Data Sharing with Business Partners and Third Parties

What it is

Grammarly shares your personal data with outside companies that help run its services, as well as with business partners for joint marketing or co-branded offerings.

Why it matters (compliance & governance perspective)

Your account information and usage data may reach a range of third parties beyond Grammarly itself, including companies involved in analytics, hosting, marketing, and business partnerships, expanding the number of entities that hold your data.

Consumer impact (what this means for users)

Personal data including account details and usage information may be shared with Grammarly's service providers and business partners, and the term 'business partners' is not exhaustively defined in the policy, creating some uncertainty about the full scope of third-party recipients.

What you can do

Institutional analysis (Compliance & governance intelligence)

REGULATORY LANDSCAPE: GDPR Articles 13 and 14 require disclosure of recipients or categories of recipients of personal data; the use of a broad 'business partners' category without specific enumeration may create tension with transparency requirements. CCPA and CPRA require disclosure of categories of third parties to whom personal information is disclosed and may treat certain sharing arrangements as 'sale' or 'sharing' requiring opt-out mechanisms. The FTC Act's prohibition on unfair or deceptive practices is also relevant if sharing practices differ materially from disclosures. GOVERNANCE EXPOSURE: Medium. The breadth of the 'business partners' category creates moderate compliance exposure, particularly under CPRA, where sharing personal information with third parties for cross-context behavioral advertising requires a clear opt-out mechanism. The policy does not specify all categories of business partners, which may complicate records of processing activities and vendor management. JURISDICTION FLAGS: California users have the most specific statutory rights, including the right to know the categories of third parties receiving their data and the right to opt out of sharing under CPRA. EEA users have GDPR-based rights to detailed disclosure of recipients. Organizations in regulated industries should assess whether data flows to business partners are compatible with sector-specific confidentiality obligations. CONTRACT AND VENDOR IMPLICATIONS: Procurement and legal teams should request a current list of sub-processors and business partners from Grammarly, particularly for enterprise deployments. Data processing agreements should include provisions governing onward transfers to business partners and require equivalent data protection standards. This provision may trigger data transfer impact assessments for EEA users. COMPLIANCE CONSIDERATIONS: Organizations should map what user data categories flow to Grammarly and assess whether those flows are compatible with their own privacy notices and consents. Updates to records of processing activities and data flow maps may be required. Privacy teams should verify that Grammarly's opt-out mechanisms for data sharing are functional and compliant with applicable state law requirements.

Applicable agencies

Applicable regulations

Provision details

Other risks in this policy

• User Content Used for AI Model Training high
• Corporate Transaction Data Transfer medium
• California Resident Rights and Opt-Out of Sale or Sharing medium
• EEA and UK User Rights under GDPR medium
• Age Restriction and Children's Data medium
• Cross-Border Data Transfers medium

Related Analysis

• Meta Removed 438 Sentences From Its Privacy Policy. Here Is What Disappeared.

  ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.

• 23andMe Is Bankrupt. What Happens to Your DNA Now?

  Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.