Your personal data is stored and processed primarily in the US, and may also be sent to PlanetScale's partners in other countries with potentially weaker privacy protections; PlanetScale commits to using legal transfer mechanisms such as adequacy decisions or Standard Contractual Clauses.
This analysis describes what PlanetScale's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
EU, UK, and Swiss users have their data transferred to the US, a jurisdiction that historically has not met the EU's adequacy standard without specific frameworks; the policy's reference to both DPF and contractual protections suggests a layered approach, but the adequacy of those protections depends on which mechanism is applied and whether it remains legally valid.
Personal data from EU, UK, and Swiss users is transferred to and processed in the United States under the Data Privacy Framework or Standard Contractual Clauses; users in these regions should be aware that US national security law may permit governmental access to this data in ways that may not be available under their home country's laws.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
Your personal information may be transferred to, stored, and processed in the United States or other countries outside of your country of residence, which may have data protection laws that are different from those in your country.
Your personal information may be transferred to, and maintained on, computers located outside of your state, province, country, or other governmental jurisdiction where the privacy laws may not be as protective as those in your jurisdiction.
Monitoring
PlanetScale has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"You will provide personal information directly to our website in the United States. We may also transfer personal information to our partners and service providers in the United States and other jurisdictions. Please note that such jurisdictions may not provide the same protections as the data protection laws in your home country. When we engage in cross-border data transfers, we will ensure that relevant safeguards are in place to afford adequate protection for personal information and we will comply with applicable data protection laws, in particular by relying on an EU Commission or UK government adequacy decision or on contractual protections for the transfer of personal information.— Excerpt from PlanetScale's PlanetScale Privacy Policy
(1) REGULATORY LANDSCAPE: GDPR Chapter V governs international data transfers, requiring either an adequacy decision, appropriate safeguards (such as Standard Contractual Clauses under Article 46), or specific derogations. The EU-US DPF adequacy decision of July 2023 is currently operative but has faced legal challenges and may be subject to further scrutiny. UK GDPR has parallel requirements with UK-specific mechanisms including UK SCCs and the UK's International Data Transfer Agreement (IDTA). Swiss data transfers are governed by the Swiss Federal Act on Data Protection. (2) GOVERNANCE EXPOSURE: Medium. The policy's dual reliance on adequacy decisions and contractual protections is prudent but somewhat imprecise; in practice, organizations need to document which mechanism applies to each transfer. The acknowledgment that 'such jurisdictions may not provide the same protections as the data protection laws in your home country' is a transparency measure but also serves as a notice-based risk allocation. (3) JURISDICTION FLAGS: EU and EEA transfers carry the highest regulatory scrutiny, particularly given the history of EU-US transfer mechanism invalidations (Safe Harbor 2015, Privacy Shield 2020). UK transfers require assessment under the UK's own adequacy and transfer mechanism framework post-Brexit. Switzerland's updated FADP came into force in September 2023 and introduces GDPR-adjacent requirements for international transfers. (4) CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers should request documentation of the specific transfer mechanisms used for their data, including executed SCCs or DPF documentation, rather than relying on the general policy statement. Sub-processor transfer chains should be mapped to ensure each link uses an approved mechanism. (5) COMPLIANCE CONSIDERATIONS: Legal teams should maintain a record of processing activities (ROPA) entry for transfers to PlanetScale, specifying the applicable transfer mechanism. If SCCs are relied upon, the transfer impact assessment (TIA) required post-Schrems II should be documented. DPF certification should be verified periodically given the history of transfer mechanism invalidation.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
EU, UK, and Swiss users have their data transferred to the US, a jurisdiction that historically has not met the EU's adequacy standard without specific frameworks; the policy's reference to both DPF and contractual protections suggests a layered approach, but the adequacy of those protections depends on which mechanism is applied and whether it remains legally valid.
Personal data from EU, UK, and Swiss users is transferred to and processed in the United States under the Data Privacy Framework or Standard Contractual Clauses; users in these regions should be aware that US national security law may permit governmental access to this data in ways that may not be available under their home country's laws.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by PlanetScale.