacy Policy
This provision establishes the operational framework for data retention lifecycle management, distinguishing between Customer Data (subject to customer-directed retention controls) and Other Information (retained under Slack's discretionary criteria). The provision clarifies that retention obligations are conditioned on both contractual terms and applicable law, and that control mechanisms vary by service tier.
Because retention periods vary significantly by data type and product and are not fixed, users cannot determine with certainty how long specific categories of their personal data will be held by Microsoft.
Twilio
· Twilio Privacy Notice
The notice does not state specific retention periods for most categories of personal data, meaning data collected from website visits and marketing interactions may be retained for extended periods at Twilio's discretion.
Waze
· Waze Privacy Policy
This provision asserts a purpose-based retention standard without specifying concrete retention periods for particular data types such as location history or driving behavior records, which limits users' ability to assess how long their data is held.
Open-ended retention language means your data could be kept indefinitely for broad purposes including legal defense, which may conflict with data minimization principles under GDPR and similar frameworks.
This clause establishes the legal basis for Threads' data retention practices and defines the retention scope by functional utility rather than explicit time limits. It authorizes retention of both directly provided data and inferred usage information as long as service delivery requires it.
The absence of specific retention periods for most data categories means users cannot easily determine how long their personal information is held, limiting their ability to make informed decisions about their data.
Notion
· Notion Privacy Policy
The retention provision uses open-ended language ('as long as we reasonably need it') without specifying retention periods for different data categories, which creates uncertainty about how long specific types of data such as usage logs, deleted content, or account information are held.
The retention clause does not specify fixed retention periods for any category of personal data, which may engage GDPR's storage limitation principle requiring that data not be kept longer than necessary for the specified purpose; the absence of defined retention schedules may be a point of inquiry for EU and UK supervisory authorities.
Open-ended retention language keyed to business purpose rather than fixed time limits provides limited consumer visibility into how long specific data categories are retained, which is relevant to consumer deletion rights and data minimization obligations under applicable state privacy laws.
Medium
· Medium Privacy Policy
The absence of defined retention periods for specific data categories may present a compliance consideration under GDPR's storage limitation principle, which requires that personal data be kept no longer than necessary for the specified processing purpose.
This provision establishes Zendesk's stated data retention framework, which engages GDPR Article 5(1)(e) storage limitation requirements and equivalent principles under other regional frameworks, and is relevant for organizations assessing vendor data lifecycle management practices.
Cohere
· Cohere Privacy Policy
The absence of specific retention periods means personal data including submitted inputs, account data, and usage data may be retained indefinitely as long as the account is active or legal obligations require it, without a fixed deletion timeline.
Steam
· Steam Privacy Policy
The policy does not specify fixed retention periods for most data categories, meaning your data may be retained for extended periods based on Valve's internal assessments of operational and legal necessity.
The clause defines the operational framework governing data lifecycle management, establishing both the primary retention period (service delivery and policy purposes) and extended retention categories (legal and regulatory obligations). This structure creates distinct retention pathways based on regulatory status and business necessity rather than user discretion.
Gusto
· Gusto Privacy Policy
Without specific retention periods disclosed for sensitive data categories like SSNs and bank account information, users cannot easily assess how long their most sensitive data remains in Gusto's systems.
The policy does not specify fixed retention periods for most data categories, meaning data could be retained for extended periods based on broadly defined business needs, which affects the practical value of deletion rights.
The policy does not specify defined retention periods for most categories of personal data, instead relying on a purpose-based standard; this approach may require evaluation under GDPR's storage limitation principle and equivalent requirements in other jurisdictions.
Square
· Square Privacy Notice
Open-ended retention language means your data could be held indefinitely under broad regulatory compliance justifications, limiting the practical effectiveness of deletion requests.
The absence of specific retention periods means your personal data, including purchase history and financial information, may be held indefinitely under broad business or legal justifications.
The absence of specific retention periods makes it difficult for users to know how long their data is held, and GDPR requires organizations to define and communicate retention periods with greater specificity than this clause provides.
Knowing how long Afterpay retains your financial transaction history, account data, and behavioral information matters because longer retention periods mean your data remains available for use, sharing, or potential breach exposure for extended periods.
The absence of specific retention periods makes it difficult for users to know how long their prompts, images, and account data are stored, and creates compliance ambiguity under GDPR's data minimization and storage limitation principles.
Figma
· Figma Privacy Policy
The retention standard of 'as long as necessary' is broad and gives Figma significant discretion over how long your data, including design file content, is kept after you stop using the service.
Auth0
· Auth0 Privacy Policy
The absence of specific retention periods for most data categories means users cannot easily determine how long their information is kept or plan deletion requests around a known timeline.
This provision establishes Amplitude's data retention framework but does not specify retention periods for particular categories of data, which may be relevant to GDPR Article 5(1)(e)'s storage limitation principle and to CCPA/CPRA's data minimization requirements.
Okta
· Okta Privacy Policy
The absence of specific, published retention periods for different data categories may make it harder for individuals to understand how long their data is held and may create compliance questions under GDPR's data minimization and storage limitation principles.