Microsoft shares your personal data with affiliated companies, vendors working on its behalf, and others including in response to legal requirements or in connection with corporate transactions such as mergers or acquisitions. Some sharing requires your consent; other sharing occurs without it under the described conditions.
This analysis describes what Microsoft's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The statement identifies multiple categories of third parties with whom personal data may be shared, including affiliates, service vendors, and parties in legal or corporate transaction contexts, which determines the breadth of entities that may access user data.
The updated policy establishes additional grounds on which Microsoft may retain personal data. While the prior version tied retention to specific user expectations and available deletion controls, the revised language authorizes retention for 'operating our business, meeting our contractual and legal obligations, improving and developing our products and services, protecting the safety and security of our systems and customers, and resolving disputes.' This expands the stated purposes beyond transaction fulfillment and legal compliance. The updated policy directs users to product-specific documentation for retention details rather than providing explicit deletion procedures and timelines in the privacy statement itself.
View change record →The updated policy now grounds data retention in five broad business purposes: operating the business, meeting contractual and legal obligations, improving and developing products and services, protecting system and customer safety, and resolving disputes. Previously, the policy articulated specific criteria for determining retention periods, including customer expectations for retention until manual deletion, availability of automated deletion controls, and data sensitivity. The revised language removes these granular criteria and instead requires users to consult individual product documentation to understand when their specific data will be deleted. This shifts the burden of finding retention timelines from the main policy statement to separate product-specific documents.
View change record →The updated Privacy Statement removes previously stated language about additional rights available to European Economic Area users, narrowing the policy's explicit protections in that region. Simultaneously, the revised terms now explicitly authorize Microsoft to contact users via auto-dialer and prerecorded voice for marketing purposes, provided the user has consented to receive marketing communications to the phone number supplied. This establishes Microsoft's contractual permission to initiate automated marketing calls using artificial intelligence-generated voice technology where user consent to marketing contact has been given.
View change record →Provision expanded with explicit enumeration of sharing scenarios (affiliates, vendors, legal requirements, merger/acquisition) but excerpt appears truncated in current version.
View full change record →Your personal data collected through Microsoft products may be shared with Microsoft subsidiaries, service providers, and others in circumstances including legal compliance and corporate transactions. Users seeking to understand who receives their data can review the statement's list of sharing categories.
How other platforms handle this
By using the Services, you authorize Affirm to share your information, including personal information and information related to your transactions and use of the Services, with merchants, service providers, and other third parties as further described in our Privacy Policy.
We may receive information, including the following, from third party sources and combine it with information we already directly collect from you. We will handle the information in accordance with this Privacy Policy. Game, social media, or other information, from those third parties or services yo...
We may share your personal information with our affiliates, meaning entities that control, are controlled by, or are under common control with Consensys. We also share information with service providers who assist in operating our services, subject to confidentiality obligations.
Monitoring
Microsoft has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"We share your personal data with your consent or as necessary to complete any transaction or provide any product you have requested or authorized. We also share data with Microsoft-controlled affiliates and subsidiaries; with vendors or agents working on our behalf; when required by law or to respond to legal process; to protect the rights or property of Microsoft or our customers, including enforcing the agreements governing the use of the services; and in connection with a merger, acquisition, or sale of assets.— Excerpt from Microsoft's Microsoft Privacy Statement (Legacy)
REGULATORY LANDSCAPE: Third-party data sharing engages GDPR requirements on data transfers to third parties including processors and controllers, and EU standard contractual clauses for international transfers; CCPA requirements on disclosure of third-party sharing categories and opt-out rights for sharing constituting a sale; and FTC Act requirements on accuracy of sharing representations. Enforcement authorities include EU data protection authorities, the California Privacy Protection Agency, and the FTC. GOVERNANCE EXPOSURE: Medium. The statement's description of sharing categories is broad; compliance teams must assess whether specific sharing arrangements are covered by appropriate contractual protections, including data processing agreements for vendors and standard contractual clauses for international transfers. JURISDICTION FLAGS: GDPR Chapter V requirements for international data transfers apply where data is transferred outside the EU and EEA. CCPA requires disclosure of specific categories of third parties to whom personal information is disclosed. The merger and acquisition carve-out for data sharing is standard but warrants monitoring in the event of a significant corporate transaction. CONTRACT AND VENDOR IMPLICATIONS: Organizations using Microsoft as a vendor should assess whether data processing agreements adequately address sub-processor relationships implied by the vendor sharing described in this provision. Sub-processor lists and notification obligations should be reviewed. COMPLIANCE CONSIDERATIONS: Compliance teams should maintain a current sub-processor and third-party sharing inventory aligned with this provision; verify that international transfer mechanisms (standard contractual clauses or equivalent) are in place; and assess whether the merger and acquisition sharing carve-out requires notification obligations under applicable law.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The statement identifies multiple categories of third parties with whom personal data may be shared, including affiliates, service vendors, and parties in legal or corporate transaction contexts, which determines the breadth of entities that may access user data.
Your personal data collected through Microsoft products may be shared with Microsoft subsidiaries, service providers, and others in circumstances including legal compliance and corporate transactions. Users seeking to understand who receives their data can review the statement's list of sharing categories.
ConductAtlas has identified this type of provision across 9 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Microsoft.