Provisions Index

Strava uses your GPS activity data to contribute to its Global Heatmap, a publicly accessible map showing aggregated movement patterns of all Strava users around the world....

Why it matters: Even though the Heatmap is described as aggregated, individual users' frequent routes can be inferred from it — potentially revealing home addresses, workplaces, and daily routines — as demonstrated by real-world security incidents in 2018....

Strava requires permission to track your device's precise GPS location for core features to function, including activity tracking, routes, and segments....

Why it matters: Granting precise location access to Strava means the app continuously collects your exact movement data — routes, timing, pace — which when aggregated over time creates a detailed record of your physical movements and daily patterns....

Strava commits that health data collected from connected devices like Garmin or Apple Health will not be sold, used for advertising, or disclosed to third parties without your prior consent....

Why it matters: This is a significant consumer protection commitment, but it applies only to health data from connected devices — not all data Strava collects — and the policy still permits use of this health data for AI model training and service improvement....

Strava's Flyby feature lets other users who were near you during an activity see your identity and activity data, unless you opt out in your privacy controls....

Why it matters: By default, Flyby can expose your location and identity to strangers who happened to be near you during an exercise, creating personal safety and stalking risks — particularly for solo runners or cyclists....

Strava uses your health data, GPS location, and activity information — depending on your privacy settings — to develop and run AI and machine learning models that provide personalized training recommendations and other AI-powered features....

Why it matters: The use of sensitive health and location data to train and run AI models introduces risks of opaque automated decision-making, potential processing beyond original purpose, and exposure to sub-processors who may have different data governance standards....

Strava shares your personal information, including activity and location data, with third-party service providers who help run Strava's platform, and with business partners for co-branded events and other purposes....

Why it matters: Data shared with third-party service providers and partners can be used beyond Strava's direct control, potentially for purposes you did not anticipate, and the policy does not provide a complete list of these parties....

Strava provides privacy controls allowing users to set who can see their activities and data, including options for 'Everyone,' 'Followers,' or 'Only Me' — but the policy notes that some features like the Global Heatmap and Flyby use data from activities regardless of these settings unless separatel...

Why it matters: The existence of privacy controls is positive, but the complexity of multiple overlapping settings — including separate opt-outs for Heatmap, Flyby, and other features — means users may believe their data is private when it is still being used in ways they did not intend....

When you delete your Strava account, the policy states that your data will be deleted, but some data may be retained for legal, safety, or business purposes, and aggregated or deidentified data derived from your activities may be retained indefinitely....

Why it matters: Account deletion does not guarantee complete erasure of all data derived from your activities — aggregated and deidentified data (including contributions to the Global Heatmap) may persist even after your account is gone....

Strava uses your location information to determine your country pricing for subscription plans....

Why it matters: Using location data to set subscription prices means your geographic location directly affects what you pay for Strava — and this pricing use is in addition to the activity tracking and fitness purposes for which location is primarily collected....

Once Ledger hands your order to the shipping carrier, the risk of the package being lost, stolen, or damaged transfers to you as the buyer. If something happens to your device in transit, Ledger may not be liable....

Why it matters: This clause means that if your Ledger hardware wallet goes missing or is damaged during delivery, you may have no direct financial recourse against Ledger — you would need to pursue the carrier or your own insurance....

Ledger excludes liability for any losses involving cryptocurrencies or digital assets — including losses resulting from user error, device malfunction, or third-party software — that occur in connection with use of its hardware wallet....

Why it matters: Given that Ledger devices are specifically purchased to secure potentially very high-value cryptocurrency holdings, this exclusion means that if your crypto assets are lost or compromised due to a product defect or failure, you cannot recover those losses from Ledger....

Ledger reserves the right to cancel any order at its discretion, including after payment has been made, for reasons such as suspected fraud, product unavailability, or export restrictions....

Why it matters: This means Ledger can cancel your purchase even after you have paid, which could delay access to a security device you may urgently need, and creates uncertainty about the finality of confirmed orders....

Consumers in the EU have a 14-day right to withdraw from the purchase and return the Ledger device without giving any reason, starting from the day they receive the product....

Why it matters: This is a legally mandated consumer protection right in the EU that gives you a cooling-off period to return your Ledger device for a full refund, even if you have already opened and tested it....

Ledger's sales terms are governed exclusively by French law, and any disputes must be brought before French courts, regardless of where the buyer is located....

Why it matters: If you have a legal dispute with Ledger about your purchase — for example, a refund refused or a defective product — you may be required to pursue it under French law in French courts, which could be costly and impractical for consumers outside France....

By purchasing a Ledger device, the buyer agrees to comply with all applicable export control and sanctions laws, and represents that they are not located in or subject to a sanctioned jurisdiction....

Why it matters: This clause shifts a legal compliance obligation onto the buyer — if you are inadvertently subject to export restrictions you were unaware of, Ledger disclaims responsibility and your order may be cancelled or voided....

Ledger collects and processes your personal data — including name, shipping address, email, and payment details — to process and fulfill your hardware wallet order, and this data may be shared with third-party logistics and payment providers....

Why it matters: Your personal data including home address is shared with shipping and payment partners when you buy a Ledger device, and given Ledger's history of a significant customer data breach in 2020, understanding how your data is handled remains a material privacy consideration....

Ledger provides the statutory warranty required by French and EU law, guaranteeing that the hardware wallet will conform to its description and be fit for purpose for a defined period after purchase....

Why it matters: This warranty ensures that if your Ledger device is defective or does not function as described at the time of purchase, you are entitled to a repair, replacement, or refund — but the warranty terms are limited to what French law mandates and do not provide extended protections....

Microsoft can combine data it collects from different products you use — like Bing searches, Cortana voice queries, and Copilot conversations — to improve its AI systems and personalise your experience across its entire product range....

Why it matters: This means data you generate in one Microsoft product can be used to train AI models or inform decisions in completely separate products, creating a comprehensive profile you may not be aware of....

Windows automatically collects diagnostic data about your device and how you use it — at minimum a 'Required' level for security, and optionally a broader 'Optional' level that includes detailed usage patterns used to improve and personalise Windows....

Why it matters: Even at the minimum 'Required' level, Microsoft collects device identifiers, error logs, and hardware information; the 'Optional' level significantly expands the scope of data collection to include detailed application usage and browsing behaviour within Microsoft apps....

Microsoft shares your search queries, IP address, location, and device identifiers with advertising partners to deliver targeted ads, though it does not share your name or email address directly with those advertisers....

Why it matters: Even without sharing your name, the combination of search queries, location, device identifiers, and IP address shared with advertising partners can enable re-identification and detailed behavioural profiling by those third parties....

Children under 13 need a parent or guardian to give permission before Microsoft collects their data; Microsoft also provides parental controls through Microsoft Family Safety to manage what data is collected about children....

Why it matters: If a child in your household uses Xbox, Minecraft, or a family Microsoft account, their gaming behaviour, location, voice chat, and usage data may be collected, and parents need to actively manage family safety settings to limit this collection....

You have the right to see what personal data Microsoft holds about you, correct inaccuracies, download a copy of your data, and in some circumstances ask Microsoft to delete it — all manageable through the Microsoft Privacy Dashboard....

Why it matters: The Privacy Dashboard gives consumers a practical tool to exercise their data rights, but the scope of what can be deleted is limited — some data essential to service delivery or required by law cannot be erased, meaning full data deletion is not always achievable....

Microsoft transfers personal data from the EU and EEA to other countries, including the US, using Standard Contractual Clauses — a legal mechanism approved by the European Commission to make such transfers lawful....

Why it matters: Following the Schrems II ruling (CJEU 2020), the legal validity of data transfers to the US depends on supplementary measures alongside SCCs; while the EU-US Data Privacy Framework (2023) now provides an alternative adequacy basis, any future invalidation of these mechanisms could disrupt Microsoft'...

When you use voice commands or type queries to Microsoft's AI products like Copilot, Microsoft collects and retains those inputs and uses them to improve its AI models, not just to respond to your immediate request....

Why it matters: Sensitive or personal information shared with Copilot or spoken to Cortana may be retained by Microsoft and used for AI model training, creating privacy risks if confidential or sensitive content is inadvertently included in queries....

Microsoft collects health-related data through products like Microsoft Health, fitness tracking, and health-related search queries, and processes this data under both this Privacy Statement and a separate Consumer Health Data Privacy Policy....

Why it matters: Health data is among the most sensitive categories of personal information, and its collection by a technology company through non-medical products creates risks around re-identification, secondary use, and exposure to law enforcement requests that may not be present with traditional healthcare prov...

Reddit's policy states that content you post on Reddit — including text, images, and other media — may be used to train artificial intelligence and machine learning models. This applies to publicly posted content and potentially to other data Reddit holds about you....

Why it matters: This provision means your creative posts, comments, and contributions to Reddit communities could be used to build commercial AI products without your explicit consent or compensation....

Reddit shares your personal information — including browsing behavior, interests, device data, and demographic inferences — with third-party advertising partners to serve you targeted advertisements both on and off Reddit. This may constitute a 'sale' or 'sharing' of personal data under California l...

Why it matters: Your behavioral data and inferred personal characteristics are being shared with external companies you have no direct relationship with, enabling those companies to build profiles about you for advertising purposes....

Reddit automatically collects extensive data about how you use the platform, including your IP address, device type, browser, operating system, pages visited, links clicked, search terms, and inferred location, even if you do not have an account or are logged out....

Why it matters: Reddit is building a detailed behavioral profile of you through automatic data collection regardless of whether you are a registered user, which means even passive browsing of Reddit generates data that can be used for advertising and other purposes....

Reddit allows users to request deletion of their personal data, including account deletion, but warns that some data may be retained for legal, safety, or legitimate business reasons, and that publicly posted content may remain visible even after account deletion....

Why it matters: Deleting your Reddit account does not guarantee that all your personal data or posted content will be removed — Reddit may retain data for an indefinite period under broad exceptions, and your public posts may persist in archived or cached forms....

Reddit states that its services are not directed to children under the age of 13 and that it does not knowingly collect personal information from children under 13 without parental consent. Users must be at least 13 years old to use Reddit, with higher age requirements in some jurisdictions....

Why it matters: Despite Reddit's age restrictions, the platform hosts a vast range of content communities and has historically faced criticism regarding minor access, meaning parents and guardians should be aware that COPPA protections are only as strong as Reddit's age-verification mechanisms....

Reddit transfers personal data from the EU, UK, and other jurisdictions to the United States and other countries, relying on mechanisms such as Standard Contractual Clauses (SCCs) to legitimize these transfers under applicable law....

Why it matters: When your data is transferred from the EU or UK to the US, it moves to a jurisdiction with different privacy protections, and the adequacy of Reddit's transfer mechanisms is subject to ongoing legal challenges that could affect the lawfulness of processing....

California residents have specific rights under the CCPA/CPRA including the right to know what personal information is collected, the right to delete it, the right to correct it, the right to opt out of the sale or sharing of their personal information, and the right not to be discriminated against ...

Why it matters: As a California resident, you have legally enforceable rights to control your personal data on Reddit that go beyond what other US users receive, including the right to opt out of targeted advertising data sharing with a single click....

Reddit retains certain personal data after you delete your account, including data necessary for legal compliance, fraud prevention, and legitimate business purposes. The duration of retention is not always specified precisely, and some retained data may be used to train AI models....

Why it matters: Closing your Reddit account does not result in immediate or complete deletion of all your personal information — Reddit may hold your data for an unspecified period under broad retention exceptions, which limits the effectiveness of your deletion rights....

If you are a US user and have a dispute with Figma, you must resolve it through binding individual arbitration rather than going to court, and you cannot join or participate in a class action lawsuit against Figma....

Why it matters: This provision removes your right to sue Figma in court and prevents you from joining with other affected users to bring a collective legal claim, which is often the only economically viable way to challenge a large company over small or mid-sized harms....

When you upload designs, files, or other content to Figma, you grant Figma a worldwide, royalty-free license to use, copy, modify, and display that content — including to improve Figma's products and services, which includes AI and machine learning features....

Why it matters: Your design files, which may contain proprietary creative work, client assets, or personal data, could be used by Figma to train or improve its AI systems without additional payment or specific consent beyond agreeing to the ToS....

Figma's maximum financial liability to you for any claim — including data loss, service outages, or misuse of your content — is capped at the total fees you paid in the 12 months before the claim, or $100, whichever is greater....

Why it matters: Even if Figma causes significant harm to your business or creative work — such as permanent data loss of years of design files — you can only recover a very small amount of money, which may bear no relationship to your actual losses....

Figma can suspend or terminate your account and access to all your stored design files at any time, with or without notice, if Figma believes you have violated its terms or for any other reason at its discretion....

Why it matters: Figma can cut off your access to your design work — potentially years of files stored only on their platform — without advance warning, leaving you unable to retrieve your work if the termination is unexpected....

You agree to defend and pay Figma's legal costs and damages if a third party sues Figma because of something you did on the platform, including content you uploaded or shared....

Why it matters: If your use of Figma — such as uploading copyrighted material or client data without authorization — results in a lawsuit against Figma, you are personally responsible for covering Figma's legal defense costs and any resulting damages....

You must be at least 13 years old to use Figma (or 16 years old if you are in the European Economic Area), and Figma does not knowingly collect personal information from children below these thresholds....

Why it matters: Parents and educators should be aware that Figma is not legally available to children under 13 (or 16 in the EU), and any use by minors below these ages violates the ToS and may result in account termination and deletion of the minor's data....

Figma's ToS is governed by California law, and any disputes must be resolved in courts located in San Francisco, California — unless you are required to use arbitration or are an EEA/UK user with different legal protections....

Why it matters: If you have a dispute with Figma that is not subject to arbitration, you must litigate it in California, which is impractical and expensive for most users who live elsewhere....

Figma provides its services 'as is' and 'as available,' meaning it makes no guarantees that the platform will work correctly, be available at all times, or that your stored files will not be lost....

Why it matters: Figma expressly disclaims all warranties, so if the platform experiences an outage, data loss, or security breach, you cannot hold Figma responsible for failing to provide a reliable service — your only recourse is the capped liability provision....

TaskRabbit shares your personal information with third-party companies for advertising purposes, and acknowledges this may qualify as a 'sale' under California law....

Why it matters: Your personal data — including contact information, device identifiers, and browsing behavior — is shared with advertisers, and US users outside California have no explicit opt-in right before this occurs....

TaskRabbit reserves the right to share your personal information with third parties at its sole discretion if it believes there has been 'possible interference with the rights of users' — even without a court order or law enforcement request....

Why it matters: This clause gives TaskRabbit broad, self-determined authority to disclose your personal data to outside parties without your knowledge or consent, going significantly beyond standard legal obligation carve-outs....

TaskRabbit collects background check results for Taskers, which may include criminal violation records, and uses this to determine platform eligibility....

Why it matters: Criminal background data is among the most sensitive categories of personal information, and its collection, retention, and potential disclosure to third parties creates significant risks for Taskers if mishandled....

TaskRabbit participates in the EU-US Data Privacy Framework (DPF), which it uses as the legal basis for transferring EU and UK residents' personal data to US servers....

Why it matters: The DPF is the current post-Schrems II mechanism for EU-US data transfers, but its legal adequacy has been challenged and could be invalidated, which would affect the lawfulness of TaskRabbit's data transfers....

If TaskRabbit is acquired, merged, or sells its assets, your personal information may be shared with and transferred to the new business owner, even during pre-deal negotiations....

Why it matters: Your personal data — including sensitive identity, financial, and background check information — could be transferred to an entirely different company in a deal you have no notice of or control over....

TaskRabbit collects government-issued ID documents such as passports, driver's licenses, and local IDs, as well as social security numbers, tax IDs, and date of birth from users — particularly Taskers....

Why it matters: Collecting government-issued identity documents and social security numbers represents some of the highest-value data for identity theft; a breach involving this data would have severe consequences for affected users....

Users have rights to access the personal information TaskRabbit holds about them, correct inaccuracies, and request deletion — subject to TaskRabbit's ability to verify your identity....

Why it matters: These rights are fundamental consumer protections, but the policy conditions their exercise on identity verification, and TaskRabbit explicitly reserves the right to deny requests if it cannot verify your identity — which can be a practical barrier....

TaskRabbit collects your precise or approximate location data and detailed device information (including IP address, device type, and advertising ID) and relies on 'legitimate interests' rather than consent as the legal basis for this collection for EEA/UK users....

Why it matters: Using legitimate interests rather than consent for location and device data collection means TaskRabbit does not need your permission before collecting this data — though EU/UK users retain the right to object to this processing....

Twilio shares your browsing behavior and device identifiers with third-party vendors including Google Tag Manager, Adobe Launch, Segment, and Visual Website Optimizer for advertising targeting and website analytics purposes....

Why it matters: This data sharing funds Twilio's marketing activities but means your browsing activity on twilio.com is tracked and shared with multiple advertising and analytics companies, potentially building profiles about your interests and behavior....