Provisions Index

The policy states that personal information is retained for as long as necessary to fulfill collection purposes, satisfy legal obligations, resolve disputes, and enforce agreements, with retention periods varying by data type and purpose....

Why it matters: Retention period disclosures are required under CCPA/CPRA and are relevant to consumer deletion rights; indefinite or purpose-based retention policies without specific timeframes may be subject to regulatory scrutiny in jurisdictions requiring retention limitation disclosures....

View provision → Watch Zillow →

The policy authorizes sharing of contact information and inquiry details with real estate professionals when users initiate or receive contact through the platform, characterizing this as consent-based sharing....

Why it matters: This provision establishes a consent-based data sharing mechanism with real estate professionals that is operationally central to Zillow's business model and relevant to users' expectations about who receives their contact and transaction inquiry information....

View provision → Watch Zillow →

Uber disclaims responsibility for third-party services and content accessible through its platform, noting that separate terms and privacy policies apply to those third-party services. Uber explicitly disclaims endorsement of and liability for third-party products or services....

Why it matters: This provision establishes that Uber's contractual obligations and liability do not extend to third-party services integrated into or accessible through the platform. Users accessing third-party services through Uber are subject to those providers' separate terms and privacy policies, which Uber does not control or guarantee....

View provision → Watch Uber →

The document discloses that OpenAI has obtained SOC 2 Type 2 certification, indicating that its security controls have been independently audited against the AICPA Trust Services Criteria for security, availability, and related categories....

Why it matters: SOC 2 Type 2 certification is a commonly required vendor security assurance standard in enterprise procurement and is relevant to due diligence under GDPR Article 32 (appropriate technical and organizational measures) and HIPAA security rule requirements. Enterprise customers may request OpenAI's SOC 2 report as part of their vendor risk assessment....

View provision → Watch OpenAI →

The policy states that personal information is retained for as long as necessary to provide services, meet legal obligations, resolve disputes, and enforce agreements, and that data will be deleted or anonymized when no longer needed....

Why it matters: The retention standard stated in this provision is broadly defined by reference to service necessity, legal obligations, dispute resolution, and agreement enforcement, without specifying maximum retention periods for particular data categories, which may create compliance ambiguity under regulations that impose specific retention period requirements or data minimization obligations....

View provision → Watch Acorns →

The policy authorizes use of personal information for service delivery, communications about promotional offers, personalization of user experience, and internal research and analytics....

Why it matters: The authorization to use personal information for promotional communications and personalization, in the context of a financial services platform, engages both GLBA's marketing restrictions and CCPA's provisions on using data for targeted advertising, and may interact with CAN-SPAM and TCPA requirements depending on the communication channel used....

View provision → Watch Acorns →

The agreement prohibits using GitHub's systems to send spam, conduct excessive automated bulk activity, relay unsolicited advertising, or operate get-rich-quick solicitation schemes....

Why it matters: This provision restricts automated and bulk communications activity through GitHub infrastructure, which is relevant for organizations using GitHub Actions, bots, or API integrations for high-volume operations that may approach the threshold of prohibited bulk activity....

View provision → Watch GitHub →

The Privacy SDK is configured with a consent agreement timeout of 365 days (1000 * 60 * 60 * 24 * 365 milliseconds), meaning recorded consent preferences are retained and applied for up to one year before the consent mechanism is re-triggered. Cookie clearing is enabled (enableClearCookie: true) while storage clearing is disabled (enableClearStorage: false)....

Why it matters: The 365-day consent timeout determines how long previously recorded consent states govern advertising and analytics tracking activity without requiring renewed user interaction. This configuration parameter has compliance significance in jurisdictions that impose requirements on the duration or renewal frequency of consent records....

View provision → Watch Shein →

The Privacy SDK is configured to intercept document cookie operations (disableInterceptDocumentCookie: false), enable cookie clearing upon consent events (enableClearCookie: true), but disable local storage clearing (enableClearStorage: false) and disable storage list interception (enableInterceptStorageList: false). The cookie clearing API endpoint is configured at /bff-api/user-api/cookie_banner/remove_cookies....

Why it matters: This provision establishes the technical scope of the consent management layer governing which storage mechanisms are subject to clearing and interception upon consent withdrawal or modification. The decision to intercept document cookies but not localStorage has operational implications for how thoroughly user identifiers are removed upon opt-out or consent changes....

View provision → Watch Shein →

The agreement establishes mutual confidentiality obligations requiring each party to protect the other's confidential information with at least reasonable care, use it only for purposes of performing under the agreement, and not disclose it to third parties without written consent....

Why it matters: This provision establishes a mutual confidentiality framework covering information exchanged between W&B and its customers, including customer-submitted technical configurations, model architectures, and business information. The reasonable care standard and the mutual structure are consistent with standard commercial SaaS practice....

View provision → Watch Weights & Biases →

The agreement prohibits customers from reselling or sublicensing the platform, reverse engineering it, building competitive products using it, submitting unlawful content, violating third-party privacy rights through the platform, transmitting malicious code, or attempting unauthorized access....

Why it matters: This provision establishes the contractual boundaries for permitted platform use and identifies conduct that may result in termination or liability. The prohibition on building competitive products using the services is operationally relevant for organizations that may develop AI tooling adjacent to W&B's platform capabilities....

View provision → Watch Weights & Biases →

The agreement designates California law as governing and San Francisco County courts as the exclusive venue for disputes not subject to arbitration, without regard to conflict of laws rules....

Why it matters: This provision establishes California law as the governing framework for interpreting the agreement and designates San Francisco County as the exclusive venue for any non-arbitrated proceedings, which may create logistical and cost considerations for customers located outside California....

View provision → Watch Weights & Biases →

The terms state that fine-tuning datasets and custom models created by customers using Bedrock's fine-tuning capabilities remain customer content and are not used by AWS to train models made available to other customers. AWS treats these assets as customer content subject to the standard AWS Customer Agreement content provisions....

Why it matters: This provision establishes data isolation protections for customers who invest in fine-tuning foundation models with proprietary datasets through Bedrock; it is operationally significant for organizations that use proprietary training data that may constitute trade secrets or competitively sensitive information....

View provision → Watch AWS Bedrock →

The document states that OpenAI maintains SOC 2 Type 2 certification and applies encryption to customer data both at rest and in transit for enterprise and API service tiers....

Why it matters: This provision discloses the security assurance framework applicable to enterprise data, which is a standard due diligence reference point for vendor security assessments and regulatory compliance programs requiring documented technical safeguards....

View provision → Watch OpenAI →

The site's consent management code checks for the Global Privacy Control browser signal and, if detected, executes OneTrust's RejectAll function, declining all non-essential cookie categories for that user....

Why it matters: This provision documents that SoFi's implementation recognizes the GPC signal as an opt-out instruction for unauthenticated users on public-facing pages, which is consistent with California Attorney General guidance on CCPA compliance for GPC signals....

View provision → Watch SoFi →

SoFi structures its privacy disclosures as a hub page linking to product-specific privacy policies covering distinct product lines including banking, lending, investing, insurance, and other services, rather than a single unified policy document....

Why it matters: The hub-and-spoke policy structure means that the applicable privacy terms for any given user depend on which SoFi products they use, and users of multiple products are subject to multiple overlapping policy documents with potentially different data collection, sharing, and retention terms....

View provision → Watch SoFi →

The policy describes OpenSea's data retention practices, stating that personal data is retained for as long as necessary to fulfill the purposes for which it was collected, including legal, accounting, and reporting requirements....

Why it matters: This provision establishes the framework under which OpenSea holds user data after account closure or inactivity, with retention periods tied to legal obligations and business purposes rather than fixed timeframes, which affects the practical scope of deletion requests....

View provision → Watch OpenSea →

The policy states that OpenSea's services are not directed to children under the age of 18 (or the applicable age of majority) and that OpenSea does not knowingly collect personal information from minors....

Why it matters: This provision establishes the age restriction applicable to the platform and the policy's scope with respect to minors, engaging COPPA obligations for users under 13 in the United States and analogous requirements under GDPR for users in the EEA....

View provision → Watch OpenSea →

The agreement is governed by Utah law regardless of where the user is located, and any non-arbitrated disputes are subject to Utah courts....

Why it matters: This provision establishes Utah law as the governing framework for all disputes arising under the agreement, which may affect the consumer protections available to users in other states or countries where stronger consumer protection laws apply....

View provision → Watch Ancestry →

The policy states that Google does not share personal information with external parties except with user consent, for processing by trusted partners under confidentiality obligations, for legal compliance, or for safety purposes....

Why it matters: This provision defines the operational boundaries of external data sharing, including sharing with domain administrators (relevant to Google Workspace users) and partners engaged for processing; the stated restrictions are subject to the listed exceptions, which include broad legal and safety grounds....

View provision → Watch YouTube Ads →

The policy states that users may export a copy of their Google Account content and request deletion of their Google Account and associated data, with the caveat that some data may be retained for legal or operational purposes....

Why it matters: This provision establishes the operational mechanisms for data portability and erasure rights, which are required under GDPR and CCPA/CPRA; the availability of Google Takeout for data export and account deletion through Google Account settings are the primary operational tools disclosed....

View provision → Watch YouTube Ads →

The policy states that Uber shares rider and order recipient personal data including name, pickup location, delivery address, and order details with drivers, delivery personnel, restaurants, and merchants as operationally necessary to fulfill requested services....

Why it matters: This provision identifies the operational data-sharing structure under which personal data including home or work addresses, order preferences, and identity information passes from Uber to independent contractor drivers and third-party merchant partners who operate outside Uber's direct employment or data governance structure....

View provision → Watch Uber →

The policy states that users can submit requests to access, correct, delete, or receive a portable copy of their personal data through the Uber app or privacy.uber.com, with Uber committing to respond consistent with applicable law in the user's jurisdiction....

Why it matters: This provision establishes the operational mechanism through which users in GDPR, CCPA, CPRA, and other privacy law jurisdictions can exercise statutory data subject rights, with the scope of rights honored dependent on the user's jurisdiction and applicable legal framework....

View provision → Watch Uber →

The terms assign responsibilities to account holders for activity conducted under their accounts, including security obligations and compliance with platform rules. Specific account responsibility provisions are contained in the full document....

Why it matters: Account responsibility provisions establish the user's contractual liability for all activity conducted under their credentials, which is operationally significant for organizations with multiple users sharing a RunPod account....

View provision → Watch RunPod →

The policy states that users have GDPR data subject rights including access, rectification, erasure, restriction, portability, and objection, as well as the right to lodge a complaint with a supervisory authority....

Why it matters: This provision enumerates the data subject rights DeepL recognizes and the mechanism through which users may exercise them. The right to lodge a supervisory authority complaint provides a direct regulatory escalation path independent of DeepL's own response....

View provision → Watch DeepL →

The policy states that credit card details, billing addresses, and transaction history are collected at the point of purchase and processed by PCI DSS-compliant third-party payment service providers....

Why it matters: This provision discloses that payment card data is handled by external payment processors operating under PCI DSS compliance standards, rather than being stored directly by DeepL. The specific payment service providers are not named in this excerpt....

View provision → Watch DeepL →

The document permits users to monetize video content featuring Minecraft gameplay through advertising and streaming platforms such as YouTube and Twitch....

Why it matters: This provision establishes an explicit authorization for video monetization using Minecraft gameplay, which is operationally significant for the large population of content creators whose revenue depends on this permission. Under this clause, ad-enabled YouTube videos and Twitch streams featuring Minecraft are within permitted use....

View provision → Watch Minecraft →

Visual Website Optimizer (VWO account 1176295) is deployed on twilio.com for A/B testing and behavioral optimization, with a conditional consent handler that reads TrustArc consent category '2' from localStorage to determine whether to initialize VWO with full tracking, limited tracking, or opt-out status....

Why it matters: This provision establishes VWO as an active behavioral tracking and experimentation tool on twilio.com. The consent handler reads a specific TrustArc consent key from localStorage and maps it to VWO initialization states (1=allowed, 2=no consent data found, 3=denied), indicating a consent-conditional loading mechanism for this specific tool....

View provision → Watch Twilio →

The notice provides a Japanese-language version of the privacy notice at a separate URL (twilio.com/ja-jp/legal/privacy) and includes hreflang metadata indicating the notice is available in English (en-us) and Japanese (ja-jp), suggesting Twilio has provided localized privacy disclosures for at least two jurisdictions....

Why it matters: The availability of region-specific privacy notice versions indicates Twilio has structured its privacy disclosures to address jurisdictional variation, which is relevant for assessing the adequacy of disclosures to users in different markets, including Japan (Act on the Protection of Personal Information) and US/EU markets....

View provision → Watch Twilio →

The policy discloses that Amplitude uses cookies, pixel tags, web beacons, and similar technologies to collect IP addresses, browser type, operating system, referring URLs, pages visited, and visit timestamps on its website for analytics, advertising, and personalization purposes....

Why it matters: This provision establishes the technical mechanisms through which Amplitude collects behavioral and device data from website visitors and authorizes their use for advertising and personalization, which engages cookie consent requirements under EU and UK law and opt-out rights under CCPA/CPRA....

View provision → Watch Amplitude →

The policy states that personal information is retained for the duration necessary to provide services, meet legal obligations, resolve disputes, and enforce agreements, after which it will be deleted or anonymized....

Why it matters: This provision establishes Amplitude's data retention framework but does not specify retention periods for particular categories of data, which may be relevant to GDPR Article 5(1)(e)'s storage limitation principle and to CCPA/CPRA's data minimization requirements....

View provision → Watch Amplitude →

The policy authorizes sharing of personal information with third-party service providers performing hosting, analytics, payment processing, email delivery, marketing, advertising, customer service, and data enrichment functions, subject to a stated limitation that such providers use data only as necessary for those services....

Why it matters: This provision establishes Amplitude's sub-processor and vendor data sharing framework and the contractual limitation imposed on third-party service providers. The inclusion of data enrichment services as a permitted category may create downstream data use considerations relevant to GDPR's purpose limitation principle and CCPA's service provider requirements....

View provision → Watch Amplitude →

The agreement designates New York law as the governing law for disputes and requires non-arbitration legal proceedings to be brought exclusively in New York federal or state courts....

Why it matters: This provision requires that any court proceedings not resolved through arbitration be brought in New York courts under New York law, which may impose geographic and legal burden on users outside New York who seek judicial resolution of disputes....

View provision → Watch Teachable →

The agreement requires account holders to be at least 18 years old, or the legal age of majority in their jurisdiction, and restricts platform access to individuals meeting this age threshold....

Why it matters: This provision establishes a minimum age threshold for account creation that applies globally, with a jurisdiction-specific alternative referencing local age of majority, which affects eligibility and creates an age verification obligation at account signup....

View provision → Watch Kajabi →

The agreement incorporates the AUP, Privacy Notice, and any other applicable policies by reference, and states that new features and tools will automatically fall under the Terms without requiring a separate agreement. The current version of the Terms is maintained at a specified URL....

Why it matters: This provision establishes that the contractual framework is defined by a set of external documents that may be updated over time, and that new platform features are automatically governed by the existing Terms, which means the scope of the agreement can expand as the platform evolves....

View provision → Watch Kajabi →

The agreement designates Illinois law as the governing law and Cook County, Illinois courts as the exclusive venue for disputes arising under the terms....

Why it matters: The governing law and exclusive venue provisions require disputes to be litigated under Illinois law in Cook County courts, which may create logistical and financial barriers for customers located outside Illinois who seek to bring claims against ActiveCampaign....

View provision → Watch ActiveCampaign →

The terms designate Massachusetts law as the governing law and Massachusetts courts as the forum for disputes arising under the agreement....

Why it matters: This provision establishes that disputes are governed by Massachusetts law and adjudicated in Massachusetts courts, which may require users located outside Massachusetts, including international users, to litigate in that jurisdiction....

View provision → Watch Klaviyo →

The policy prohibits using the platform to transmit content that promotes illegal activities, incites violence, constitutes hate speech, or discriminates against individuals or groups based on enumerated protected characteristics....

Why it matters: This provision establishes content-based access conditions that operate independently of any legal compliance standard, giving Klaviyo contractual authority to suspend accounts based on content determinations that may not themselves be unlawful in all jurisdictions....

View provision → Watch Klaviyo →

The policy prohibits using Klaviyo's platform to disrupt platform infrastructure, transmit malicious code, or attempt unauthorized access to any platform component....

Why it matters: This provision establishes standard platform security conditions and creates contractual grounds for account termination in the event of security-related misuse, independent of any criminal liability that may arise under applicable computer fraud statutes....

View provision → Watch Klaviyo →

Mailchimp reserves the right to modify the Terms of Use unilaterally, with changes becoming effective no sooner than fourteen days after posting notice, except for changes addressing new functions or legal requirements, which take effect immediately....

Why it matters: This provision permits Mailchimp to alter the contractual terms governing platform access on fourteen days' notice for standard changes and with no advance notice for legally required or functional changes, which may affect ongoing business obligations built around current terms....

View provision → Watch Mailchimp →

The Terms are governed by Georgia law, and non-arbitrable disputes are subject to the exclusive jurisdiction of federal and state courts in Atlanta, Georgia....

Why it matters: This provision designates Georgia courts as the exclusive venue for non-arbitrable disputes, which may require users outside Georgia to litigate in a distant forum and limits the applicability of more consumer-protective state laws that might otherwise apply to users in their home jurisdictions....

View provision → Watch Mailchimp →

The policy authorizes Mailchimp to report suspected illegal activity by account holders to law enforcement, regulators, or other third parties at its discretion....

Why it matters: This provision establishes that Mailchimp may proactively disclose account activity to regulatory or law enforcement bodies without a specified prior notice requirement to the account holder. Under this clause, platform use that Mailchimp determines may violate applicable law could result in referral to external authorities....

View provision → Watch Mailchimp →

The agreement requires associates to use Amazon-formatted Special Links containing their Associate tag for all product referrals; transactions referred through non-compliant links are not eligible for advertising fee credit....

Why it matters: This provision establishes that advertising fee eligibility is contingent on technical compliance with Amazon's link formatting requirements; associates who use shortened, redirected, or non-standard links risk forfeiting commission credit on transactions that would otherwise qualify....

View provision → Watch Amazon Associates →

The agreement grants associates a limited, revocable, non-exclusive, non-transferable license to use Amazon's trademarks and branding solely in connection with their participation in the Associates Program, subject to Amazon's trademark usage guidelines and revocable at any time....

Why it matters: This provision establishes that the license to use Amazon's marks is revocable at any time and non-transferable, meaning associates may not sublicense or transfer their use rights, and any breach of trademark usage guidelines may result in license revocation independent of other account remedies....

View provision → Watch Amazon Associates →

The policy requires that advertiser landing pages and destination URLs be functional, consistent with ad creative content, legally compliant, free of malware, and accessible in all targeted regions....

Why it matters: This provision extends Snap's compliance requirements beyond the ad creative itself to the destination user experience, meaning advertisers must audit and maintain their landing pages as a condition of continued ad delivery....

View provision → Watch Snapchat Ads →

The policy requires advertisers to represent that they have obtained all necessary rights and licenses for all creative content included in their ads, including trademarks, music, images, and third-party materials....

Why it matters: This provision places a contractual warranty obligation on advertisers regarding IP clearance, meaning that Snap may hold advertisers contractually responsible for intellectual property claims arising from ad content, in addition to any direct third-party claims....

View provision → Watch Snapchat Ads →

The policy states that Microsoft may update its advertising policies at any time and that advertisers bear ongoing responsibility for monitoring and complying with current policy requirements....

Why it matters: This provision places a continuous compliance monitoring obligation on advertisers without specifying a notice period or advance warning mechanism for policy changes, meaning existing campaigns may become non-compliant following a policy update without any direct notification to the advertiser....

View provision → Watch Microsoft Advertising →

The AdSense terms grant Google a non-exclusive license to crawl, cache, index, and display publisher content and properties for the purpose of serving ads, optimizing ad placement, and operating the AdSense service. This license is limited to the purposes of ad serving and program operation....

Why it matters: This provision establishes the intellectual property basis on which Google accesses and processes publisher content to operate the AdSense service. The license scope is tied to AdSense program operation, and publishers retain underlying ownership of their content....

View provision → Watch Google Ads →

This provision grants advertisers the right to conduct or commission audits of Google's processing of advertiser personal data, subject to reasonable prior notice and scheduling during normal business hours....

Why it matters: This clause satisfies the GDPR Article 28(3)(h) requirement that processor agreements include an audit right. The practical scope and logistics of exercising this right against a large cloud and advertising infrastructure provider may be operationally complex, and advertisers typically rely on third-party audit certifications such as ISO 27001 or SOC 2 reports as a practical substitute....

View provision → Watch Google Ads →

This provision requires Google, at the advertiser's election, to delete or return all advertiser personal data upon termination of the relevant Google Ads services, unless applicable law requires Google to retain the data....

Why it matters: This clause governs the disposition of advertiser personal data at the end of the service relationship, implementing the GDPR Article 28(3)(g) requirement. Advertisers should understand the procedures for exercising this right and confirm what data categories are covered, including data stored in Google's ad serving and reporting infrastructure....

View provision → Watch Google Ads →