Your personal data may be transferred to the United States or other countries where privacy laws are less protective than where you live. MetaMask says it uses standard contractual clauses as a safeguard where legally required.
This analysis describes what MetaMask's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
For EU and UK users, data transferred to the US must be protected by appropriate legal mechanisms; while SCCs are an accepted GDPR transfer tool, their adequacy in practice depends on the specific supplementary measures implemented alongside them.
Interpretive note: The specific SCC modules used and whether supplementary measures have been implemented are not disclosed in the policy text, creating uncertainty about the adequacy of transfer protections in practice.
EU and UK users' personal data, including IP addresses and wallet addresses, may be transferred to the United States and stored there, subject to US law, with GDPR-required protections theoretically in place through standard contractual clauses.
How other platforms handle this
Customer authorized Mistral AI to transfer Personal Data to any country deemed to have an adequate level of data protection by the European Commission. Customer also authorizes Mistral AI to perform International Data Transfers to (a) on the basis of adequate safeguards in accordance with Applicable...
Personal data collected by Unity may be transferred to and processed in countries outside of the European Economic Area, including the United States, where data protection laws may differ from those in your country. Where we transfer personal data from the EEA or the UK, we rely on appropriate safeg...
When we transfer personal data outside the European Economic Area, United Kingdom, or Switzerland, we use appropriate safeguards, including Standard Contractual Clauses approved by the European Commission, to ensure your data is protected.
Monitoring
MetaMask has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"Consensys operates globally and may transfer your personal information to countries outside of your own, including to the United States, where data protection laws may differ from those in your country. Where required, we use appropriate safeguards such as standard contractual clauses to protect your personal information during such transfers.— Excerpt from MetaMask's MetaMask Privacy Policy
REGULATORY LANDSCAPE: GDPR Chapter V governs international transfers and requires either an adequacy decision, standard contractual clauses, or other approved mechanisms. The EU-US Data Privacy Framework (established 2023) may also be relevant if Consensys has self-certified. Following Schrems II, supplementary measures alongside SCCs are required where US surveillance laws create risk to EU data subject rights. UK GDPR has parallel transfer restriction requirements. GOVERNANCE EXPOSURE: Medium. SCC reliance is standard practice, but the adequacy of supplementary measures for financial data transfers is a recurring area of regulatory scrutiny. The Irish DPA and other EU supervisory authorities have ongoing enforcement interest in US-based technology companies' transfer mechanisms. JURISDICTION FLAGS: EU/EEA users face the most direct exposure. UK users face similar requirements under the UK GDPR's international transfer regime, including the UK's International Data Transfer Agreement. Users in other jurisdictions with cross-border transfer restrictions (e.g., Brazil, India) may also be affected. CONTRACT AND VENDOR IMPLICATIONS: Organizations processing EU employee data through MetaMask should verify that Consensys's SCC implementation includes appropriate supplementary measures, particularly given the financial and location data involved. Request transfer impact assessments from Consensys if available. COMPLIANCE CONSIDERATIONS: Compliance teams should confirm whether Consensys participates in the EU-US Data Privacy Framework, the specific SCC modules used (controller-to-controller or controller-to-processor), and whether a transfer impact assessment has been conducted for Infura's US-based processing of EU user data.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
For EU and UK users, data transferred to the US must be protected by appropriate legal mechanisms; while SCCs are an accepted GDPR transfer tool, their adequacy in practice depends on the specific supplementary measures implemented alongside them.
EU and UK users' personal data, including IP addresses and wallet addresses, may be transferred to the United States and stored there, subject to US law, with GDPR-required protections theoretically in place through standard contractual clauses.
ConductAtlas has identified this type of provision across 48 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by MetaMask.