If you are an enterprise customer and PlanetScale processes data on your behalf, that data is not covered by this privacy policy and is governed by a separate agreement.
This analysis describes what PlanetScale's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
Enterprise customers cannot rely on this policy for any assurances about how their end-user data is handled; they need to review their separate data processing agreement with PlanetScale.
End users whose data resides in databases hosted on PlanetScale by enterprise customers have no rights or protections under this policy; their recourse lies with the enterprise customer who controls that data, not PlanetScale directly.
How other platforms handle this
Our Service allows customers to submit, manage or otherwise use content relating to others, such as end users of applications built and managed through the Service or their employees and contractors ("Customer Data"). We use such Customer Data primarily as a processor, meaning we process such Custom...
AWS processes Customer Content you submit to Amazon Bedrock in accordance with the AWS Customer Agreement and applicable data protection terms. AWS does not use Customer Content processed by Amazon Bedrock to train Amazon's foundation models without your consent.
When Okta provides its products and services to its customers (e.g., organizations that use Okta to manage their workforce or Auth0 to manage their customer identity), Okta processes personal data on behalf of those customers as a data processor. In those cases, the customer is the data controller a...
Monitoring
PlanetScale has changed this document before.
"This Privacy Policy does not apply to our handling of personal information that we process on behalf of our enterprise customers as a service provider or processor."
Excerpt from PlanetScale's Privacy Policy
(1) REGULATORY LANDSCAPE: This carve-out engages GDPR Articles 4(8), 28, and 29, which govern the controller-processor relationship and require a written data processing agreement specifying the subject matter, nature, purpose, and duration of processing. Under CCPA/CPRA, a parallel concept exists through the 'service provider' designation, which also requires a written contract limiting the service provider's use of personal information. The FTC may also have jurisdiction over representations made to enterprise customers regarding data handling scope.
(2) GOVERNANCE EXPOSURE: High. The absence of this policy's coverage for enterprise customer data means that the data processing agreement (DPA) between PlanetScale and each enterprise customer becomes the sole governing instrument for GDPR and CCPA compliance in that relationship. If no DPA exists or is outdated, the enterprise customer faces direct regulatory exposure, particularly under GDPR which mandates a compliant DPA as a prerequisite for lawful processor engagement.
(3) JURISDICTION FLAGS: EU and EEA enterprise customers face the highest exposure, as GDPR Article 28 requires specific contractual provisions; failure to have a compliant DPA is itself a violation subject to supervisory authority enforcement. California-based enterprise customers face similar exposure under CPRA's service provider contract requirements. UK enterprise customers must additionally consider UK GDPR requirements.
(4) CONTRACT AND VENDOR IMPLICATIONS: Procurement and legal teams onboarding PlanetScale must ensure a current, GDPR-compliant DPA is in place before processing any personal data through the platform. The carve-out language effectively shifts all compliance responsibility for end-user data to the enterprise customer as controller. Teams should confirm whether PlanetScale's standard DPA covers sub-processor obligations, audit rights, and breach notification timelines consistent with GDPR Article 33 and contractual commitments.
(5) COMPLIANCE CONSIDERATIONS: Legal teams should request and review PlanetScale's standard DPA, assess whether it meets applicable jurisdictional requirements, and ensure it is executed prior to any live data processing. Data mapping exercises should clearly distinguish data flowing through the platform as a processor engagement versus data collected directly by PlanetScale as a controller under this policy.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by PlanetScale.