If your threat model is "vendor willing to ignore contracts and laws to steal your data" I can't see how a zero-retention contract helps.