Figma
· Figma Privacy Policy
The retention standard of 'as long as necessary' is broad and gives Figma significant discretion over how long your data, including design file content, is kept after you stop using the service.
Acorns
· Acorns Privacy Policy
The retention standard stated in this provision is broadly defined by reference to service necessity, legal obligations, dispute resolution, and agreement enforcement, without specifying maximum retention periods for particular data categories, which may create compliance ambiguity under regulations that impose specific retention period requirements or data minimization obligations.
Square
· Square Privacy Notice
Open-ended retention language means your data could be held indefinitely under broad regulatory compliance justifications, limiting the practical effectiveness of deletion requests.
This provision establishes a purpose-based retention framework without specifying fixed retention periods for different data categories, which may affect compliance with GDPR storage limitation requirements and user ability to predict how long their data is held.
The absence of specific retention periods for most data categories means consumers have limited visibility into how long their purchase history, location data, and behavioral profiles are kept, which affects the practical scope of deletion rights.
The policy does not specify fixed retention periods for individual data categories, instead relying on a purpose-based standard, which may make it difficult for consumers to know how long their data is held and may require evaluation under state laws that mandate retention period disclosures.
The policy does not specify defined retention periods for most categories of personal data, instead relying on a purpose-based standard; this approach may require evaluation under GDPR's storage limitation principle and equivalent requirements in other jurisdictions.
The absence of specific retention periods makes it difficult for users to know how long their prompts, images, and account data are stored, and creates compliance ambiguity under GDPR's data minimization and storage limitation principles.
Open-ended retention language means your data could be kept indefinitely for broad purposes including legal defense, which may conflict with data minimization principles under GDPR and similar frameworks.
Writer
· Writer Privacy Policy
The policy does not specify exact retention periods for each data category, meaning users cannot easily determine how long their content and account data will be held.
The policy does not specify fixed retention periods for different categories of data, which under GDPR requires that retention periods or criteria be communicated to users; the absence of specific timeframes creates ambiguity about how long learning and behavioral data is retained.
Notion
· Notion Privacy Policy
The retention provision uses open-ended language ('as long as we reasonably need it') without specifying retention periods for different data categories, which creates uncertainty about how long specific types of data such as usage logs, deleted content, or account information are held.
Replit
· Replit Privacy Policy
The absence of specific retention periods for different data categories means users cannot readily assess how long their code, prompts, usage data, or account information will be retained, which is relevant to data minimization requirements under GDPR.
Brex
· Brex Privacy Policy
This retention framework engages GDPR storage limitation principles and CCPA/CPRA deletion right obligations, and the reference to regulatory and accounting requirements reflects Brex's financial services context where regulatory retention mandates may extend beyond standard privacy retention periods.
The absence of specific retention periods for most data categories means users cannot easily determine how long their personal information is held, limiting their ability to make informed decisions about their data.
The absence of specific retention periods means your personal data, including purchase history and financial information, may be held indefinitely under broad business or legal justifications.
Auth0
· Auth0 Privacy Policy
The absence of specific retention periods for most data categories means users cannot easily determine how long their information is kept or plan deletion requests around a known timeline.
Affirm
· Affirm Privacy Policy
An open-ended retention standard without specific timelines means your financial and behavioral data may be retained indefinitely unless you affirmatively request deletion.
Okta
· Okta Privacy Policy
The absence of specific, published retention periods for different data categories may make it harder for individuals to understand how long their data is held and may create compliance questions under GDPR's data minimization and storage limitation principles.
Cohere
· Cohere Privacy Policy
The absence of specific retention periods means personal data including submitted inputs, account data, and usage data may be retained indefinitely as long as the account is active or legal obligations require it, without a fixed deletion timeline.
The policy does not specify fixed retention periods for most data categories, meaning data could be retained for extended periods based on broadly defined business needs, which affects the practical value of deletion rights.
Twilio
· Twilio Privacy Notice
The notice does not state specific retention periods for most categories of personal data, meaning data collected from website visits and marketing interactions may be retained for extended periods at Twilio's discretion.
Waze
· Waze Privacy Policy
This provision asserts a purpose-based retention standard without specifying concrete retention periods for particular data types such as location history or driving behavior records, which limits users' ability to assess how long their data is held.
Retention periods for financial and identity data are often long due to regulatory requirements in the payments sector, and understanding how long data is held affects the practical utility of deletion requests.
This provision establishes Zendesk's stated data retention framework, which engages GDPR Article 5(1)(e) storage limitation requirements and equivalent principles under other regional frameworks, and is relevant for organizations assessing vendor data lifecycle management practices.
Without specific retention periods stated in the policy, users cannot easily determine how long their prompt data, account information, or behavioral data will be stored, which limits their ability to manage their own data lifecycle.
Without specific retention timeframes, it is difficult to know how long your data will be held, and the open-ended criteria could mean data is retained for extended periods beyond what users might reasonably expect.
The policy does not specify fixed retention periods for individual data categories, instead relying on purpose-based retention criteria; this approach is consistent with GDPR storage limitation principles but may limit users' ability to predict when their data will be deleted.
This provision establishes a purpose-based and legally required retention framework without specifying concrete retention periods for any category of personal data. The absence of defined retention timelines may complicate data subject deletion requests and may require evaluation under GDPR's storage limitation principle, which requires that data not be kept longer than necessary.
This provision establishes Amplitude's data retention framework but does not specify retention periods for particular categories of data, which may be relevant to GDPR Article 5(1)(e)'s storage limitation principle and to CCPA/CPRA's data minimization requirements.