If you are an enterprise customer and PlanetScale processes data on your behalf, that data is not covered by this privacy policy and is governed by a separate agreement.
This analysis describes what PlanetScale's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Enterprise customers cannot rely on this policy for any assurances about how their end-user data is handled; they need to review their separate data processing agreement with PlanetScale.
End users whose data resides in databases hosted on PlanetScale by enterprise customers have no rights or protections under this policy; their recourse lies with the enterprise customer who controls that data, not PlanetScale directly.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
We use information to enhance the quality, reliability, and/or accuracy of our AI Features by creating, developing, training, testing, improving, and maintaining AI and ML models run by Strava or our service providers. We use aggregated, de-identified data for this purpose. We also use personal info...
Monitoring
PlanetScale has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"This Privacy Policy does not apply to our handling of personal information that we process on behalf of our enterprise customers as a service provider or processor.— Excerpt from PlanetScale's PlanetScale Privacy Policy
(1) REGULATORY LANDSCAPE: This carve-out engages GDPR Articles 4(8), 28, and 29, which govern the controller-processor relationship and require a written data processing agreement specifying the subject matter, nature, purpose, and duration of processing. Under CCPA/CPRA, a parallel concept exists through the 'service provider' designation, which also requires a written contract limiting the service provider's use of personal information. The FTC may also have jurisdiction over representations made to enterprise customers regarding data handling scope. (2) GOVERNANCE EXPOSURE: High. The absence of this policy's coverage for enterprise customer data means that the data processing agreement (DPA) between PlanetScale and each enterprise customer becomes the sole governing instrument for GDPR and CCPA compliance in that relationship. If no DPA exists or is outdated, the enterprise customer faces direct regulatory exposure, particularly under GDPR which mandates a compliant DPA as a prerequisite for lawful processor engagement. (3) JURISDICTION FLAGS: EU and EEA enterprise customers face the highest exposure, as GDPR Article 28 requires specific contractual provisions; failure to have a compliant DPA is itself a violation subject to supervisory authority enforcement. California-based enterprise customers face similar exposure under CPRA's service provider contract requirements. UK enterprise customers must additionally consider UK GDPR requirements. (4) CONTRACT AND VENDOR IMPLICATIONS: Procurement and legal teams onboarding PlanetScale must ensure a current, GDPR-compliant DPA is in place before processing any personal data through the platform. The carve-out language effectively shifts all compliance responsibility for end-user data to the enterprise customer as controller. Teams should confirm whether PlanetScale's standard DPA covers sub-processor obligations, audit rights, and breach notification timelines consistent with GDPR Article 33 and contractual commitments. (5) COMPLIANCE CONSIDERATIONS: Legal teams should request and review PlanetScale's standard DPA, assess whether it meets applicable jurisdictional requirements, and ensure it is executed prior to any live data processing. Data mapping exercises should clearly distinguish data flowing through the platform as a processor engagement versus data collected directly by PlanetScale as a controller under this policy.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Enterprise customers cannot rely on this policy for any assurances about how their end-user data is handled; they need to review their separate data processing agreement with PlanetScale.
End users whose data resides in databases hosted on PlanetScale by enterprise customers have no rights or protections under this policy; their recourse lies with the enterprise customer who controls that data, not PlanetScale directly.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by PlanetScale.