Palantir · Palantir Privacy Statement

Website Data vs. Customer Data Distinction

Medium severity
Share 𝕏 Share in Share 🔒 PDF

What it is

Palantir treats data from website visitors differently from data its enterprise clients put into its platform — for client data, Palantir is just the processor following the client's instructions.

Consumer impact (what this means for users)

If your data ends up in a Palantir platform because a government agency or corporation is a Palantir client, your privacy rights must be directed to that organization (the data controller), not to Palantir directly.

Cross-platform context

See how other platforms handle Website Data vs. Customer Data Distinction and similar clauses.

Compare across platforms →
Need full compliance memos? See Professional →

Why it matters (compliance & risk perspective)

This controller/processor distinction determines who is legally responsible for data and what rights individuals can exercise — it is a fundamental GDPR concept with significant compliance implications for enterprise clients.

View original clause language
Palantir distinguishes between personal data collected from visitors to our website ('Website Data') and personal data that our customers upload or input into Palantir's platforms ('Customer Data'). For Customer Data, Palantir acts as a data processor on behalf of the customer, who is the data controller.

Institutional analysis (Compliance & legal intelligence)

REGULATORY FRAMEWORK: This provision implements the GDPR Art. 4(7)/(8) controller/processor distinction and Art. 28 requirements for data processing agreements. CCPA's service provider framework (§1798.140(ag)) creates an analogous distinction. The allocation of responsibility between controller and processor is foundational to EU and UK data protection law enforcement, with each party bearing distinct obligations.

🔒

Compliance intelligence locked

Regulatory citations, enforcement risk, and due diligence action items.

Watcher $9.99/mo Professional $149/mo

Watcher: regulatory citations. Professional: full compliance memo.

Applicable agencies

  • FTC
    FTC has authority to investigate whether controller/processor representations are accurate and whether service provider designations are being honored in practice.
    File a complaint →
  • Hhs Ocr
    If Palantir processes protected health information on behalf of HIPAA covered entities, HHS OCR has enforcement authority over Business Associate compliance.
    File a complaint →

Provision details

Document information
Document
Palantir Privacy Statement
Entity
Palantir
Document last updated
April 29, 2026
Tracking information
First tracked
April 30, 2026
Last verified
April 30, 2026
Record ID
CA-P-004243
Document ID
CA-D-00496
Evidence Provenance
Source URL
https://www.palantir.com/privacy-and-security/
Wayback Machine
View archived versions →
SHA-256
eb927d9bd1bc02713391ebd4577b404a2136eba1e135746456110bc968e6e635
Verified
✓ Snapshot stored   ✓ Change verified
How to Cite
ConductAtlas Policy Archive
Entity: Palantir | Document: Palantir Privacy Statement | Record: CA-P-004243
Captured: 2026-04-30 07:23:49 UTC | SHA-256: eb927d9bd1bc0271…
URL: https://conductatlas.com/platform/palantir/palantir-privacy-statement/website-data-vs-customer-data-distinction/
Accessed: May 2, 2026
Classification
Severity
Medium
Categories
Unknown

Other provisions in this document