The policy discloses that personal information may be transferred to and processed in countries outside the user's country of residence, including countries with different data protection standards, and asserts that appropriate safeguards have been implemented.
This analysis describes what Whatnot's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision addresses cross-border data transfers, which for EU and UK users require specific transfer mechanisms under GDPR and UK GDPR; the policy's reference to 'appropriate safeguards' without specifying the mechanism (such as standard contractual clauses or adequacy decisions) leaves the specific legal basis for transfers unspecified in the publicly available policy text.
Interpretive note: The policy references 'appropriate safeguards' without specifying the legal transfer mechanism relied upon for EU and UK data flows; the specific mechanism may be documented in supplementary materials not included in the policy text reviewed.
The updated terms require all disputes arising from the Strategic Seller Agreement or a seller's relationship with Whatnot to be resolved through arbitration as defined in the main Terms of Service, rather than through litigation in California courts. Previously, sellers could bring claims in federal or state courts located in Los Angeles; under the revised language, this option is eliminated except where the Terms of Service arbitration section expressly permits court proceedings. The change applies to the relationship between individual sellers and Whatnot, affecting how contract disputes, payment disagreements, or other claims are processed and adjudicated.
View change record →The updated terms establish a new Creator Program for UK users that allows them to submit content (videos, shopping hauls, seller spotlights) and potentially receive program benefits including cash payments, shopping credit, or promotional support. The terms grant Whatnot a one-year non-exclusive license to use submitted content across all marketing channels worldwide for promotion, advertising, and derivative works without additional compensation beyond the stated program benefit. Creators must be at least 18 years old, maintain a valid Whatnot account, and complete identity verification and tax documentation before receiving any payment. The terms state explicitly that submission does not guarantee content will be selected, used, featured, or rewarded, and Whatnot retains discretion to reject, remove, or stop using content at any time.
View change record →The provision was generalized from a US-centric transfer model to any international transfer and added an assurance about safeguards, while removing the specific mention of US as the destination and the comparative language about protective laws.
View full change record →Under this provision, personal information of all users, including EU and UK residents, may be transferred to and processed in the United States or other countries; the policy asserts that safeguards are in place but does not specify the legal mechanism relied upon for EU and UK transfers in the policy text reviewed.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
Your personal information may be transferred to, and maintained on, computers located outside of your state, province, country, or other governmental jurisdiction where the privacy laws may not be as protective as those in your jurisdiction.
Your personal information may be transferred to, stored, and processed in the United States or other countries outside of your country of residence, which may have data protection laws that are different from those in your country.
Monitoring
Whatnot has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Your personal information may be transferred to and processed in countries other than the country in which you are resident. These countries may have data protection laws that are different from the laws of your country. We have taken appropriate safeguards to require that your personal information will remain protected in accordance with this Privacy Policy.— Excerpt from Whatnot's Whatnot Privacy Policy
1) REGULATORY LANDSCAPE: GDPR Chapter V and UK GDPR require that transfers of personal data to third countries use an adequacy decision, standard contractual clauses, binding corporate rules, or another approved transfer mechanism. The policy's generic reference to 'appropriate safeguards' does not, in the text reviewed, identify the specific mechanism, which may be addressed in supplementary documentation not included in this analysis. The relevant enforcement authorities are EU national data protection authorities and the UK ICO. 2) GOVERNANCE EXPOSURE: Medium. If Whatnot relies on standard contractual clauses for EU/UK to US transfers, post-Schrems II requirements for transfer impact assessments apply and must be documented. The adequacy of the EU-US Data Privacy Framework as an alternative mechanism should be confirmed if relied upon. 3) JURISDICTION FLAGS: EU and UK users face the highest exposure from inadequately documented transfer mechanisms. Swiss users are subject to the revised Swiss Federal Act on Data Protection, which similarly requires appropriate transfer safeguards. 4) CONTRACT AND VENDOR IMPLICATIONS: Data processing agreements with US-based vendors receiving EU or UK personal data must include appropriate transfer mechanism clauses; procurement teams should confirm that all sub-processors handling EU/UK data have executed SCCs or equivalent instruments. 5) COMPLIANCE CONSIDERATIONS: Legal teams should document the specific transfer mechanisms relied upon for each cross-border data flow involving EU and UK personal data, confirm that transfer impact assessments have been conducted where required, and ensure that the privacy policy is updated to reference the specific mechanism relied upon to provide transparency to data subjects.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision addresses cross-border data transfers, which for EU and UK users require specific transfer mechanisms under GDPR and UK GDPR; the policy's reference to 'appropriate safeguards' without specifying the mechanism (such as standard contractual clauses or adequacy decisions) leaves the specific legal basis for transfers unspecified in the publicly available policy text.
Under this provision, personal information of all users, including EU and UK residents, may be transferred to and processed in the United States or other countries; the policy asserts that safeguards are in place but does not specify the legal mechanism relied upon for EU and UK transfers in the policy text reviewed.
ConductAtlas has identified this type of provision across 55 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Whatnot.