Provisions Index

The document states that data submitted through the API and ChatGPT Enterprise, including inputs and outputs, is not used to train OpenAI's models by default, distinguishing enterprise terms from standard consumer ChatGPT terms....

Why it matters: This provision directly affects enterprise customers' data minimization posture and their ability to represent AI data governance to regulators and auditors. The default exclusion from model training is a foundational representation that organizations should verify is active for their specific account configuration and contractually documented in an executed agreement....

View provision → Watch OpenAI →

The document states OpenAI offers a Data Processing Agreement incorporating EU Standard Contractual Clauses for enterprise and API customers, enabling international transfers of personal data from the EU/EEA to OpenAI's US-based infrastructure....

Why it matters: This provision establishes the mechanism by which EU-based enterprise customers can lawfully transfer personal data to OpenAI for processing. Under GDPR, a valid transfer mechanism is required for any transfer of EU personal data to a third country; the availability of SCCs via an executed DPA is the operative compliance step for EU customers....

View provision → Watch OpenAI →

The document states that OpenAI can execute a Business Associate Agreement with API customers who require HIPAA compliance coverage, enabling use of the API in contexts involving protected health information....

Why it matters: This provision establishes that API-based deployments handling protected health information may be eligible for BAA coverage, which is a prerequisite for using a third-party vendor under HIPAA. The provision specifies API deployments; compliance teams should confirm whether ChatGPT Enterprise or other product tiers are also within scope of the BAA....

View provision → Watch OpenAI →

The document asserts that OpenAI is a CCPA service provider for enterprise and API customers, which under California law means OpenAI is contractually prohibited from using personal data for purposes other than performing the contracted services, and may not sell or share it for cross-context behavioral advertising....

Why it matters: The service provider designation under CCPA has direct implications for enterprise customers' compliance obligations: if OpenAI qualifies as a service provider, its processing is excluded from the definition of a sale or share under the CCPA, and customers can represent to their own users that data shared with OpenAI is covered by service provider restrictions. The designation must be reflected in a written contract to be legally operative....

View provision → Watch OpenAI →

The document states that API conversation data is not retained beyond 30 days by default except for safety purposes, while ChatGPT Enterprise stores conversations with administrator-level controls for data management and deletion....

Why it matters: Data retention terms directly affect enterprise customers' compliance with GDPR storage limitation principles, CCPA deletion rights obligations, and internal data governance policies. The distinction between API retention (30-day default) and ChatGPT Enterprise retention (stored with admin controls) creates different compliance profiles for the two product tiers....

View provision → Watch OpenAI →

The document discloses that OpenAI has obtained SOC 2 Type 2 certification, indicating that its security controls have been independently audited against the AICPA Trust Services Criteria for security, availability, and related categories....

Why it matters: SOC 2 Type 2 certification is a commonly required vendor security assurance standard in enterprise procurement and is relevant to due diligence under GDPR Article 32 (appropriate technical and organizational measures) and HIPAA security rule requirements. Enterprise customers may request OpenAI's SOC 2 report as part of their vendor risk assessment....

View provision → Watch OpenAI →

The document states that OpenAI uses third-party sub-processors in delivering its services and maintains a sub-processor list, with a commitment to notify customers of additions or changes to sub-processors....

Why it matters: GDPR Article 28 requires processors to obtain controller authorization before engaging sub-processors and to impose equivalent data protection obligations on them. The sub-processor notification mechanism is operationally significant for enterprise customers who must evaluate whether new sub-processors affect their own compliance posture or require updated data transfer assessments....

View provision → Watch OpenAI →

The policy establishes requirements for parental consent for users under 13 (or the applicable age of digital consent in the user's jurisdiction), consistent with COPPA requirements in the US and equivalent frameworks in the EU and UK. Child accounts are managed through Microsoft Family Safety, which requires parental or guardian authorization....

Why it matters: This provision creates compliance obligations under COPPA (enforced by the FTC), GDPR provisions applicable to children's data, and national implementations of child data protection requirements across the EU. Given Minecraft's demographic profile, this provision is operationally significant for verifying that consent collection and parental authorization mechanisms function as disclosed....

View provision → Watch Minecraft →

The policy authorizes sharing of personal data collected through Minecraft services with Microsoft affiliates and third-party service providers for purposes including service operation, analytics, safety, and other disclosed purposes. The scope of affiliate sharing reflects Minecraft's integration into Microsoft's corporate infrastructure following the acquisition of Mojang Studios....

Why it matters: This provision establishes that Minecraft user data, including account identifiers, gameplay data, and device information, may be processed across Microsoft's global affiliate network. Compliance teams should evaluate whether the categories of data shared with affiliates and the purposes for which sharing occurs are disclosed with sufficient specificity to meet GDPR transparency requirements....

View provision → Watch Minecraft →

The policy discloses that Minecraft collects categories of personal data including account identifiers (such as gamertag and Microsoft account data), device information, IP address, gameplay activity and usage data, and communications made through the platform. Collection occurs through gameplay, website interaction, and account registration....

Why it matters: This provision establishes the scope of data collection across Minecraft services. The integration of Microsoft account data means that Minecraft-specific data collection is linked to Microsoft's broader account ecosystem, which may include cross-service data associations depending on account configuration....

View provision → Watch Minecraft →

The policy establishes rights for EU residents under GDPR, UK residents under UK GDPR, and California residents under CCPA/CPRA to access, correct, delete, or restrict processing of their personal data, and to lodge complaints with relevant supervisory authorities. These rights are exercised through Microsoft's privacy request mechanisms....

Why it matters: This provision establishes the procedural mechanisms through which users in regulated jurisdictions can exercise their statutory privacy rights in relation to Minecraft data. The rights are administered through Microsoft's centralized privacy infrastructure, meaning request processing is governed by Microsoft's enterprise data subject request procedures....

View provision → Watch Minecraft →

The policy addresses retention periods for personal data collected through Minecraft services and the process for requesting account closure and associated data deletion. Account and data deletion is administered through Microsoft's account management tools....

Why it matters: This provision establishes the conditions under which personal data collected through Minecraft is retained and the mechanism for requesting its deletion, which is operationally relevant for users who discontinue use of the service and for compliance with GDPR Article 5(1)(e) storage limitation requirements....

View provision → Watch Minecraft →

The policy states that Meta combines user data across Facebook, Instagram, WhatsApp, Messenger, and Meta Quest, as well as from third-party sites and apps, to build a unified profile used for personalized advertising and product recommendations....

Why it matters: This provision establishes the legal basis and operational scope under which Meta links behavioral, interest, and activity data across its entire product family and external sources, creating a unified advertising profile that encompasses on-platform and off-platform user behavior....

View provision → Watch Meta Ads →

The policy states that Meta uses inferred sensitive attributes including religious views, political views, and health information in its advertising systems, describing the use as exclusionary rather than directly targeting on those bases, though the policy acknowledges these attributes inform ad delivery....

Why it matters: This provision discloses that sensitive personal data categories are processed within Meta's advertising infrastructure. The distinction between 'exclusionary' and 'targeting' use of special category data may require evaluation under GDPR Article 9, which restricts processing of such data regardless of the direction of its application in ad delivery....

View provision → Watch Meta Ads →

The policy states that Meta receives behavioral and transaction data from third-party data providers and from partner websites and apps through Meta's business tools such as Meta Pixel and Conversions API, and that Meta requires partners to have a lawful basis for sharing that data....

Why it matters: This provision establishes that Meta's data collection extends beyond its own products to include off-platform browsing, purchase, and behavioral data sourced from third parties, which is incorporated into user profiles used for advertising and personalization across Meta's services....

View provision → Watch Meta Ads →

The policy states that Meta shares user data with advertisers, measurement partners, and analytics companies to support ad targeting, campaign measurement, and reporting, and that advertisers may also supply additional user identifiers to Meta for audience matching and targeting purposes....

Why it matters: This provision establishes a bidirectional data flow in which Meta both shares user data with advertising partners and receives supplemental user data from those partners for audience matching, creating a data exchange that informs ad targeting and campaign performance measurement....

View provision → Watch Meta Ads →

The policy states that Meta does not permit users under 13 years of age (or a higher age threshold in certain jurisdictions) to use Meta's covered products, and that Meta does not knowingly collect personal information from users below the applicable age threshold....

Why it matters: This provision establishes the stated age restriction framework for Meta's products and the policy's asserted exclusion of child personal data collection, with the applicable minimum age varying by jurisdiction....

View provision → Watch Meta Ads →

The policy states that users have rights to access, correct, export, and delete their personal data, and to object to or restrict certain processing, with those rights subject to limitations including legal retention obligations and third-party rights....

Why it matters: This provision establishes the user-facing rights framework Meta asserts is available under applicable privacy law, while disclosing that those rights may be limited by competing legal obligations, Meta's own rights, or third-party interests....

View provision → Watch Meta Ads →

The policy states that Meta collects location data including precise device location (where permitted), IP-based location, and location inferred from user activity such as check-ins and events, and uses this data across the purposes described in the policy including advertising....

Why it matters: This provision establishes that Meta collects multiple categories of location data, ranging from precise GPS-level device location to inferred location from social activity, and applies this data to advertising and personalization purposes across Meta's products....

View provision → Watch Meta Ads →

The policy states that Meta retains personal data for as long as needed to provide services, comply with legal obligations, or protect its interests, with retention periods determined on a case-by-case basis according to the criteria listed....

Why it matters: This provision establishes that Meta does not apply fixed retention periods across data categories but instead determines retention duration on a case-by-case basis, with 'protection of interests' and 'other legitimate purposes' included as open-ended retention justifications alongside legal obligations and service delivery....

View provision → Watch Meta Ads →

The agreement authorizes RapidAPI to suspend or terminate user accounts for violations of acceptable use policies or other term breaches, which may interrupt access to API subscriptions and marketplace features without a defined cure period....

Why it matters: This provision establishes that platform access, including active API subscriptions and integrations brokered through the marketplace, can be interrupted by RapidAPI at its discretion upon a determination of policy violation, creating operational dependency risk for production systems....

View provision → Watch RapidAPI →

The agreement reserves RapidAPI's right to modify platform terms, subscription pricing, and API access tier conditions, typically with notice to users, and continued use of the platform following such modifications constitutes acceptance of updated terms....

Why it matters: This provision establishes a mechanism by which RapidAPI may alter the financial and operational conditions of platform access without requiring affirmative user consent, conditioning acceptance on continued platform use....

View provision → Watch RapidAPI →

The agreement asserts that users, including API providers who list their APIs on the marketplace, grant RapidAPI a license to use, display, and distribute submitted content and API listings through the platform....

Why it matters: This provision establishes a license grant from API providers to RapidAPI covering content submitted to the marketplace, which may include API documentation, specifications, and promotional materials, and the scope of that license affects how providers control the presentation and distribution of their intellectual property....

View provision → Watch RapidAPI →

The agreement establishes an acceptable use policy that defines prohibited activities on the platform, including unauthorized API access, scraping, resale of API access without authorization, and use of the platform for illegal purposes....

Why it matters: This provision defines the behavioral conditions under which account suspension or termination may be triggered, and its scope determines the operational boundaries for both API consumers and API providers using the platform....

View provision → Watch RapidAPI →

The agreement limits RapidAPI's aggregate liability to users, typically capping damages at the amount paid by the user in the preceding months, and excludes liability for indirect, incidental, or consequential damages....

Why it matters: This provision establishes the contractual ceiling on financial recovery available to users in the event of platform failure, API unavailability, or data loss, which is operationally significant for businesses that depend on RapidAPI-brokered APIs for revenue-generating services....

View provision → Watch RapidAPI →

The agreement establishes the governing law applicable to disputes arising from platform use, typically designating a US state jurisdiction, and may include provisions for mandatory arbitration or class action waiver for dispute resolution....

Why it matters: This provision determines the forum and legal framework under which disputes between users and RapidAPI are resolved, and any mandatory arbitration or class action waiver clause affects the procedural options available to users who have claims against the platform....

View provision → Watch RapidAPI →

The agreement authorizes RapidAPI to collect usage data, account information, and API call metadata from users operating on the platform, and may use this data for platform operation, analytics, and service improvement purposes....

Why it matters: This provision establishes the data collection permissions applicable to platform users, including developers and API providers, covering usage telemetry, account identifiers, and API transaction metadata, which is relevant to data protection compliance obligations for business users....

View provision → Watch RapidAPI →

The agreement establishes conditions under which API providers may list and monetize their APIs through the RapidAPI marketplace, including compliance with listing requirements, pricing disclosure obligations, and revenue share or commission arrangements with RapidAPI....

Why it matters: This provision governs the commercial and operational conditions for API providers participating in the marketplace, including any commission or revenue share structure that affects provider monetization, and the compliance requirements that determine continued listing eligibility....

View provision → Watch RapidAPI →

The page source contains initialization code for a Privacy SDK that includes a Global Privacy Control (GPC) signal processing configuration, with a linked privacy policy at /Privacy-Security-Policy-a-282.html. The SDK conditionally loads third-party advertising and analytics scripts based on consent state....

Why it matters: This provision indicates that Shein's consent management infrastructure is configured to recognize Global Privacy Control signals, which under the CPRA may constitute a valid opt-out of sale or sharing of personal information for California residents. The operational scope and compliance adequacy of this mechanism cannot be fully assessed from the submitted page source alone....

View provision → Watch Shein →

The policy states that Acorns collects financial account numbers, investment account data, transaction history, government-issued identification numbers including Social Security numbers, and standard contact identifiers from users who engage with its services....

Why it matters: This provision establishes the scope of sensitive financial and identity data Acorns collects as a condition of platform use, encompassing data categories that are subject to heightened regulatory obligations under GLBA and that carry elevated risk in the event of unauthorized access or disclosure....

View provision → Watch Acorns →

The policy states that Acorns automatically collects device identifiers, operating system and browser data, in-app and web usage activity, IP address-based location, and precise geolocation when permitted, along with data gathered through cookies, web beacons, and similar tracking technologies....

Why it matters: This provision establishes automated collection of behavioral, device, and location data through tracking technologies in addition to user-provided financial data, creating a dataset that may be used for advertising and analytics purposes as described elsewhere in the policy....

View provision → Watch Acorns →

The policy authorizes sharing of user personal information with service providers, business partners, advertising partners, and analytics providers, with advertising partners specifically described as receiving information to deliver targeted advertisements....

Why it matters: This provision authorizes disclosure of personal information, which may include financial account data, device identifiers, and behavioral data, to advertising partners for targeted advertising purposes, a practice that may constitute sale or sharing under CCPA and that engages GLBA's restrictions on sharing nonpublic personal information with nonaffiliated third parties....

View provision → Watch Acorns →

The policy discloses that California residents have CCPA rights to request disclosure of collected personal information categories and specific pieces, to request deletion of their personal information, to opt out of the sale or sharing of personal information, and to be free from discrimination for exercising those rights....

Why it matters: This provision establishes operative consumer rights under CCPA and CPRA for California residents, creating enforceable obligations for Acorns to respond to rights requests and to provide a functional opt-out-of-sale-and-sharing mechanism....

View provision → Watch Acorns →

The policy states that Acorns' general services are not directed at children under 13 and that the company does not knowingly collect personal information from such children, while separately acknowledging that the Acorns Early product involves accounts established by adults for minor beneficiaries....

Why it matters: The policy's acknowledgment that Acorns Early involves minor beneficiaries, alongside the general COPPA disclaimer, creates a compliance distinction requiring assessment of whether and what data is collected in connection with minor beneficiaries through that product and whether parental consent mechanisms satisfy COPPA's requirements....

View provision → Watch Acorns →

The policy states that personal information is retained for as long as necessary to provide services, meet legal obligations, resolve disputes, and enforce agreements, and that data will be deleted or anonymized when no longer needed....

Why it matters: The retention standard stated in this provision is broadly defined by reference to service necessity, legal obligations, dispute resolution, and agreement enforcement, without specifying maximum retention periods for particular data categories, which may create compliance ambiguity under regulations that impose specific retention period requirements or data minimization obligations....

View provision → Watch Acorns →

The policy authorizes use of personal information for service delivery, communications about promotional offers, personalization of user experience, and internal research and analytics....

Why it matters: The authorization to use personal information for promotional communications and personalization, in the context of a financial services platform, engages both GLBA's marketing restrictions and CCPA's provisions on using data for targeted advertising, and may interact with CAN-SPAM and TCPA requirements depending on the communication channel used....

View provision → Watch Acorns →

GitHub reserves the right to remove content or suspend account access for any violation of the Acceptable Use Policies, with no stated prior-notice requirement or mandatory appeal procedure specified in this document....

Why it matters: This provision establishes GitHub's unilateral enforcement authority over all hosted content and accounts, which creates a material platform-dependency risk for developers, organizations, and businesses whose operational workflows rely on GitHub's infrastructure, as access may be suspended without a contractually guaranteed notice or reinstatement timeline....

View provision → Watch GitHub →

The agreement prohibits using GitHub's servers for cryptocurrency mining, excessive automated bulk activity, or any form of unsolicited advertising relay, characterizing these as placing undue burden on GitHub's infrastructure....

Why it matters: This provision directly restricts the use of GitHub Actions and other compute resources for cryptomining or automated bulk operations, which is operationally significant for DevOps teams and organizations running automated pipelines that may inadvertently approach the boundary of this prohibition....

View provision → Watch GitHub →

The agreement prohibits posting content that infringes patents, trademarks, trade secrets, copyrights, rights of publicity, or other proprietary rights, covering the full range of intellectual property categories....

Why it matters: This provision establishes user obligations regarding intellectual property across all content posted to GitHub, and violations may trigger content removal or account suspension under GitHub's DMCA takedown process and the broader AUP enforcement authority....

View provision → Watch GitHub →

The agreement prohibits uploading, hosting, or transmitting malicious code, and also prohibits using GitHub infrastructure as part of any system designed to deliver or amplify cyberattacks, including command-and-control infrastructure....

Why it matters: This provision prohibits not only direct malware hosting but also the use of GitHub repositories or infrastructure as attack support systems, which has particular relevance for security researchers whose dual-use tools or proof-of-concept exploit code may be assessed under this restriction....

View provision → Watch GitHub →

The agreement prohibits posting another person's personal information without their consent, characterizing such conduct as a privacy violation subject to enforcement under the AUP....

Why it matters: This provision establishes a consent-based standard for posting third-party personal information, which has operational significance for repositories that include user-generated data, research datasets, or scraped data that may contain personal identifiers....

View provision → Watch GitHub →

The agreement prohibits users under 13 from using GitHub's services and states that GitHub will terminate accounts of users determined to be under 13 immediately upon discovery....

Why it matters: This provision establishes a minimum age requirement consistent with COPPA obligations and authorizes immediate account termination for underage users, which is operationally relevant for educational institutions and organizations that facilitate student access to GitHub....

View provision → Watch GitHub →

The agreement prohibits using GitHub's systems to send spam, conduct excessive automated bulk activity, relay unsolicited advertising, or operate get-rich-quick solicitation schemes....

Why it matters: This provision restricts automated and bulk communications activity through GitHub infrastructure, which is relevant for organizations using GitHub Actions, bots, or API integrations for high-volume operations that may approach the threshold of prohibited bulk activity....

View provision → Watch GitHub →

The agreement prohibits posting information that is unlawful or that facilitates illegal activities, applying this restriction broadly across all content types and user contexts on the platform....

Why it matters: This provision establishes a broad prohibition on unlawful content that supplements the specific categorical prohibitions elsewhere in the AUP, and its broad framing means that the scope of prohibited content depends on applicable law in the user's jurisdiction, which may vary significantly across geographies....

View provision → Watch GitHub →

Section 14 requires that disputes between users and SIE be resolved through binding individual arbitration administered by AAA or NAM, rather than through court proceedings. Users waive the right to participate in class action lawsuits, and a 30-day written opt-out window applies from the date of first acceptance....

Why it matters: This provision requires all US users to resolve disputes with SIE individually through arbitration, precluding class action participation absent timely written opt-out. The delegation clause assigns threshold arbitrability questions to the arbitrator, which may affect users' ability to challenge the scope of the arbitration agreement in court....

View provision → Watch Sony PlayStation →

The agreement states that violations of the Terms may result in temporary or permanent suspension of the user's account and console, and that users may lose or have restricted access to content associated with those accounts, including digital purchases....

Why it matters: This provision asserts SIE's authority to suspend or permanently terminate both account and console access, with the consequence that users may lose access to previously purchased digital content. The scope of content access loss upon suspension is operationally significant given the digital-goods nature of PlayStation Store purchases....

View provision → Watch Sony PlayStation →

The agreement includes a section governing user information and user generated content, under which users grant SIE a license to content they submit or generate through PlayStation Services. The specific license scope, including royalty-free and sublicensable terms, is addressed in Section 6 of the agreement....

Why it matters: This provision establishes the scope of the license SIE holds over content users create or submit through PlayStation Services, including potential sublicensability and royalty-free terms. The breadth of the license grant affects user rights to their own created content across PlayStation platform features....

View provision → Watch Sony PlayStation →

The agreement states that continued use of PlayStation Services after notification of a change to the Terms constitutes acceptance of the amended Terms. Users who do not agree to the updated Terms are unable to access or use PlayStation Services....

Why it matters: This provision establishes that SIE may amend the Terms and that continued use of Services constitutes acceptance of amendments, without requiring affirmative re-consent. The mechanism applies to all material changes to the agreement, including changes to dispute resolution, data practices, and content license terms....

View provision → Watch Sony PlayStation →

The agreement requires that users under 18 have a parent or guardian review and agree to the Terms on their behalf, and that the parent or guardian accepts all liability for the minor's actions on PlayStation Services and compliance with the Terms....

Why it matters: This provision establishes that parents or legal guardians bear contractual liability for child users' actions on PlayStation Services. The agreement also references Child Account functionality and parental control features governed in Section 4, which are directly relevant to COPPA compliance for users under 13....

View provision → Watch Sony PlayStation →

Section 17 of the agreement contains warranty disclaimers and limitations on SIE's liability for PlayStation Services, which is standard in consumer platform agreements but operationally significant for users experiencing service disruptions or content access issues....

Why it matters: This provision limits the remedies available to users for service failures, content inaccessibility, or other platform issues. The interaction of the warranty disclaimer with the account suspension and digital content access loss provisions is particularly relevant to users who have made purchases through the PlayStation Store....

View provision → Watch Sony PlayStation →