This policy only covers Palantir's own website and hiring activities — it does not cover what Palantir's software does with data when deployed by government agencies or enterprise clients.
This analysis describes what Palantir's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Palantir's most significant data operations involve analyzing large datasets for government and corporate clients, and those processing activities are entirely outside the scope of this public privacy statement.
If data about you has been processed through Palantir's Gotham, Foundry, or AIP platforms — for example as part of a government surveillance or investigation program — your rights under those deployments are governed by contracts between Palantir and its clients, not by this consumer-facing policy. This means there may be no direct mechanism through this document to exercise privacy rights in that context.
Cross-platform context
See how other platforms handle Scope Carve-Out for Enterprise and Government Products and similar clauses.
Compare across platforms →Monitoring
Palantir has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"This privacy notice contains information on what personal data we collect, what we do with that information, and what rights you have. This notice applies to personal data processed by Palantir in connection with its website, marketing activities, recruitment, and business operations. It does not apply to personal data processed by Palantir on behalf of its customers through its software products.— Excerpt from Palantir's Palantir Privacy Statement
REGULATORY LANDSCAPE: The scope carve-out engages GDPR Articles 4(7) and 4(8), which distinguish between data controllers and data processors. Under GDPR, when Palantir processes data on behalf of enterprise or government clients, those clients are the controllers and Palantir acts as processor — meaning data subject rights requests from EU residents may need to be directed to those client controllers rather than Palantir directly. This structure also engages CCPA's service provider framework for California residents. GOVERNANCE EXPOSURE: High. The carve-out means Palantir's public privacy disclosures materially understate the full scope of its data processing activities. Organizations that are Palantir customers bear controller-level obligations and must ensure their data processing agreements with Palantir satisfy GDPR Article 28 requirements, including audit rights, subprocessor notifications, and data deletion obligations. JURISDICTION FLAGS: EU and UK data subjects whose data is processed in Palantir enterprise deployments may face difficulty exercising GDPR or UK GDPR data subject rights if they cannot identify the relevant client controller. US federal government deployments may involve data subject populations with limited civilian privacy recourse depending on the applicable federal legal framework. CONTRACT AND VENDOR IMPLICATIONS: Procurement and legal teams at organizations contracting with Palantir should ensure their Data Processing Agreements explicitly address Article 28 GDPR requirements, subprocessor lists, international transfer mechanisms, breach notification timelines, and audit rights. The carve-out as stated does not itself create liability for Palantir's customers but confirms that customer organizations assume controller responsibilities. COMPLIANCE CONSIDERATIONS: Compliance teams at Palantir client organizations should conduct data mapping exercises to identify all personal data categories processed through Palantir platforms, ensure Records of Processing Activities reflect Palantir as a sub-processor where applicable, and confirm that data subject rights request procedures account for the need to engage Palantir under DPA terms rather than through the public privacy statement.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Palantir's most significant data operations involve analyzing large datasets for government and corporate clients, and those processing activities are entirely outside the scope of this public privacy statement.
If data about you has been processed through Palantir's Gotham, Foundry, or AIP platforms — for example as part of a government surveillance or investigation program — your rights under those deployments are governed by contracts between Palantir and its clients, not by this consumer-facing policy. This means there may be no direct mechanism through this document to exercise privacy …
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Palantir.