Privacy

Data Retention

The policies and practices governing how long personal data is stored before being deleted or anonymized.

Data retention refers to the policies and practices that determine how long personal data is kept before it is deleted or anonymized.

Key Principles

  • Data should only be retained for as long as necessary for its stated purpose (storage limitation)
  • Retention periods should be documented and communicated in the privacy policy
  • Automated deletion mechanisms should be implemented where possible
  • Legal or regulatory requirements may mandate minimum retention periods

Examples of Retention Periods

  • Session data: minutes to hours
  • API usage logs: 30–90 days
  • Financial records: 7–10 years (legal requirement)
  • User accounts: until the user requests deletion

GDPR Article 5(1)(e).

Related Terms

Storage LimitationPrivacy

Personal data should be kept only for as long as necessary for its stated purpose.

Right to ErasurePrivacy

The right to have your personal data deleted — also known as the "right to be forgotten."

AnonymizationPrivacy

The irreversible process of altering data so that individuals can no longer be identified, even indirectly.

Privacy PolicyCompliance

A public document that explains how an organisation collects, uses, stores, and shares personal data.

Data ProcessorData Subject