Instacart states that personal information collected from Canadian users may be transferred to and processed in the United States, where privacy laws differ from those in Canada.
This analysis describes what Instacart's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Canadian users' data may be subject to U.S. legal process and law enforcement access once transferred to the United States, and the protections available under Canadian law may not apply in full to data held in the U.S.
Interpretive note: The full text of the cross-border transfers section was not included in the provided document excerpt; the specific safeguards and mechanisms described in the section cannot be confirmed from the available text.
The policy discloses that personal information from Canadian users is transferred to the United States; Canadian residents should be aware that their data is processed in a jurisdiction with different privacy protections, and that Quebec Law 25 requires Instacart to conduct transfer impact assessments for such transfers.
How other platforms handle this
Your personal information may be transferred to, stored, and processed in the United States or other countries outside of your country of residence, which may have data protection laws that are different from those in your country.
Your personal information may be transferred to, stored, and processed in the United States or other countries where our service providers and partners operate. By using our Services, you acknowledge that your personal information may be transferred to countries outside your country of residence, in...
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
Monitoring
Instacart has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Cross-Border Transfers— Excerpt from Instacart's Instacart Privacy Policy
REGULATORY LANDSCAPE: Cross-border transfers of Canadian personal information to the United States engage Canada's PIPEDA and, for Quebec residents, Law 25 (formerly Bill 64). Law 25 requires organizations to conduct privacy impact assessments before transferring personal information outside Quebec and to implement contractual protections equivalent to those provided under Quebec law. PIPEDA requires comparable protection for information transferred to third parties. The Office of the Privacy Commissioner of Canada is the primary federal enforcement authority. GOVERNANCE EXPOSURE: Medium. Instacart's disclosure of U.S. processing of Canadian data creates an obligation to demonstrate that appropriate safeguards are in place. Quebec Law 25's transfer impact assessment requirement is operationally specific and requires documented analysis. JURISDICTION FLAGS: Quebec creates the highest compliance exposure due to Law 25's explicit transfer impact assessment and contractual protection requirements. British Columbia and Alberta have substantially similar provincial privacy laws (PIPA) that may impose comparable obligations. Cross-border transfer from Canada to the U.S. does not benefit from an adequacy framework equivalent to the EU-U.S. Data Privacy Framework. CONTRACT AND VENDOR IMPLICATIONS: Data processing agreements between Maplebear Canada Inc. and Maplebear Inc. (U.S.) should include contractual safeguards meeting PIPEDA and Law 25 standards. Vendor agreements with U.S.-based subprocessors handling Canadian data should be reviewed for adequacy of protective terms. COMPLIANCE CONSIDERATIONS: Legal teams should confirm that transfer impact assessments have been completed for Canadian data flows to the U.S.; review contractual terms between the Canadian and U.S. Instacart entities; ensure that the privacy policy's cross-border transfer disclosure meets Law 25's transparency requirements; and assess whether Canadian users' opt-out and access rights are technically operable for data held in U.S. systems.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Canadian users' data may be subject to U.S. legal process and law enforcement access once transferred to the United States, and the protections available under Canadian law may not apply in full to data held in the U.S.
The policy discloses that personal information from Canadian users is transferred to the United States; Canadian residents should be aware that their data is processed in a jurisdiction with different privacy protections, and that Quebec Law 25 requires Instacart to conduct transfer impact assessments for such transfers.
ConductAtlas has identified this type of provision across 83 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Instacart.