Whatnot transfers your personal data to the United States for processing, and US privacy laws may offer fewer protections than those in your home country.
This analysis describes what Whatnot's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
For users in the EU, UK, and other jurisdictions with strong data protection laws, this transfer must be covered by a lawful mechanism such as Standard Contractual Clauses, and the policy does not specify which transfer mechanism is used.
Interpretive note: The policy does not specify the legal transfer mechanism used for EU and UK data flows, creating uncertainty about whether all required GDPR safeguards are in place.
EU and UK users' personal data is transferred to the US, where it may be subject to US government access rights and different privacy standards, and the specific safeguards in place for this transfer are not detailed in the policy.
How other platforms handle this
You will provide personal information directly to our website in the United States. We may also transfer personal information to our partners and service providers in the United States and other jurisdictions. Please note that such jurisdictions may not provide the same protections as the data prote...
Notion is based in the United States and the information we collect is governed by U.S. law. If you are accessing our Services from outside of the United States, please be aware that information collected through the Services may be transferred to, processed, stored, and used in the United States an...
Your personal information may be transferred to and processed in countries other than your country of residence, including Canada and the United States, where our servers are located and our central database is operated. These countries may have data protection laws that are different from those in ...
Monitoring
Whatnot has changed this document before.
"Your information may be transferred to, and maintained on, computers located outside of your state, province, country or other governmental jurisdiction where the privacy laws may not be as protective as those in your jurisdiction. If you are located outside the United States and choose to provide information to us, please note that we transfer the data, including Personal Information, to the United States and process it there."
Excerpt from Whatnot's Whatnot Privacy Policy
REGULATORY LANDSCAPE: This provision engages GDPR Chapter V, which requires that personal data transferred outside the EU/EEA be covered by an adequacy decision, Standard Contractual Clauses, Binding Corporate Rules, or another approved mechanism. Following Schrems II, transfers to the US require additional technical and contractual safeguards. UK GDPR imposes analogous requirements for transfers from the UK. The relevant enforcement authorities are EU supervisory authorities (coordinated through EDPB) and the UK ICO.
GOVERNANCE EXPOSURE: High for EU and UK user populations. The policy discloses the transfer but does not identify the specific transfer mechanism in use, which may be insufficient for GDPR transparency requirements and could create exposure in the event of a supervisory authority inquiry or complaint.
JURISDICTION FLAGS: EU and UK users face the highest exposure. EU member state supervisory authorities have taken enforcement action against companies that failed to document or implement adequate transfer mechanisms. Switzerland, Brazil, and other jurisdictions with GDPR-equivalent laws may impose similar obligations.
CONTRACT AND VENDOR IMPLICATIONS: DPAs and SCCs with US-based processors and sub-processors must be current and include the supplementary measures required post-Schrems II. Procurement teams should confirm that transfer impact assessments have been conducted for US data flows.
COMPLIANCE CONSIDERATIONS: Legal teams should identify and document the specific transfer mechanism used for EU and UK data flows, update the privacy notice to reflect this, and conduct or update a transfer impact assessment. If the EU-US Data Privacy Framework is relied upon, confirm Whatnot's certification status.
ConductAtlas has identified this type of provision across 78 platforms.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Whatnot.