Midjourney shares your data with service providers, business partners, and payment processors, and may transfer it if the company is sold; it states it does not sell your data under California law.
This analysis describes what Midjourney's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The policy authorizes sharing personal information with service providers, business partners, and payment processors, and permits data transfer in the event of a business acquisition; the categories of business partners are not fully enumerated, which limits user visibility into who may receive their data.
Interpretive note: The policy does not enumerate all business partners or specify the data categories shared with each, limiting the ability to assess the full scope of third-party sharing.
Your personal information, including account identifiers and potentially behavioral and content data, may be shared with service providers and business partners whose identities are not fully specified in the policy; in the event of a company sale or merger, your data may transfer to a new entity.
Cross-platform context
See how other platforms handle Third-Party Data Sharing and similar clauses.
Compare across platforms →Monitoring
Midjourney has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"We may share your personal information with third parties in the following circumstances: with service providers who assist us in operating the Services; with business partners; with payment processors; in connection with a merger, acquisition, or sale of assets; when required by law or to protect our rights; and with your consent. We do not sell your personal information as that term is defined under the California Consumer Privacy Act.— Excerpt from Midjourney's Midjourney Data Retention & Privacy FAQ
REGULATORY LANDSCAPE: Third-party data sharing engages GDPR data processing agreement requirements (Article 28) for service providers acting as processors, and GDPR Article 46 transfer mechanisms for international data flows. CCPA/CPRA distinguishes between service providers (restricted use) and third parties (unrestricted sharing); the policy's reference to business partners without enumerated restrictions may require evaluation as to whether sharing constitutes CPRA-regulated sharing for cross-context behavioral advertising. The FTC's data broker and sharing practices guidance is relevant. GOVERNANCE EXPOSURE: Medium. The non-enumeration of business partners creates auditability challenges. GDPR Article 28 requires written contracts with processors specifying permissible use; compliance teams should verify that all service providers and business partners operate under appropriate data processing agreements. The business transfer clause creates a risk of data flowing to an entity with different privacy practices following an acquisition. JURISDICTION FLAGS: EU/EEA jurisdictions require Standard Contractual Clauses or equivalent transfer mechanisms for international data transfers. California's CPRA requires opt-out rights for sharing of personal information with third parties for cross-context behavioral advertising. The business partner category should be assessed under both frameworks. CONTRACT AND VENDOR IMPLICATIONS: Procurement teams should request a list of sub-processors and business partners. Contracts with Midjourney should include provisions addressing data transfer obligations in the event of a merger or acquisition, and should specify data destruction or return obligations upon contract termination. COMPLIANCE CONSIDERATIONS: Legal teams should evaluate whether the business partner sharing described constitutes CPRA-regulated sharing requiring a disclosed opt-out right. GDPR transfer impact assessments may be required for international sharing. Data flow mapping should document all third-party recipients and applicable legal bases.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The policy authorizes sharing personal information with service providers, business partners, and payment processors, and permits data transfer in the event of a business acquisition; the categories of business partners are not fully enumerated, which limits user visibility into who may receive their data.
Your personal information, including account identifiers and potentially behavioral and content data, may be shared with service providers and business partners whose identities are not fully specified in the policy; in the event of a company sale or merger, your data may transfer to a new entity.
ConductAtlas has identified this type of provision across 24 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Midjourney.