How to fix: Retention statement present

GDPR Art. 5(1)(e)

Why this matters

GDPR's storage-limitation principle says you must not keep personal data longer than needed. The privacy policy has to state how long; a vague 'as long as necessary' isn't enough.

Background

GDPR requires that personal data be kept no longer than necessary for the purposes for which it was collected. Your privacy policy must state the retention period for each category of data (e.g. 'account data: until account deletion + 6 years for accounting records').

References

GDPR Art. 5(1)(e) — storage limitation

How to fix

Code snippet for each stack we cover. Pick the one matching your server / framework.

nginx: No server config; this is a content edit.
apache: Same.
cloudflare: Same.
wordpress: Edit the Privacy Policy. Add a 'How long we keep your data' section listing each data category, its retention period, and the legal/business reason.
flask: Same.
express: Same.
rails: Same.

Verify it's working

Search the privacy policy for 'retention' or 'how long we keep'. You should find a specific period for each data category.
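
The check above can be scripted against the policy's plain text. This is an added example, not code from this guide or its audit tool; it assumes the section lists one 'category: statement' entry per line, and the function name, regexes and sample policy are constructed for illustration.

```python
import re

# Phrases the guide says to search for when locating the section.
SECTION_RE = re.compile(r"retention|how long we keep", re.IGNORECASE)
# A concrete period: a number plus a time unit, or an explicit end event.
PERIOD_RE = re.compile(
    r"\b\d+\s*(?:day|week|month|year)s?\b|\buntil\s+account\s+deletion\b",
    re.IGNORECASE,
)

# Constructed sample policy (not taken from any real site).
SAMPLE_POLICY = """\
Privacy Policy

How long we keep your data
Account data: until account deletion + 6 years for accounting records
Support tickets: 24 months after the ticket is closed
Marketing data: as long as necessary

Your rights
You can request access to your data at any time.
"""


def check_retention(policy_text):
    """Find the retention section and classify each 'category: statement' line."""
    result = {"section_found": False, "specific": [], "unspecific": [], "ok": False}
    lines = policy_text.splitlines()
    start = next((i for i, ln in enumerate(lines) if SECTION_RE.search(ln)), None)
    if start is None:
        return result
    result["section_found"] = True
    for line in lines[start + 1:]:
        if not line.strip():
            continue  # tolerate blank lines inside the section
        category, sep, statement = line.partition(":")
        if not sep:
            break  # first non-entry line (e.g. the next heading) ends the section
        bucket = "specific" if PERIOD_RE.search(statement) else "unspecific"
        result[bucket].append(category.strip())
    # Pass only if every listed category states a concrete period.
    result["ok"] = bool(result["specific"]) and not result["unspecific"]
    return result


if __name__ == "__main__":
    print(check_retention(SAMPLE_POLICY))
```

On the sample, 'Marketing data' is reported as unspecific because 'as long as necessary' names no period, so the policy fails the check.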
