Track 1 platform and get the weekly governance digest. No credit card required.
This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology
This document establishes Databricks' privacy practices for personal data collected from website visitors, event attendees, job applicants, and service users. The notice authorizes the sharing of personal information including name, email, company, job title, device identifiers, and behavioral data with advertising partners and analytics providers for targeted marketing purposes. Individuals may submit requests to limit the sale or sharing of personal data for cross-context behavioral advertising through the designated OneTrust portal or website mechanism.
This document is Databricks' Privacy Notice governing the collection, use, disclosure, and retention of personal information by Databricks, Inc. and its affiliates across its websites, products, services, and marketing activities, with a stated legal basis rooted in legitimate interests, contractual necessity, consent, and compliance with applicable law depending on jurisdiction. The notice states that Databricks collects categories of personal data including identifiers, professional and employment information, usage and technical data, inference data, and sensitive personal information such as Social Security numbers in limited employment contexts; the terms authorize sharing this data with service providers, business partners, affiliates, and third parties for advertising and analytics purposes, and permit cross-context behavioral advertising subject to opt-out rights. A notable operational distinction is the explicit carve-out establishing that customer data processed through Databricks' platform products is governed separately by the applicable customer agreement and Data Processing Addendum rather than this notice, which meaningfully limits the notice's scope for enterprise platform users. The notice explicitly engages GDPR and the UK GDPR by identifying Databricks as a data controller for certain processing, referencing lawful bases and data subject rights including access, rectification, erasure, portability, and objection; it also engages the California Consumer Privacy Act as amended by CPRA, the Colorado Privacy Act, Connecticut Data Privacy Act, Texas Data Privacy and Security Act, Oregon Consumer Privacy Act, and several other US state privacy laws, with jurisdiction-specific rights sections and a do-not-sell or share opt-out mechanism. Material compliance considerations include the adequacy of Databricks' cross-border data transfer mechanisms from the EEA and UK, the sufficiency of consent for cookie-based advertising tracking, the handling of inference data as a distinct data category under CPRA, and the operationalization of state-specific universal opt-out signal recognition.
Institutional analysis available with Compliance
Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Compliance.
Start Compliance free trial2 important changes detected
3 versions captured · Last updated: June 2026
Explicitly discloses the collection and use of sophisticated profiling inferences derived from personal data, which was previously only obliquely referenced in behavioral advertising disclosures.
Provides transparency about routine sharing with service providers performing standard business functions, distinguishing this from advertising/analytics partner sharing.
New provision establishing notification procedures for material privacy policy changes, providing users with awareness mechanisms when updates occur.
Removal of explicit GDPR legal basis disclosure (legitimate interests) weakens transparency about the lawful grounds for processing under GDPR, potentially limiting user understanding of their protections.
Removal of the M&A data transfer provision eliminates disclosure about how personal data may be handled in business transactions, potentially leaving users unaware of data sharing in acquisition scenarios.
Simplified and streamlined the explanation of processor/controller distinction, removing the guidance to contact customers and focusing on the governing agreements (DPA added explicitly).
Replaced explicit mention of CCPA/CPRA compliance language and opt-out rights with more specific categorization of data types shared for behavioral advertising, removing state-specific legal framework references.
Expanded rights enumeration to include opt-out of sale/sharing, targeted advertising, and automated decision-making/profiling, while removing the specific instruction to contact privacy@databricks.com and use the privacy portal.
Added specific examples of collected data (IP address, browser type, OS, referral URL, email interaction data) while removing language about cookie preference center and user control mechanisms.
Restructured for clarity by separating general transfer statement from specific EEA/UK/Switzerland protections; simplified language and removed incomplete sentence about 'approved by the'.
1 provision unchanged.
View full change record →Monitoring
Databricks has updated this document before.
Monitor includes same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
Compliance Governance Intelligence
Need provision-level monitoring and regulatory mapping?
Compliance includes governance timelines, compliance memos, audit-ready analysis, and full provision tracking.
Start Compliance free trialCross-platform context
See how other platforms handle AI and ML Model Training Use of Personal Data and similar clauses.
Compare across platforms →Governance Monitoring
Structured alerts for policy changes, governance events, and provision updates across 318+ platforms.