Third-Party Data Sharing

What it is

Stability AI states it may share your personal data with outside companies that help run its services, with advertising and analytics partners, and with any company that acquires Stability AI in a business deal.

Why it matters (compliance & governance perspective)

The clause establishes the scope of permissible data recipients under the privacy policy and specifies categories of third parties who may receive personal information in both operational and transactional contexts.

Consumer impact (what this means for users)

The policy authorizes sharing of personal information with service providers, analytics providers, advertising partners, and business transfer recipients, meaning your account details, usage data, and potentially your prompts and outputs may be disclosed to these parties under the terms stated.

What you can do

Institutional analysis (Compliance & governance intelligence)

1) REGULATORY LANDSCAPE: Third-party data sharing implicates GDPR Articles 26 and 28 (controller and processor obligations), CCPA requirements regarding disclosure of data sales and sharing with third parties for cross-context behavioral advertising, and FTC Act provisions on unfair or deceptive practices if disclosures are inadequate. Sharing with advertising partners in particular may constitute a sale or sharing of personal information under CCPA/CPRA, triggering opt-out rights. 2) GOVERNANCE EXPOSURE: Medium. The breadth of third-party sharing categories authorized in the policy, particularly advertising partners, creates compliance obligations under CCPA/CPRA and GDPR that require clear disclosure, appropriate contractual protections, and in some cases user consent or opt-out mechanisms. Business transfer disclosures are standard but should be evaluated in the context of GDPR Article 6 lawful basis. 3) JURISDICTION FLAGS: California users have CPRA rights to opt out of sharing of personal information with advertising partners. EU and UK users may have rights to object to sharing based on legitimate interests. The business transfer provision applies globally but may face constraints under GDPR in the event of a cross-border acquisition. 4) CONTRACT AND VENDOR IMPLICATIONS: Data Processing Agreements with service providers should be confirmed to meet GDPR Article 28 requirements. Advertising partner relationships should be assessed for CCPA compliance, including whether they constitute third-party data sales or sharing. In a business transfer scenario, successor entities must be assessed for their own compliance posture. 5) COMPLIANCE CONSIDERATIONS: Compliance teams should maintain an up-to-date vendor list mapping third-party data recipients to data categories shared; ensure Data Processing Agreements are in place with all processors; evaluate whether advertising partner data flows constitute CCPA-regulated sharing; and assess whether business transfer notification obligations to users and regulators are addressed in internal procedures.

Applicable agencies

Applicable regulations

Provision details

Other risks in this policy

• AI Model Training Using User Inputs high
• Data Retention medium
• Cross-Border Data Transfers medium
• User Rights (GDPR, UK GDPR, and CCPA) medium
• Cookies and Tracking Technologies medium
• Business Transfer Data Disclosure medium

Related Analysis

• Meta Removed 438 Sentences From Its Privacy Policy. Here Is What Disappeared.

  ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.

• 23andMe Is Bankrupt. What Happens to Your DNA Now?

  Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.