Even after the firestorm of criticism over Uber’s apparent lack of respect for passenger privacy during the past month, the popular ride-hailing company’s written privacy policy remains troubling.

The company reserves the right to use your routes, transaction, and demographic data in almost any way it chooses, and there isn’t much you can do about it. You can stop using the service and delete the app, but even then your data remains on the Uber servers.

From the company’s privacy policy:

“We will retain your Personal Information and Usage Information (including geo-location) for as long as your account with the Services is active and as needed to provide you services. Even after your account is terminated, we will retain your Personal Information and Usage Information (including geo-location, trip history, credit card information and transaction history) . . .”

There are some legitimate uses for this data, to be sure. In the policy, Uber says it’ll use your data to:

” . . . resolve disputes, conclude any activities related to cancellation of an account (such as addressing chargebacks from your credit card companies), investigate or prevent fraud and other inappropriate activity, to enforce our agreements, and for other business reasons.”

Fair enough, right? Well, it’s the “for other business reasons” part the lawyers threw in at the end that poses a problem. Just about anything the company does, including the infamous “God View” (a tool which allows employees to monitor riders in real time), could be justified by saying it was done for a business reason.

The other major problem here, as most privacy experts would tell you, is that there is no time clock mentioned in Uber’s statement. Companies should hold onto user data only for as long as they reasonably need it, and that finite period of time should be clearly communicated to customers.

Instead, Uber’s policy leaves things open-ended, allowing the company to hold onto user data indefinitely.

“After a period of time, your data may be anonymized and aggregated, and then may be held by us as long as necessary for us to provide our Services effectively, but our use of the anonymized data will be solely for analytic purposes,” the statement reads.

After a period of time? What period of time? Twenty minutes? Twenty years?

Another interesting legal question here is whether or not Uber can be required to share its “anonymized” route data with city officials. Taxi services are currently required to do this to prove that they are providing service to all parts of town equally — both sides of the tracks.

Despite the privacy flap over journalist tracking threats and the “God View” Uber’s business remains strong. The service has become available in 30 new cities in the past 30 days.

This comes after a week of challenges in major cities around the world. The district attorneys of Los Angeles and San Francisco each challenged Uber on its assurance to customers that it properly background-checks its drivers. Portland, Oregon has sued Uber for violating city codes. And in New Delhi India, the service was suspended after an Uber driver allegedly raped a passenger.