Provisions Index

Poshmark shares your personal data with its parent company Naver Corporation, which is based in South Korea. This means your data may be processed outside the United States under different privacy laws....

Why it matters: South Korea is not automatically recognized as providing GDPR-adequate data protection for all transfer scenarios, meaning your EU or UK personal data may be sent abroad without the full protections European law requires....

Your Poshmark profile, listings, purchase history, and social activity are visible to the public by default — anyone can see what you buy and sell without being your follower or connection....

Why it matters: Most social commerce platforms offer privacy controls, but making transaction history publicly visible by default exposes users to unwanted scrutiny of their purchasing habits without requiring any action by third parties....

Poshmark shares your personal information — including browsing behavior, purchase history, and device identifiers — with third-party advertisers and analytics companies, which California law classifies as a 'sale' or 'sharing' of personal data....

Why it matters: California residents have a legal right to opt out of this sharing, and exercising this right can reduce the amount of targeted advertising you receive based on your Poshmark activity....

Poshmark states it does not knowingly collect personal information from children under 13, but the platform is accessible without strict age verification, and users between 13-18 are subject to the general privacy policy....

Why it matters: Without robust age verification, minors may use the platform and have their data collected and shared with advertisers in ways that COPPA prohibits for under-13 users and that raise concerns for teens under state privacy laws....

Poshmark uses cookies, web beacons, pixel tags, and similar tracking technologies on its platform and through third-party advertising networks to track your behavior across the internet and deliver targeted advertising....

Why it matters: These tracking tools allow Poshmark and its advertising partners to build a detailed profile of your online activity — both on and off Poshmark — and use it to target you with ads, which you can partially control through browser settings or platform opt-outs....

Microsoft states that it uses personal data, including content you create and interact with, to train and improve its AI-powered products and features such as Copilot....

Why it matters: Your personal data — including things you type, say, or create — may be used to improve Microsoft's AI systems, often without a clear opt-out mechanism surfaced at the point of collection....

Microsoft collects voice data when you use voice-enabled features like Xbox voice commands or Cortana, and may use this data to improve speech recognition services....

Why it matters: Voice data is biometric-adjacent and is subject to strict state laws in Illinois (BIPA) and Texas (CUBI) that require written consent before collection and provide private rights of action....

Microsoft states that it requires parental consent for children under 13 to use Xbox services, and parents can manage their child's privacy settings and data through Microsoft Family Safety....

Why it matters: Children under 13 are a protected class under COPPA, and if Microsoft's parental consent mechanisms are insufficient or if data collection from child accounts exceeds what is permitted, both Microsoft and parents face legal exposure, and children's data may be at risk....

When voice reporting is enabled in a voice channel, snippets of your voice chat are stored on your device and the devices of other participants. If someone reports a policy violation, those snippets may be sent to Epic for review....

Why it matters: Users may not realize their voice is being recorded in snippets and that a third party reporting them can trigger transmission of audio to Epic, raising serious concerns about audio surveillance and wiretapping laws....

If you use the MetaHuman feature to create in-game characters, Epic collects images of your face to generate a face mesh. Epic states this is solely to provide the requested functionality and not to identify you....

Why it matters: Facial images are biometric data under several laws including Illinois BIPA and GDPR Article 9, and collection of such data — even with a stated limited purpose — creates significant legal exposure and requires explicit consent in many jurisdictions....

Users who indicate they are children are placed in a 'Cabined Account' with restricted features and limited data collection until a parent provides consent for a full account, verified through Epic's subsidiary Kids Web Services (KWS)....

Why it matters: The use of an Epic subsidiary (KWS) to conduct parental verification for COPPA purposes raises questions about the independence and adequacy of the consent mechanism, and the upgrade pathway from Cabined to full account significantly expands data collection....

Epic shares your personal data with third-party advertising partners to promote the Epic Services, manage advertising, and conduct analytics. This includes data collected automatically such as IP address, device ID, and usage behavior....

Why it matters: Sharing behavioral and device-level data with third-party advertisers is one of the broadest forms of data disclosure in this policy, and under CCPA it may constitute a 'sale' or 'sharing' of personal information requiring an opt-out mechanism....

By default, Google saves every conversation you have with Gemini for 18 months, even if you later delete your account. This is automatic unless you manually turn it off....

Why it matters: An 18-month retention window means your AI conversations — which may include sensitive personal, medical, or financial details — are stored far longer than most users would expect, and persist even after account deletion....

Google employees and contractors can read samples of your Gemini conversations to improve the AI. While Google says it tries to separate your name from the conversation, human beings can still see what you typed....

Why it matters: Most users assume AI chat conversations are only processed by automated systems; learning that human reviewers can read their conversations — even in pseudonymised form — fundamentally changes the privacy expectation for Gemini....

Google uses your Gemini conversations to train and improve its AI by default. You have to actively opt out — it is not off by default....

Why it matters: An opt-out model for AI training data use means most users' conversations contribute to AI model development without their active knowledge or consent, which raises significant concerns under GDPR's requirements for a valid lawful basis for processing....

Google itself warns you not to share private, confidential, or sensitive information in Gemini, because it may be read by humans and used to train AI systems....

Why it matters: This warning, buried within the privacy policy, signals that Gemini is not a secure or confidential communication channel — a fact that many users who share medical, financial, or professional information may not realize....

Unless you opt out within 30 days of creating your account, you must resolve any dispute with Strava through private binding arbitration rather than in court, and you cannot join a class action lawsuit against Strava. EU residents are exempt from this requirement....

Why it matters: This clause removes your right to sue Strava in court or join other users in a class action, which is typically the only practical way individuals can hold large companies accountable for widespread harms like data breaches....

When you post or share any content — including your workout data, GPS routes, photos, and activity information — you give Strava a worldwide, royalty-free license to use, copy, modify, distribute, and commercially exploit that content, including in aggregated or de-identified forms....

Why it matters: This license means Strava can use your fitness routes, workout patterns, and health data to build commercial data products and sell insights derived from your activity, even if you later delete your account....

Your Strava subscription automatically renews every billing period until you cancel, and you must cancel at least 24 hours before the renewal date to avoid being charged. Strava does not provide refunds except for a 14-day cooling-off period available to users outside the United States....

Why it matters: If you forget to cancel before the 24-hour cutoff, you will be charged for the next full billing period with no right to a refund — and US users have no cooling-off period at all....

Strava's total financial liability to you for any claim — including data breaches, privacy violations, or service failures — is capped at the greater of the fees you paid in the last 12 months or $100, whichever is more....

Why it matters: If Strava's mishandling of your sensitive GPS or health data causes you real harm, the most you can recover under this Terms is $100 or one year of subscription fees, which is likely far less than any actual damages....

If you have a dispute with Cash App, you must resolve it through private arbitration with a single arbitrator — not through a court or jury trial. This applies to virtually all disputes about your account, transactions, or Cash App's services....

Why it matters: Arbitration is typically faster and cheaper for large companies, but it removes your access to courts, limits discovery, and results in decisions that are nearly impossible to appeal — meaning Cash App has a significant structural advantage in any dispute....

You agree to resolve disputes with Cash App only as an individual — you cannot join or lead a class action lawsuit or any group legal proceeding against Cash App....

Why it matters: Class actions are the primary legal mechanism consumers use to hold financial companies accountable for widespread but individually small harms — like improper fees charged to millions of users — and waiving this right means Cash App faces no collective accountability risk....

Cash App's maximum financial responsibility to you for any claim is limited to either the fees you paid in the last 12 months or $200 — whichever is greater — even if you suffered a much larger financial loss....

Why it matters: If Cash App makes an error that costs you thousands of dollars — for example, a wrongful account freeze or a transaction error — this clause means you may only recover a tiny fraction of your actual loss....

Cash App can restrict, suspend, or close your account at any time, with or without notice, including if they suspect policy violations or illegal activity — and any balance in your account may be temporarily or permanently held....

Why it matters: Many Cash App users rely on their Cash App Balance as a primary financial account for payroll deposits, bill payments, and daily spending — an unexpected account closure with a held balance could leave users without access to their own money for an indefinite period....

Once you send money through Cash App's peer-to-peer service, the transaction is generally final and cannot be cancelled or reversed — Cash App does not guarantee recovery of funds sent to the wrong person....

Why it matters: Unlike credit card payments or bank wire recalls, Cash App P2P payments are treated as final — if you send money to the wrong person by mistake or are a victim of a scam, you likely cannot get your money back....

If you have a dispute with Target, you must resolve it through private arbitration rather than going to court. This means a private arbitrator — not a judge or jury — decides the outcome of your dispute....

Why it matters: Arbitration removes your ability to have a public court hearing, limits discovery rights, and the decision is typically final and binding with very limited appeal rights....

You agree to give up your right to participate in any class action lawsuit or class-wide arbitration against Target. All disputes must be handled individually....

Why it matters: Class action lawsuits are often the only practical way for consumers to hold large companies accountable for small-dollar harms — without them, the cost of individual litigation typically exceeds any potential recovery....

Target's financial liability to you for any claim is capped at the greater of the amount you paid in the relevant transaction or $100, regardless of the nature or severity of the harm....

Why it matters: Even if Target causes significant harm — such as a data breach exposing sensitive personal information — your ability to recover damages is severely limited to $100 or your transaction amount....

California residents have the right to opt out of the sale or sharing of their personal information with third parties for advertising purposes, exercisable through Target's privacy controls....

Why it matters: Target's page source reveals integrations with DoubleVerify and Google advertising platforms, meaning personal data may be shared with ad networks — California residents can exercise their right to stop this....

Zelle shares your browsing history, IP address, and unique online identifiers with third-party advertising networks to show you targeted ads on zelle.com and across other websites, even though they state they do not 'sell' your data....

Why it matters: This practice means your online behavior is being monetized to fund targeted advertising, and the 'we don't sell data' claim may be misleading since CPRA treats this type of sharing the same as a sale for opt-out purposes....

Formal data rights requests — including the right to know, correct, or delete personal information — are only available to California residents acting in a business-to-business (B2B) capacity, not to ordinary consumers who visit the website....

Why it matters: Most consumers who visit zelle.com are not B2B contacts, meaning the majority of website visitors have no formal mechanism to access, correct, or delete the personal data Zelle has collected about them....

Uber collects your precise GPS location continuously while the driver app is open, including when it is running in the background on your device. This means Uber knows where you are even when you are not actively on a trip....

Why it matters: This goes beyond what most consumers expect — your location is tracked persistently, not just during rides, enabling Uber to build a detailed picture of your daily movements....

Uber uses a feature called Real-Time ID Check that requires drivers to periodically submit a selfie photo, which is then matched against their profile photo using facial recognition technology. This is used to verify identity and prevent fraud....

Why it matters: Biometric data including facial geometry is among the most sensitive personal information — it cannot be changed if compromised, and collection without explicit written consent and a documented retention schedule may violate state biometric privacy laws....

Uber uses automated systems to make decisions that affect drivers, including fraud detection, account deactivation, and performance scoring. These automated decisions can result in your account being suspended or terminated without prior human review....

Why it matters: Automated deactivation decisions can instantly end a driver's ability to earn income on the platform, and the policy does not clearly guarantee a meaningful right to human review of such decisions in all jurisdictions....

Uber shares driver personal data with marketing and advertising partners, including third-party analytics companies and advertising technology vendors. This means your personal information may be used to deliver targeted advertising....

Why it matters: Drivers may not expect their personal data collected in an employment-like context to be shared with advertisers, and this sharing may constitute a 'sale' or 'sharing' of personal information under California law, triggering opt-out rights....

Uber transfers driver personal data internationally, including to the United States and other countries that may not have the same level of data protection as the country where you are located. Uber uses standard contractual clauses and other transfer mechanisms to enable these transfers....

Why it matters: When your data is transferred to countries with weaker privacy laws — including the US from the EU's perspective — you may have fewer legal protections and less practical recourse if your data is misused....

When you post photos, videos, or other content on Snapchat, you give Snap a permanent, worldwide, royalty-free license to use, copy, modify, distribute, and create derivative works from that content. This license continues even after you delete the content in some cases, particularly where it has be...

Why it matters: This provision means Snap can use your personal photos, videos, and creative content for its own commercial purposes without paying you or asking further permission, which goes beyond what many users expect when sharing privately....

US users must resolve any legal disputes with Snap through binding individual arbitration rather than in court, and cannot join class action lawsuits against Snap. This means if Snap harms many users in the same way, each person must individually pursue their claim in arbitration rather than joining...

Why it matters: This provision substantially limits your legal options against Snapchat — arbitration is typically more favorable to corporations than courts, and class actions are the primary way consumers effectively challenge large companies over small-dollar widespread harms....

Snap can suspend or terminate your Snapchat account at any time, for any reason, without prior notice. If your account is terminated, you may lose access to all of your content, friends lists, Snap Score, and any digital items or purchases associated with your account....

Why it matters: Without appeal rights or advance notice, users who have significant data, memories, or digital purchases stored in Snapchat can lose everything if Snap decides to terminate their account, including content that may not be recoverable....

Snap limits its responsibility to you for any damages or losses you suffer while using Snapchat. In most cases, Snap's total financial liability to you is capped at the greater of $100 or the amount you paid Snap in the past 12 months — even if you suffer much larger actual losses....

Why it matters: If Snapchat's service causes you harm — such as a data breach exposing your private photos, or loss of content — you can only recover a maximum of $100 from Snap in most circumstances, regardless of the actual damage caused....

Snapchat requires users to be at least 13 years old to create an account. Users under 18 in some regions may require parental consent, and Snap represents that it does not knowingly collect data from children under 13. However, the platform relies primarily on users self-reporting their age....

Why it matters: Snapchat's age verification relies on self-reported age rather than technical verification, which means children under 13 may access the platform without parental knowledge, and COPPA protections may not be effectively enforced....

Target operates an advertising business called Roundel that uses your purchase history, browsing behavior, and other personal data to serve you targeted ads — and to help other companies target you with ads both on and off Target's platforms....

Why it matters: This provision means your shopping data is not just used to improve your Target experience — it is monetized through an advertising network, which is a significant expansion of data use that many consumers would not expect....

Target allows consumers — particularly those in California and other states with privacy laws — to opt out of the sale or sharing of their personal information for targeted advertising purposes, including through a web form or phone call....

Why it matters: Without actively opting out, your personal data continues to be used for cross-context behavioral advertising by default, meaning Target and its partners can profit from your data unless you take affirmative steps to stop them....

Target collects information that qualifies as 'sensitive' under privacy law, including precise geolocation, financial account details, and health or wellness inferences derived from purchase history (e.g., buying baby products or medications)....

Why it matters: Sensitive personal information carries heightened legal protections under CPRA and analogous state laws, and Target's collection of health-adjacent purchase inferences and precise location data creates significant privacy risks if used for profiling or shared with third parties....

Figma states that it may use the content you upload to its platform — including design files and other materials — to train, develop, and improve its AI and machine learning features and products....

Why it matters: This provision means that proprietary designs, client work, brand assets, or confidential prototypes you store in Figma could be used to improve Figma's AI products, potentially beyond what users and enterprise customers expect when they sign up for a design tool....

Strava collects health data like heart rate, HRV, and VO2max from connected devices and uses this data — along with your location — to train AI and machine learning models that power Strava's features....

Why it matters: Health and biometric data is among the most sensitive personal information, and using it to train AI models creates risks of re-identification, unintended disclosure, and processing beyond the original purpose for which you shared it....

Strava uses your GPS activity data to contribute to its Global Heatmap, a publicly accessible map showing aggregated movement patterns of all Strava users around the world....

Why it matters: Even though the Heatmap is described as aggregated, individual users' frequent routes can be inferred from it — potentially revealing home addresses, workplaces, and daily routines — as demonstrated by real-world security incidents in 2018....

Strava requires permission to track your device's precise GPS location for core features to function, including activity tracking, routes, and segments....

Why it matters: Granting precise location access to Strava means the app continuously collects your exact movement data — routes, timing, pace — which when aggregated over time creates a detailed record of your physical movements and daily patterns....

Strava's Flyby feature lets other users who were near you during an activity see your identity and activity data, unless you opt out in your privacy controls....

Why it matters: By default, Flyby can expose your location and identity to strangers who happened to be near you during an exercise, creating personal safety and stalking risks — particularly for solo runners or cyclists....

Strava uses your health data, GPS location, and activity information — depending on your privacy settings — to develop and run AI and machine learning models that provide personalized training recommendations and other AI-powered features....

Why it matters: The use of sensitive health and location data to train and run AI models introduces risks of opaque automated decision-making, potential processing beyond original purpose, and exposure to sub-processors who may have different data governance standards....