If you interact with a product or service built by an Anyscale customer on top of the Anyscale platform, your data is governed by that customer's privacy policy, not this one. Anyscale is not responsible for how its customers handle your data.
This analysis describes what Anyscale's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This carve-out means that if you are an end user of a business that uses Anyscale's infrastructure, your data rights must be exercised with that business directly, not with Anyscale. Anyscale will not process your rights requests for data it holds on behalf of its customers.
End users of businesses built on the Anyscale platform may not be able to exercise data rights directly against Anyscale for data processed under the Platform Agreement. Rights requests for such data must be directed to the customer organization that collected the data.
Cross-platform context
See how other platforms handle Customer Data Carve-Out and similar clauses.
Compare across platforms →Monitoring
Anyscale has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"This Privacy Notice does not apply to (i) Customer Data (as defined in the Platform Agreement); or (ii) any products, services, websites, or content that are offered by third parties or that have their own privacy notice. Our Customers' respective privacy policies govern their collection and use of Customer Data. Any questions or requests relating to Customer Data should be directed to our customer.— Excerpt from Anyscale's Anyscale Privacy Policy
REGULATORY LANDSCAPE: This provision reflects the controller/processor distinction under GDPR, where Anyscale operates as a data processor for its business customers who are data controllers. Under GDPR, data subjects must exercise their Article 15-22 rights against the data controller (the Customer), not the processor (Anyscale). Under CCPA/CPRA, a similar service provider distinction applies. The FTC's oversight of deceptive practices is relevant if the carve-out is not clearly communicated to end users. GOVERNANCE EXPOSURE: Medium. The carve-out is structurally appropriate for a B2B platform provider, but creates risk if end users of Anyscale-powered products are unaware that their rights must be directed to the Customer. If a Customer fails to maintain an adequate privacy policy or respond to data subject requests, end users may have no practical recourse against either party. JURISDICTION FLAGS: EU/EEA data subjects have strong GDPR rights against data controllers, and failure by a Customer to honor those rights could implicate both the Customer and, in some interpretations, Anyscale as processor. UK GDPR and Swiss data protection law create similar obligations. California's CPRA service provider framework requires documented data processing agreements between Anyscale and its Customers. CONTRACT AND VENDOR IMPLICATIONS: Organizations using Anyscale as a platform vendor must ensure their own privacy policies accurately describe data processing occurring on the Anyscale platform and that their DPA with Anyscale includes appropriate sub-processing disclosures, data subject rights assistance obligations, and breach notification procedures. COMPLIANCE CONSIDERATIONS: Procurement teams should review the Platform Agreement to confirm it functions as a GDPR-compliant data processing agreement and includes Standard Contractual Clauses or DPF-based transfer mechanisms. Customers should conduct data mapping exercises to identify what categories of end-user data flow through Anyscale's infrastructure and ensure their privacy notices accurately reflect this processing.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This carve-out means that if you are an end user of a business that uses Anyscale's infrastructure, your data rights must be exercised with that business directly, not with Anyscale. Anyscale will not process your rights requests for data it holds on behalf of its customers.
End users of businesses built on the Anyscale platform may not be able to exercise data rights directly against Anyscale for data processed under the Platform Agreement. Rights requests for such data must be directed to the customer organization that collected the data.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Anyscale.