-
Affirm Privacy Policy
Added detailed privacy disclosures including data sharing with fraud prevention and identity verification providers; clarified GLBA regulatory status.
Why it matters: The updated policy establishes that Affirm qualifies as a financial institution under federal banking law, which may limit the applicability of state privacy laws to Affirm's core lending operations. The policy also newly discloses sharing of personal information with fraud prevention and identity verification providers, expanding transparency about third parties that receive consumer data.
-
ClickUp Privacy Policy
Replaced general privacy opt-out language with formal GDPR-aligned data subject rights framework including access, rectification, erasure, restriction, portability, objection, consent withdrawal, and
Why it matters: The updated policy formalizes ClickUp's recognition of data subject rights under GDPR and equivalent frameworks, providing users and regulators with explicit legal reference points for exercising control over personal data. Organizations that process customer data through ClickUp should verify the formalized rights are reflected in their DPAs and privacy notices to ensure compliance obligations are accurately stated.
-
Threads Privacy Policy
Removes AI support assistant references and data collection/sharing disclosures from privacy policy
Why it matters: The removal of explicit statements about AI training and data disclosure reduces the policy's stated transparency regarding how user data informs Meta's AI systems and which parties receive user information. Under GDPR and CCPA, privacy policies are required to clearly disclose data collection, processing purposes, and automated decision-making practices. The absence of these previously stated disclosures may create compliance ambiguity and complicates user understanding of how their data is used.
-
Gusto Privacy Policy
Expanded privacy policy scope to cover 401(k) and SEP IRA accounts; added Stripe as financial data collector; clarified when separate privacy notices apply.
Why it matters: The updated policy formally expands Gusto's privacy disclosures to cover retirement account management and establishes Stripe as a named financial data processor, requiring users to understand that bank data flows to Stripe under Stripe's terms. The restructured guidance on when separate notices apply (service provider, employer, co-employer contexts) clarifies governance boundaries, but also implies that different privacy rules may apply depending on the user's relationship to Gusto, which customers and users should verify. For organizations contracting with Gusto, these changes may require updates to vendor documentation, employee privacy notices, and data processing agreements.
-
Whatnot Privacy Policy
Redirects strategic seller disputes from California courts to mandatory arbitration under main Terms of Service
Why it matters: The updated terms eliminate the ability for sellers to litigate contract disputes in California courts and instead require all disputes to proceed through arbitration as defined in Whatnot's main Terms of Service. This change affects how sellers can seek remedies for breach of contract, payment disputes, or other claims, and likely reduces their access to discovery, jury trial, and appeal procedures available through traditional litigation. Additionally, the explicit definition of a 30-day programming/content gap as a material breach clarifies grounds for suspension or termination that previously may have been less defined.
-
AWS Service Terms
Adds database engine upgrade requirements and scanning rights for RDS extensions
Why it matters: The updated terms establish new customer obligations to manage database engine lifecycle and upgrade to supported versions, with AWS authorized to take unilateral action (delete instances) on unsupported software after notice. This creates operational risk for customers with legacy databases or limited maintenance resources, and shifts liability for extension-related failures from AWS to customers.
-
Bumble Privacy Policy
Adds privacy policy disclosure for BeePitched feature, processing names, phone numbers, and photos in user-generated pitch content.
Why it matters: The updated terms establish that BeePitched processes personal data from users and non-users, including names, phone numbers, and photos, in a feature that enables shared profiles about individuals. The disclosure describes what data is collected and how it is used, which addresses transparency requirements under privacy frameworks like GDPR and CCPA. However, the disclosure does not explicitly describe consent mechanisms, user rights, or controls to opt out of being featured, which may create compliance gaps depending on jurisdiction.
-
SoFi Privacy Notice
Expanded tracking disclosures and shifted consent from opt-in to opt-out for pixels, cookies, and ad partner data sharing
Why it matters: The updated terms establish a material change in how SoFi collects consent for tracking technologies. The shift from opt-in to opt-out consent means users must now affirmatively decline tracking rather than affirmatively accept it. The explicit disclosure of data sharing with advertising partners provides clarity about downstream data destinations, but the opt-out consent structure may create compliance risk under CCPA/CPRA, which generally requires affirmative opt-in consent for nonessential tracking.