If you live outside the US, your personal data will be sent to and stored in the United States, where privacy laws may offer less protection than in your home country.
This analysis describes what Medium's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Users in the EU and other countries with strong data protection laws should be aware that their data is transferred to a jurisdiction where equivalent legal protections may not apply, which affects what remedies are available if data is mishandled.
Interpretive note: The policy does not specify which GDPR-compliant transfer mechanism Medium relies upon, creating uncertainty about the adequacy of the legal basis for EU data transfers.
This provision means that personal data collected from non-US users, including EU residents, is processed in the United States without a guarantee of equivalent legal protections, which may limit the practical enforceability of rights granted under laws like GDPR.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
We use information to enhance the quality, reliability, and/or accuracy of our AI Features by creating, developing, training, testing, improving, and maintaining AI and ML models run by Strava or our service providers. We use aggregated, de-identified data for this purpose. We also use personal info...
Monitoring
Medium has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Medium is headquartered in the United States, and we have operations and service providers in the United States and throughout the world. If you are located outside of the United States, please be aware that information we collect, including personal data, will be transferred to, and processed, stored, and used in the United States and other jurisdictions. Data protection laws in the United States and other jurisdictions may differ from those in your country of residence.— Excerpt from Medium's Medium Privacy Policy
REGULATORY LANDSCAPE: This provision directly engages GDPR Chapter V, which governs transfers of personal data to third countries. Following the Court of Justice of the EU's Schrems II decision, transfers to the United States require either an adequacy decision, standard contractual clauses (SCCs), or another valid transfer mechanism. The policy does not specify which transfer mechanism Medium relies upon, which may require evaluation under GDPR Article 46. Enforcement authority rests with EU data protection authorities and national supervisory authorities in each EU member state. GOVERNANCE EXPOSURE: High for EU/EEA-based users and organizations. The absence of explicit disclosure of the transfer mechanism used (SCCs, adequacy decision, binding corporate rules) creates compliance uncertainty. If Medium relies on SCCs, supplementary measures may be required depending on the sensitivity of the data transferred. JURISDICTION FLAGS: EU/EEA users face the highest exposure given GDPR Chapter V requirements. UK users post-Brexit are subject to UK GDPR, which has similar transfer requirements. Users in countries with national data localization requirements may face additional constraints not addressed by this provision. CONTRACT AND VENDOR IMPLICATIONS: B2B customers and enterprise accounts using Medium for publishing should assess whether their use of the platform triggers their own obligations as data controllers to ensure adequate transfer mechanisms are in place for any employee or customer data processed by Medium. COMPLIANCE CONSIDERATIONS: Legal teams should request clarification from Medium on the specific transfer mechanisms in use for EU/EEA data, and confirm that SCCs or other mechanisms are current and valid. Data mapping should identify categories of EU personal data transferred and assess proportionality. Any DPA with Medium should specify the applicable transfer mechanism.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Users in the EU and other countries with strong data protection laws should be aware that their data is transferred to a jurisdiction where equivalent legal protections may not apply, which affects what remedies are available if data is mishandled.
This provision means that personal data collected from non-US users, including EU residents, is processed in the United States without a guarantee of equivalent legal protections, which may limit the practical enforceability of rights granted under laws like GDPR.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Medium.