If you live outside the US, your personal data will be sent to and stored in the United States, where privacy laws may offer less protection than in your home country.
This analysis describes what Medium's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Users in the EU and other countries with strong data protection laws should be aware that their data is transferred to a jurisdiction where equivalent legal protections may not apply, which affects what remedies are available if data is mishandled.
Interpretive note: The policy does not specify which GDPR-compliant transfer mechanism Medium relies upon, creating uncertainty about the adequacy of the legal basis for EU data transfers.
This provision means that personal data collected from non-US users, including EU residents, is processed in the United States without a guarantee of equivalent legal protections, which may limit the practical enforceability of rights granted under laws like GDPR.
How other platforms handle this
Where required by law, we provide adequate protection for the transfer of personal data in accordance with applicable law, such as by obtaining your consent, relying on the European Commission's adequacy decisions, or executing Standard Contractual Clauses. Where relevant, you may request a copy of ...
Customer authorized Mistral AI to transfer Personal Data to any country deemed to have an adequate level of data protection by the European Commission. Customer also authorizes Mistral AI to perform International Data Transfers to (a) on the basis of adequate safeguards in accordance with Applicable...
Personal data collected by Unity may be transferred to and processed in countries outside of the European Economic Area, including the United States, where data protection laws may differ from those in your country. Where we transfer personal data from the EEA or the UK, we rely on appropriate safeg...
Monitoring
Medium has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"Medium is headquartered in the United States, and we have operations and service providers in the United States and throughout the world. If you are located outside of the United States, please be aware that information we collect, including personal data, will be transferred to, and processed, stored, and used in the United States and other jurisdictions. Data protection laws in the United States and other jurisdictions may differ from those in your country of residence.— Excerpt from Medium's Medium Privacy Policy
REGULATORY LANDSCAPE: This provision directly engages GDPR Chapter V, which governs transfers of personal data to third countries. Following the Court of Justice of the EU's Schrems II decision, transfers to the United States require either an adequacy decision, standard contractual clauses (SCCs), or another valid transfer mechanism. The policy does not specify which transfer mechanism Medium relies upon, which may require evaluation under GDPR Article 46. Enforcement authority rests with EU data protection authorities and national supervisory authorities in each EU member state. GOVERNANCE EXPOSURE: High for EU/EEA-based users and organizations. The absence of explicit disclosure of the transfer mechanism used (SCCs, adequacy decision, binding corporate rules) creates compliance uncertainty. If Medium relies on SCCs, supplementary measures may be required depending on the sensitivity of the data transferred. JURISDICTION FLAGS: EU/EEA users face the highest exposure given GDPR Chapter V requirements. UK users post-Brexit are subject to UK GDPR, which has similar transfer requirements. Users in countries with national data localization requirements may face additional constraints not addressed by this provision. CONTRACT AND VENDOR IMPLICATIONS: B2B customers and enterprise accounts using Medium for publishing should assess whether their use of the platform triggers their own obligations as data controllers to ensure adequate transfer mechanisms are in place for any employee or customer data processed by Medium. COMPLIANCE CONSIDERATIONS: Legal teams should request clarification from Medium on the specific transfer mechanisms in use for EU/EEA data, and confirm that SCCs or other mechanisms are current and valid. Data mapping should identify categories of EU personal data transferred and assess proportionality. Any DPA with Medium should specify the applicable transfer mechanism.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Users in the EU and other countries with strong data protection laws should be aware that their data is transferred to a jurisdiction where equivalent legal protections may not apply, which affects what remedies are available if data is mishandled.
This provision means that personal data collected from non-US users, including EU residents, is processed in the United States without a guarantee of equivalent legal protections, which may limit the practical enforceability of rights granted under laws like GDPR.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Medium.