The litigation hold carve-out means Squarespace may retain your data beyond the period you would expect or after you request deletion, and the retention periods are not specified with defined timeframes.
Open-ended retention periods tied to broadly defined purposes such as 'legal obligations' and 'enforcing agreements' may result in personal data being retained for extended periods without a clear maximum duration disclosed to consumers.
The policy does not specify fixed retention periods for different data categories, meaning personal data and submitted content could be retained for extended periods unless you actively request deletion.
Lyft
· Lyft Privacy Policy
This provision establishes the data retention framework by defining multiple legitimate bases for retaining personal information beyond the active service period, including compliance obligations and operational security functions that extend retention timelines.
The clause defines the operational framework for data lifecycle management, establishing that retention is conditioned on service delivery necessity and legal compliance rather than indefinite retention. This creates a structured basis for determining when personal information will be deleted from Wix systems.
GitHub
· GitHub Privacy Statement
The policy does not specify retention periods for individual data categories, stating instead that retention is based on necessity and legal obligation; this means users cannot determine from this document alone how long specific types of data will be held.
Chegg
· Chegg Privacy Policy
The absence of specific retention periods means Chegg may hold your personal data indefinitely under broad justifications, limiting users' ability to predict when their data will be deleted.
Open-ended retention criteria mean personal data may be kept for extended periods, and users cannot easily predict when their data will be deleted without submitting a specific deletion request.
Airbnb
· Airbnb Privacy Policy
The clause defines the operational scope and duration of data retention by tying retention periods to specific functional and legal purposes rather than establishing fixed time limits, which affects the duration and conditions under which personal information remains in Airbnb's systems.
The absence of specific retention periods for individual data categories, particularly voice recordings and voice models, creates potential tension with GDPR's data minimization and storage limitation principles, which require that retention periods be specified or determinable.
Open-ended retention language tied to 'business needs' and 'legal obligations' without specific retention periods means consumers have limited visibility into how long sensitive data such as location records, call logs, and financial information is actually stored.
Intuit
· Intuit Privacy Statement
Open-ended retention language tied to legal obligations and dispute resolution means sensitive financial data, including tax records and government identifiers, could be retained for extended periods without a specific deletion deadline.
This provision establishes the operational framework governing how long Ancestry maintains user data and the circumstances under which retention continues post-deletion. The clause creates exceptions to deletion requests based on legal requirements and specified business operations, which affects the scope and timeline of data removal.
Uber
· Uber Privacy Notice
The clause defines the operational scope and duration of data retention by linking retention periods to specific business and legal functions rather than establishing fixed time limits, which affects the company's data management obligations and compliance framework.
The clause establishes the operational framework for data retention periods, conditioning retention duration on three categories: service functionality, legal compliance obligations, and explicit notice to users. This structure creates multiple retention bases rather than a fixed retention window.
The clause establishes the operational data retention framework for a regulated financial services entity, which requires maintaining records beyond the active relationship period to satisfy compliance obligations. This multi-year retention structure reflects requirements imposed by financial regulatory frameworks.
This provision establishes the temporal scope and forms under which LinkedIn maintains user-generated and inferred data. The authorization to retain depersonalized or aggregated data creates a distinction between identifiable and non-identifiable data retention practices that may extend beyond active account status.
Upwork
· Upwork Privacy Policy
Users who close their Upwork accounts may assume their data is deleted, but the policy reserves the right to retain personal data for unspecified periods for broad business purposes, which can frustrate data deletion expectations.
This provision establishes that account closure does not result in immediate or complete deletion of personal data. The retention of data post-closure for undefined 'legitimate business purposes' introduces ambiguity regarding the specific categories of data retained, the duration of retention, and the uses to which retained data may be put.
Gusto
· Gusto Privacy Policy
The clause establishes that data retention obligations are determined by regulatory requirements rather than user preference, creating a structural limitation on data deletion capabilities within the service architecture.
The clause defines the data retention timeline and establishes operational procedures for post-account data management, affecting the duration of data persistence in Shopify's systems after merchant account relationships end.
This provision establishes that account closure does not necessarily result in immediate deletion of all user data, which is a material consideration for users seeking to exercise deletion rights and for compliance teams assessing storage limitation obligations under GDPR.
The clause establishes the operational basis for post-closure data retention, distinguishing between retention periods driven by service necessity versus those mandated by regulatory or legal requirements. This framework allocates responsibility for retention decisions between business operations and legal compliance obligations.
This provision states that account deactivation does not result in immediate data deletion, and that certain personal data may be retained beyond the 30-day period for legal compliance or legitimate business purposes, which affects the practical scope of users' right to erasure.
Hinge
· Hinge Privacy Policy
Users who delete their accounts expecting a clean break may not realize that interaction and safety-related data persists, which affects any right-to-erasure requests and means their history on the platform continues to influence enforcement decisions.
The clause establishes that data retention obligations and regulatory compliance requirements take precedence over account deletion requests, and clarifies that deletion requests are scoped to a single application account rather than comprehensive deletion across all State Farm customer records.
This provision establishes the operational scope of data deletion following account termination and creates categories of information exempt from deletion requirements. It establishes Meta's authority to maintain data retention practices based on legal, safety, security, and abuse prevention rationales.
GitHub
· GitHub Privacy Statement
The clause creates a framework where data retention extends beyond account deletion based on operational and legal necessity rather than account status alone. This operational approach reflects common compliance requirements across multiple regulatory regimes and contractual enforcement needs.
Tinder
· Tinder Privacy Policy
Users who delete their accounts expecting their data to be erased may be surprised to learn that Tinder retains personal information, potentially including sensitive data, for up to five years, which may conflict with users' expectations and rights in some jurisdictions.
The clause operationalizes account deletion procedures while establishing exceptions that preserve data in backup infrastructure and under legal retention obligations, creating a tiered deletion timeline rather than immediate purge across all systems.