This analysis describes what Microsoft's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The clause establishes the geographic scope and legal mechanisms governing where user personal data may be processed. By referencing specific regulatory frameworks (DPF and SCCs), the provision defines the compliance structure Microsoft applies to international data transfers, which determines the legal protections applicable to data movement across jurisdictions.
The updated policy establishes additional grounds on which Microsoft may retain personal data. While the prior version tied retention to specific user expectations and available deletion controls, the revised language authorizes retention for 'operating our business, meeting our contractual and legal obligations, improving and developing our products and services, protecting the safety and security of our systems and customers, and resolving disputes.' This expands the stated purposes beyond transaction fulfillment and legal compliance. The updated policy directs users to product-specific documentation for retention details rather than providing explicit deletion procedures and timelines in the privacy statement itself.
View change record →The updated policy now grounds data retention in five broad business purposes: operating the business, meeting contractual and legal obligations, improving and developing products and services, protecting system and customer safety, and resolving disputes. Previously, the policy articulated specific criteria for determining retention periods, including customer expectations for retention until manual deletion, availability of automated deletion controls, and data sensitivity. The revised language removes these granular criteria and instead requires users to consult individual product documentation to understand when their specific data will be deleted. This shifts the burden of finding retention timelines from the main policy statement to separate product-specific documents.
View change record →The updated Privacy Statement removes previously stated language about additional rights available to European Economic Area users, narrowing the policy's explicit protections in that region. Simultaneously, the revised terms now explicitly authorize Microsoft to contact users via auto-dialer and prerecorded voice for marketing purposes, provided the user has consented to receive marketing communications to the phone number supplied. This establishes Microsoft's contractual permission to initiate automated marketing calls using artificial intelligence-generated voice technology where user consent to marketing contact has been given.
View change record →Users' personal data may be transferred to and processed in countries outside their origin jurisdiction, including the United States. The provision specifies that such transfers operate under designated legal frameworks (Data Privacy Framework agreements and Standard Contractual Clauses) that establish contractual and regulatory protections for cross-border processing.
How other platforms handle this
Roblox is based in the United States, and your personal information may be transferred to and processed in the United States or other countries where Roblox or its service providers operate. These countries may have data protection laws that differ from the laws of your home country. By using the Ro...
Uber operates globally and may transfer the personal data of drivers and delivery people to countries other than the country in which they reside. These countries may have different and less protective data protection laws than those of your country of residence. Uber uses standard contractual claus...
Shopify is a global business. We may transfer your personal information to countries other than the country in which it was originally collected, including to Canada and the United States where our servers are located. These countries may not have the same data protection laws as your country. When ...
Monitoring
Microsoft has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"Personal data collected by Microsoft may be stored and processed in the United States or any other country where Microsoft or its affiliates, subsidiaries, or service providers maintain facilities. Microsoft complies with applicable legal frameworks relating to the transfer of data across borders, including the EU-US Data Privacy Framework, the UK Extension to the EU-US DPF, and the Swiss-US DPF. For transfers of personal data from the European Economic Area, the United Kingdom, and Switzerland to countries that have not received an adequacy decision, we use Standard Contractual Clauses approved by the European Commission.— Excerpt from Microsoft's Microsoft Privacy Statement (Legacy)
ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The clause establishes the geographic scope and legal mechanisms governing where user personal data may be processed. By referencing specific regulatory frameworks (DPF and SCCs), the provision defines the compliance structure Microsoft applies to international data transfers, which determines the legal protections applicable to data movement across jurisdictions.
Users' personal data may be transferred to and processed in countries outside their origin jurisdiction, including the United States. The provision specifies that such transfers operate under designated legal frameworks (Data Privacy Framework agreements and Standard Contractual Clauses) that establish contractual and regulatory protections for cross-border processing.
ConductAtlas has identified this type of provision across 79 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Microsoft.