What specific account data does Proton retain and how long is it stored?
Executive summary
Proton retains a narrow set of account metadata needed to operate its services (message counts, storage usage, last login times), temporary verification data for anti-spam and security purposes, limited payment traces (the last four card digits), and service-specific encrypted content that Proton cannot decrypt. Some deletion windows, most notably for inactive free accounts and over-quota accounts, are explicit; many other retention periods are governed by admin rules, legal requirements or “legitimate interests” and are not published as fixed timelines [1] [2] [3] [4]. Organizational customers can set their own retention rules, and Proton’s inactive-account and over-quota policies provide the clearest fixed timelines: typically 12 months for free inactive accounts and for unresolved over-quota situations [5] [4] [6].
1. What account-level metadata Proton explicitly retains
Proton states it retains non-content account activity records such as the number of messages sent, total number of messages, amount of storage used, and last login time; these are the service-level metadata Proton can access even when message content is end-to-end encrypted [1]. For Proton Pass the company reiterates that account activity exists but that the stored credentials, passwords and notes are end-to-end encrypted and not technically accessible to Proton [7]. The privacy sub-policies make clear that metadata and operational records are processed to run the service and are not used for advertising [1].
2. Temporary verification and anti-abuse data
When verification is required—during signup or sensitive operations—Proton may collect and temporarily store IP addresses, email addresses and phone numbers to send verification codes or for anti-spam/anti-brute-force measures; the policy ties the retention length of these items to Proton’s “legitimate interests” and applicable Swiss legal requirements, rather than publishing fixed durations [2]. The privacy policy therefore signals purpose-limited temporary retention rather than an indefinite archive for these verification artifacts [2].
3. Payment and billing traces
Payment-related processing deliberately minimizes retained card data: Proton says it does not retain full credit card details and keeps only the last four digits, while transactional records and account-linked payment data are used for billing and service notices [3]. This is consistent with Proton’s stated design principle of collecting as little personal data as possible for payment processing [3].
4. Encrypted user content and Proton’s access limits
Content stored in Proton Mail, Proton Drive, and Proton Pass is held encrypted on servers in Switzerland, Germany or Norway, and Proton emphasizes that it does not have the technical ability to decrypt end-to-end encrypted content; for Proton Pass specifically, credentials and notes are end-to-end encrypted and Proton cannot decrypt them [1] [7]. That limits the actionable account data Proton can retain for encrypted channels to metadata and service logs rather than message contents [1] [7].
5. Retention controls for organizations and admins’ authority
For organization accounts Proton provides retention rules that let admins decide how long to keep emails and when to automatically delete them; admins can set different timelines (including indefinitely) per user or group, and rules apply to private members within an organization as well [5]. This places substantive retention control in the hands of organization administrators rather than Proton’s default settings [5].
6. Clear deletion windows: inactivity and exceeding free limits
Proton’s clearest public retention timelines are operational policies: free accounts that are inactive for one year (12 consecutive months) may be deleted along with their associated data, with a transitional extended grace period for accounts created before April 9, 2024; similarly, free accounts that exceed Mail or Drive storage limits face data deletion if the situation remains unresolved after 12 months [4] [6]. The Terms of Service reiterate Proton’s right to suspend or delete free accounts under this policy [8]. Independent reporting has also noted that Proton will not delete accounts that ever had a paid subscription, a practical exemption users have cited [9].
7. What remains unclear or governed by policy language
Several retention durations are described functionally rather than numerically: the “temporary” retention of verification data, the lifecycle of offline encrypted backups, and many product-specific processing timelines are tied to legal, security or “legitimate interests” criteria rather than fixed dates in the public docs, so precise timelines cannot be confirmed from Proton’s published policies alone [2] [1] [7]. Among what is published, the clearest user-visible retention rules are the inactive-account and over-quota 12-month thresholds and the admin-configurable organization retention rules [4] [6] [5].