Data retention periods are disclosed in the privacy policy
Why it matters
GDPR Art. 13(2)(a) requires disclosure of 'the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period.' Without a retention disclosure, every EU user your app collects data from is covered by an incomplete privacy notice — a regulatory gap that multiplies with each new user. Beyond GDPR, App Store Connect and Google Play Console both require a live, accessible privacy policy URL before you can submit — a policy that exists but is incomplete can still cause the submission to fail.
Severity rationale
Low, because a missing retention disclosure is a regulatory gap that creates legal risk at scale but does not enable direct data exfiltration or account compromise.
Remediation
Add specific retention periods to your privacy policy for each data type your app collects. Concrete language:
- 'Account data is retained until you delete your account, after which it is permanently deleted within 30 days.'
- 'Crash reports are retained for 90 days.'
- 'Analytics data is retained for 24 months.'
For GDPR, include retention periods in the 'Data We Collect' section, one per data category. Verify the privacy policy URL is live and resolves before submission — App Store Connect → App Information → Privacy Policy URL validation checks the URL. Cross-reference the stated timeframes against your actual deletion implementation to ensure they are consistent.
Detection
- ID: data-retention-disclosure
- Severity: low
- What to look for: Count all relevant instances and enumerate each. Check the privacy policy file (privacy-policy.md, PRIVACY.md, docs/legal/privacy.md, or any file with "privacy" in the name). Search for retention language: "retain", "retention", "how long we keep", "data deletion", "storage period". Verify: (a) a specific retention period is stated for at least the primary data types collected (account data, usage logs, crash reports); (b) the stated period is reasonable and consistent with the app's actual deletion implementation (cross-reference with the deletion API check); (c) for apps targeting EU users, GDPR requires disclosure of retention periods for each data category. Also look for any time-based deletion logic in the codebase: created_at < NOW() - INTERVAL '90 days' queries, cron jobs with log rotation, scheduled Edge Functions. Flag if no privacy policy file is found at all (a separate issue from retention disclosure).
- Pass criteria: Privacy policy exists and includes specific retention periods for the main categories of collected data. At least 1 implementation must be verified. Stated retention is consistent with the deletion implementation.
- Fail criteria: Not applicable — this is a low-severity check. Result is pass, fail (with detail), or skip. Fail if no privacy policy file exists at all, or if the policy has no retention language for an app that clearly collects data.
- Skip (N/A) when: App collects no user data and has no analytics, no auth, no PII collection of any kind.
- Detail on fail: "No privacy policy file found in repository — privacy URL is required in App Store Connect and Google Play Console before submission" or "Privacy policy found at PRIVACY.md but contains no data retention periods — GDPR requires disclosure of how long each data type is retained"
- Remediation: A privacy policy is required by both Apple and Google for any app that collects data.
  - Include specific retention periods for each data type:
    - "Account data is retained until you delete your account, after which it is permanently deleted within 30 days."
    - "Crash reports are retained for 90 days."
    - "Analytics data is retained for 24 months."
  - Make the privacy policy URL live and accessible before submitting — App Store Connect validation checks that the URL resolves
  - For GDPR, include retention periods for every data category in the "Data We Collect" section
  - Review the configuration in the src/ or app/ directory for implementation patterns.
- Cross-reference: For related patterns and deeper analysis, see the corresponding checks in other AuditBuffet audits covering this domain.
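The detection steps above (locate a privacy policy file, search it for retention language and stated periods, look for time-based deletion logic in the codebase, and compare the two) can be automated. The following scanner is an added example written for this page, not AuditBuffet's own tooling; the directory layout, file names, policy text and SQL cleanup job it builds in run_sample() are constructed for illustration, and the keyword list and regexes are assumptions about what retention language and deletion logic look like in a typical repository.

```python
"""Repository scanner for the data-retention-disclosure check (added example)."""
import os
import re
import tempfile

# Retention language the check tells the auditor to search for.
RETENTION_KEYWORDS = ("retain", "retention", "how long we keep", "data deletion", "storage period")
# "30 days", "24 months", "1 year" -> (number, unit)
PERIOD_RE = re.compile(r"\b(\d+)\s*(day|week|month|year)s?\b", re.IGNORECASE)
# SQL interval literals such as INTERVAL '90 days' used in time-based deletion queries.
SQL_INTERVAL_RE = re.compile(r"INTERVAL\s*'(\d+)\s*(day|week|month|year)s?'", re.IGNORECASE)
CODE_EXTENSIONS = {".sql", ".py", ".ts", ".js", ".go", ".rb", ".sh"}
SKIP_DIRS = {".git", "node_modules", "venv", "__pycache__"}
UNIT_DAYS = {"day": 1, "week": 7, "month": 30, "year": 365}  # assumed normalisation


def to_days(n, unit):
    return int(n) * UNIT_DAYS[unit.lower()]


def walk_files(root):
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            yield os.path.join(dirpath, name)


def find_privacy_files(root):
    """Any file with "privacy" in its name, as the check specifies."""
    return sorted(p for p in walk_files(root) if "privacy" in os.path.basename(p).lower())


def extract_retention_periods(text):
    """Retention periods (normalised to days) stated in sentences that contain retention language."""
    periods = set()
    for sentence in re.split(r"(?<=[.!?])\s+", text):
        if any(k in sentence.lower() for k in RETENTION_KEYWORDS):
            periods.update(to_days(n, u) for n, u in PERIOD_RE.findall(sentence))
    return periods


def find_deletion_intervals(root):
    """Map each deletion interval found in code files (in days) to the files that use it."""
    found = {}
    for path in walk_files(root):
        if os.path.splitext(path)[1].lower() not in CODE_EXTENSIONS:
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            for n, unit in SQL_INTERVAL_RE.findall(fh.read()):
                found.setdefault(to_days(n, unit), []).append(os.path.relpath(path, root))
    return found


def evaluate(root, collects_data=True):
    """Return {"result": pass|fail|skip, "detail": ...} following the check's criteria."""
    if not collects_data:
        return {"result": "skip", "detail": "App collects no user data"}
    policies = find_privacy_files(root)
    if not policies:
        return {"result": "fail", "detail": "No privacy policy file found in repository: privacy URL is "
                "required in App Store Connect and Google Play Console before submission"}
    stated = set()
    for path in policies:
        with open(path, encoding="utf-8", errors="replace") as fh:
            stated |= extract_retention_periods(fh.read())
    rel = ", ".join(os.path.relpath(p, root) for p in policies)
    if not stated:
        return {"result": "fail", "detail": f"Privacy policy found at {rel} but contains no data "
                "retention periods: GDPR requires disclosure of how long each data type is retained"}
    code = find_deletion_intervals(root)
    # Consistency: every interval the deletion implementation uses should be disclosed in the policy.
    undisclosed = {d: files for d, files in code.items() if d not in stated}
    if undisclosed:
        problems = "; ".join(f"{d}-day interval in {', '.join(f)}" for d, f in sorted(undisclosed.items()))
        return {"result": "fail", "detail": f"Deletion logic uses {problems} but {rel} states no matching period",
                "stated_days": sorted(stated), "code_days": sorted(code)}
    return {"result": "pass", "detail": f"{rel} states {sorted(stated)} days; code deletes at {sorted(code)} days",
            "stated_days": sorted(stated), "code_days": sorted(code)}


# Constructed sample policy and cleanup job used to exercise the scanner.
SAMPLE_POLICY = """# Privacy Policy

## Data We Collect
Account data is retained until you delete your account, after which it is
permanently deleted within 30 days.
Crash reports are retained for 90 days.
Analytics data is retained for 24 months.
"""
SAMPLE_SQL = """-- scheduled cleanup job (constructed sample)
DELETE FROM crash_reports WHERE created_at < NOW() - INTERVAL '90 days';
DELETE FROM analytics_events WHERE created_at < NOW() - INTERVAL '24 months';
"""


def run_sample(scenario):
    """Build a throwaway sample repo for one scenario and evaluate it.
    Scenarios: consistent, no_policy, no_retention, undisclosed_interval."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "docs", "legal"))
        os.makedirs(os.path.join(root, "db"))
        if scenario != "no_policy":
            text = "# Privacy Policy\n\nWe collect account data.\n" if scenario == "no_retention" else SAMPLE_POLICY
            with open(os.path.join(root, "docs", "legal", "privacy.md"), "w", encoding="utf-8") as fh:
                fh.write(text)
        sql = SAMPLE_SQL
        if scenario == "undisclosed_interval":
            sql += "DELETE FROM audit_log WHERE created_at < NOW() - INTERVAL '180 days';\n"
        with open(os.path.join(root, "db", "cleanup.sql"), "w", encoding="utf-8") as fh:
            fh.write(sql)
        return evaluate(root)


if __name__ == "__main__":
    for scenario in ("consistent", "no_policy", "no_retention", "undisclosed_interval"):
        print(scenario, "->", run_sample(scenario))
```

Run it against a real checkout with evaluate("/path/to/repo"); the undisclosed_interval scenario shows why the check insists on cross-referencing the policy with the deletion implementation rather than only grepping the policy for keywords.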
External references
- gdpr · Art. 13(2)(a) — Period for which personal data will be stored must be disclosed
- gdpr · Art. 5(1)(e) — Storage limitation
- ccpa · §1798.100 — Right to know about personal information collected, including retention periods
Taxons
History
- 2026-04-18·v1.0.0·Initial import from app-store-privacy-data·automated