Which regulatory agencies enforce this type of clause?

{'agency': 'FTC', 'reason': 'The FTC has oversight over data transfers in corporate transactions and has taken enforcement action where such transfers were inconsistent with prior privacy representations.', 'complaint_url': 'https://reportfraud.ftc.gov/'}

What is the severity of this clause?

ConductAtlas classifies this Corporate Transaction Data Transfer clause as medium severity. Severity reflects the magnitude of rights affected, the breadth of users impacted, and the degree of discretion the platform retains.

Do other platforms have similar clauses?

Yes. ConductAtlas has identified similar Corporate Transaction Data Transfer clauses across approximately 18 other tracked platforms. You can compare how platforms differ on this clause type in the cross-platform comparison view.

Corporate Transaction Data Transfer — OpenRouter

Share 𝕏 Share in Share 🔒 PDF

Monitor governance changes for OpenRouter Create a free account to receive the weekly governance digest and monitor one platform for governance changes.

Create free account No credit card required.

Document Record

What it is

If OpenRouter is sold, merges with another company, or goes through bankruptcy or a similar business transaction, your personal data may be transferred to a new owner as part of that deal.

ⓘ

This analysis describes what OpenRouter's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology

ConductAtlas Analysis

Why it matters (compliance & governance perspective)

The policy authorizes transfer of user personal data, including account information and transaction records, to acquiring or successor entities as part of corporate transactions, without requiring user notification or consent at the time of transfer.

Consumer impact (what this means for users)

In the event of a sale, merger, or bankruptcy involving OpenRouter, personal data including account details, usage history, and transaction records may be transferred to a third party whose privacy practices may differ from those described in this policy.

Cross-platform context

See how other platforms handle Corporate Transaction Data Transfer and similar clauses.

Compare across platforms →

Monitoring

OpenRouter has changed this document before.

Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.

Start Watcher free trial Or create a free account →

▸ View Original Clause Language DOCUMENT RECORD

"
If we are involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, purchase or sale of assets, or transition of service to another provider, your information may be sold or transferred as part of such a transaction, as permitted by law and/or contract.

— Excerpt from OpenRouter's OpenRouter Privacy Policy

ConductAtlas Analysis

Institutional analysis (Compliance & governance intelligence)

1. REGULATORY LANDSCAPE: The FTC has previously taken enforcement action in cases where data was transferred in corporate transactions contrary to prior privacy representations. CCPA requires that data transferred in business transactions continue to be subject to CCPA obligations. GDPR requires that any change in data controller be communicated to data subjects and that a lawful basis for the new processing relationship be established. 2. GOVERNANCE EXPOSURE: Medium. This is a standard corporate transaction clause present in most privacy policies, but it creates exposure for users if an acquiring entity's privacy practices are materially different. The phrase 'as permitted by law and/or contract' provides some constraint but does not commit to specific protections post-transfer. 3. JURISDICTION FLAGS: EU and UK users have the strongest protections, as GDPR requires notification of a change in data controller. California users retain CCPA rights regardless of corporate transaction. US users generally have fewer protections and may not receive direct notification of a data transfer in a corporate transaction. 4. CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers should include provisions in their contracts with OpenRouter requiring notification of any corporate transaction that would result in transfer of their data to a successor entity, and should request data return or deletion rights in that event. 5. COMPLIANCE CONSIDERATIONS: Legal teams onboarding OpenRouter should evaluate whether their data processing agreements include change of control provisions requiring notification and the ability to terminate or request data return. GDPR-subject organizations should ensure any successor entity is evaluated as a data processor or controller before data transfer occurs.

Full compliance analysis

Regulatory citations, enforcement risk, and due diligence action items.

Track 1 platform — free Try Watcher free for 14 days

Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.

Applicable agencies

FTC

The FTC has oversight over data transfers in corporate transactions and has taken enforcement action where such transfers were inconsistent with prior privacy representations.
File a complaint →

Provision details

Document information

Document

OpenRouter Privacy Policy

Entity

OpenRouter

Document last updated

May 12, 2026

Tracking information

First tracked

May 12, 2026

Last verified

May 12, 2026

Record ID

CA-P-011904

Document ID

CA-D-00811

Evidence Provenance

Source URL

https://openrouter.ai/privacy

Wayback Machine

View archived versions →

Content hash (SHA-256)

91717e659c28fa47150e1b31feba15f57c09644be2eb5595585f6bac16821776

Analysis generated

May 12, 2026 16:05 UTC

Methodology

summarize_document-v8

Evidence

✓ Snapshot stored ✓ Hash verified

Citation Record

Entity: OpenRouter
Document: OpenRouter Privacy Policy
Record ID: CA-P-011904
Captured: 2026-05-12 16:05:01 UTC
SHA-256: 91717e659c28fa47…
URL: https://conductatlas.com/platform/openrouter/openrouter-privacy-policy/corporate-transaction-data-transfer/
Accessed: May 13, 2026

Permanent archival reference. Stable identifier suitable for legal filings, compliance documentation, and research citation.

Classification

Severity

Medium

Other risks in this policy

Retroactive Policy Modification Without Prior Notice medium
Disclaimer of Responsibility for LLM Provider Handling of User Inputs high
Third-Party Data Sharing with Service Providers and Partners medium
CCPA Rights for California Residents medium
EEA and UK User Rights Under GDPR medium
Data Retention medium

Professional Governance Intelligence

Need to monitor specific governance provisions?

Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.

Arbitration clauses AI governance Data rights Indemnification Retention policies

Start Professional free trial

Or start with Watcher →

Built from archived source documents, structured governance mappings, and historical version tracking.

Frequently Asked Questions

What does OpenRouter's Corporate Transaction Data Transfer clause do?

How does this clause affect you?

How many platforms have this type of clause?

ConductAtlas has identified this type of provision across 18 platforms. See the full comparison.

Is ConductAtlas affiliated with OpenRouter?

No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by OpenRouter.