-
OpenAI
· OpenAI Data Processing Addendum
OpenAI commits that its staff and others who access API customer personal data are bound by confidentiality obligations, either by contract or by law....
Why it matters: This provision implements a standard GDPR Article 28(3)(b) requirement and provides operators with a contractual assurance that internal access to their data is subject to confidentiality controls. It does not specify the scope of access logging or auditing....
-
OpenAI
· OpenAI Data Processing Addendum
Business customers have the right to audit OpenAI's compliance with this DPA, either directly or through a third-party auditor, as long as they give reasonable notice and keep findings confidential....
Why it matters: This provision grants operators an audit right, which is required under GDPR Article 28(3)(h). The practical value of this right depends on what 'reasonable notice' means and whether OpenAI's standard practice is to provide documentation rather than physical inspections, which is common among large cloud providers....
-
Hugging Face
· Hugging Face Content Policy
EU users who are unsatisfied with Hugging Face's internal complaint response have the right under the Digital Services Act to bring their dispute to a certified external dispute settlement body, and Hugging Face has committed to participating in that process....
Why it matters: This provision establishes a specific dispute resolution pathway for EU users that is independent of Hugging Face's internal moderation team, providing an additional avenue to contest content moderation or account decisions beyond emailing legal@huggingface.co....
-
Hugging Face
· Hugging Face Content Policy
Hugging Face states that its platform does not use personalized algorithmic recommendations; content is displayed in chronological order and trending content is ranked solely by recent likes rather than by behavioral profiling....
Why it matters: This disclosure is operationally relevant to users and regulators because it describes the absence of algorithmic content ranking or behavioral profiling in content display, which is a notable characteristic of the platform's design relative to social-media-style recommendation systems....
-
Midjourney
· Midjourney Community Guidelines
Midjourney can remove you from its community spaces, such as Discord, independently of cancelling your subscription or product access, meaning you could lose community access while retaining a paid subscription....
Why it matters: This provision establishes that community participation and product use are treated as separable entitlements, which has implications for users whose primary engagement with Midjourney occurs through community channels....
-
Midjourney
· Midjourney Community Guidelines
Users are prohibited from using Midjourney to research or expose other people's private information, and cannot upload content that contains others' personal or private data....
Why it matters: This provision places affirmative obligations on users regarding third-party personal data, which aligns with broader privacy law obligations and creates a conduct basis for account enforcement if violated....
-
Anthropic
· Anthropic Commercial Terms
Anthropic can use your company name and logo in its marketing unless you opt out using the provided form. You are also asked to consider (but not required to accept) providing quotes or participating in joint marketing....
Why it matters: The agreement authorizes Anthropic to use the Customer's name and logo for marketing purposes by default; customers who do not wish to be publicly identified as API users must actively submit an opt-out request....
-
Mistral AI
· Mistral AI Commercial Terms
You cannot use AI-generated images from Mistral AI to train a competing image generation product....
Why it matters: This restriction limits how commercial customers can use image outputs, specifically prohibiting competitive use for AI training, which may affect AI developers or startups building image generation capabilities....
-
Cohere
· Cohere Enterprise Data Commitments
Cohere states that it holds security certifications such as SOC 2 and follows industry-standard security practices to protect enterprise customer data....
Why it matters: Security certifications provide independent third-party validation that a vendor's data security practices meet defined standards. For enterprise customers, particularly in regulated industries, verifying these certifications is a standard component of vendor due diligence....
-
GitHub
· GitHub Copilot Business Privacy Statement
GitHub Copilot holds a SOC 2 certification, which means an independent auditor has evaluated its security, availability, and related controls. Enterprises can request the full SOC 2 Type 2 report through this page....
Why it matters: The SOC 2 Type 2 report provides enterprise customers with independent third-party evidence of GitHub Copilot's security controls over a defined audit period, which is commonly required by procurement and legal teams during vendor assessments....
-
GitHub
· GitHub Copilot Business Privacy Statement
GitHub Copilot holds an ISO 27001:2013 certification, meaning an accredited body has verified that GitHub maintains an information security management system meeting this international standard....
Why it matters: ISO 27001 certification is a commonly referenced baseline for information security vendor assessments and may be required by enterprise procurement policies or contractual obligations with customers in regulated industries....
-
GitHub
· GitHub Copilot Business Privacy Statement
GitHub Copilot holds a CSA STAR Level 2 certification, which is a cloud security certification that includes an independent third-party assessment against the Cloud Security Alliance's Cloud Controls Matrix....
Why it matters: CSA STAR Level 2 certification provides cloud-specific security assurance that is frequently referenced in enterprise cloud procurement policies and may satisfy cloud security requirements in data protection agreements and customer contracts....
-
GitHub
· GitHub Copilot Business Privacy Statement
Certain audit documents including SOC bridge letters are available only to users who request access through the Trust Center, indicated by a lock icon on the document listing....
Why it matters: The access-restricted nature of bridge letters and detailed audit reports means enterprise customers must submit a formal access request before reviewing documents that may be critical to their compliance assessment timelines....
-
GitHub
· GitHub Copilot Business Privacy Statement
GitHub Copilot holds a TISAX certification, which is an information security assessment standard used in the automotive industry to evaluate suppliers and service providers....
Why it matters: TISAX certification indicates that GitHub Copilot has been assessed against the VDA ISA (Verband der Automobilindustrie Information Security Assessment) standard, which is required by many automotive manufacturers for their supply chain technology vendors....
-
DeepSeek
· DeepSeek Open Source License
This license does not give you the right to use DeepSeek's trademarks or brand name, except as minimally necessary to describe or distribute the model as required by the attribution provisions....
Why it matters: The agreement simultaneously requires the use of 'DeepSeek-V3' in derivative model names and limits trademark use, creating a tension between the attribution requirements and the trademark restriction that licensees must navigate carefully....
-
Cohere
· Cohere SaaS Agreement
Cohere gives you a limited right to use its AI services for your own internal business needs, but you cannot transfer, resell, or sublicense that access to others....
Why it matters: The license is explicitly scoped to internal business use only, which means customers building downstream products or reselling API access to end users may require separate contractual authorization from Cohere....
-
Perplexity AI
· Perplexity Data Processing Addendum
When the business customer stops using Perplexity AI's services, the DPA typically requires Perplexity AI to delete or return personal data processed under the agreement, at the customer's choice, within a specified timeframe....
Why it matters: The deletion or return obligation ensures that personal data does not remain with Perplexity AI indefinitely after a contract ends. The scope of what is deleted, the timeline, and whether any exceptions exist (such as legal retention requirements) are material to assessing data governance risk....
-
Mistral AI
· Mistral AI Data Processing Addendum
When the service ends, Mistral AI will delete or return your personal data. After 30 days from termination, the data will no longer be accessible....
Why it matters: The 30-day post-termination accessibility window defines a hard cutoff after which data retrieval or portability may not be possible, which customers must account for in their own data retention and business continuity planning. The provision defers to Mistral AI's internal deletion policies and procedures rather than specifying a deletion standard, which may limit customer visibility into the actual deletion process....
-
Whatnot
· Whatnot Privacy Policy
Whatnot keeps your personal data for as long as it needs to, which could include indefinitely for legal or fraud-related reasons, without specifying fixed retention periods....
Why it matters: The absence of specific retention periods means your personal data, including purchase history and financial information, may be held indefinitely under broad business or legal justifications....
-
Whatnot
· Whatnot Privacy Policy
California residents have a set of legal rights over their personal data held by Whatnot, including the right to access, delete, correct, and opt out of data sharing, and can exercise these rights by contacting Whatnot directly....
Why it matters: These rights give California users meaningful control over how Whatnot uses their personal data, including the ability to stop data sharing for advertising purposes and to have their data deleted....
-
Skillshare
· Skillshare Privacy Policy
Skillshare keeps your personal data for as long as your account exists or as long as they need it for legal, financial, or dispute resolution purposes, with no specific maximum time period stated....
Why it matters: The absence of specific retention periods means your data could be retained indefinitely as long as any of the broadly stated purposes apply, including enforcing agreements, which provides limited clarity for users seeking to understand when their data will be deleted....
-
Revolut
· Revolut Terms of Service
Messages sent through Revolut Messenger are end-to-end encrypted, meaning Revolut itself cannot read them. This also means Revolut cannot recover or provide your messages if you lose access to them or need them for a dispute....
Why it matters: While end-to-end encryption protects your message privacy, it also means Revolut cannot assist you if you need to retrieve messages for a dispute or legal purpose, and your messages will be permanently lost if you reinstall the app or change devices....
-
Revolut
· Revolut Terms of Service
You are not allowed to use your Revolut account to make speculative currency trades or to exploit foreign exchange rate discrepancies for profit. The currency exchange feature is intended for personal spending and travel, not currency speculation....
Why it matters: Revolut may suspend or close your account if it determines you are using the currency exchange feature speculatively. Users who exchange large amounts of currency frequently or in patterns that resemble speculative trading may be at risk of account action....
-
Square
· Square Privacy Notice
Square keeps your personal data for as long as it needs to provide services and meet legal requirements, and may retain it longer for regulatory or tax reasons....
Why it matters: Open-ended retention language means your data could be held indefinitely under broad regulatory compliance justifications, limiting the practical effectiveness of deletion requests....
-
Mistral AI
· Mistral AI Privacy Policy
Mistral AI uses part of your IP address to infer your location and tailor AI responses based on where you are. You can turn this off in your account settings....
Why it matters: Your IP address, which can reveal your approximate geographic location, is used to modify the content of AI responses you receive, creating a form of location-based profiling that you may not expect from an AI assistant service....
-
Mistral AI
· Mistral AI Privacy Policy
Mistral AI provides a Data Protection Officer and a dedicated contact form for users who want to exercise their privacy rights, such as accessing, correcting, or deleting their personal data....
Why it matters: You have formal rights over your personal data held by Mistral AI, and the company has designated a DPO as a named point of contact, which is a meaningful accountability mechanism under GDPR....
-
Mistral AI
· Mistral AI Privacy Policy
If you download a Mistral AI model from the Hugging Face platform, Mistral AI collects your Hugging Face username and email address for license enforcement and to send you product communications....
Why it matters: Developers and researchers who download Mistral AI models from Hugging Face should be aware that doing so triggers personal data collection by Mistral AI, even if they have not created a direct Mistral AI account....
-
Disney+
· Disney+ Terms of Use
Content accessed through Disney+, ESPN, and Hulu is licensed to you for personal use only, not sold, and the services reserve broad intellectual property rights over all content and software on the platform....
Why it matters: Subscribers do not own any content they watch or download through Disney+ and cannot copy, distribute, or commercially use any material accessed through the services....
-
Disney+
· Disney+ Terms of Use
Disney+ services are only available in specific countries and territories, and your ability to access content may vary or be restricted based on your geographic location....
Why it matters: If you travel internationally or move to a different country, your Disney+ subscription may not work the same way or at all, and certain content may be unavailable based on licensing restrictions in your location....
-
SoFi
· SoFi Terms of Service
If you post or submit any content to SoFi's platforms, you give SoFi a permanent, worldwide, free license to use that content in almost any way they choose....
Why it matters: Any content you submit, including reviews, feedback, or other user-generated material, can be used by SoFi indefinitely and across any media without additional compensation or permission....
-
SoFi
· SoFi Terms of Service
Any legal disputes with SoFi will be governed by California law, regardless of where you live....
Why it matters: Choosing California law as the governing framework may affect which consumer protections apply to your relationship with SoFi and where legal proceedings would be conducted if arbitration is not required....
-
Uber
· Uber Privacy Notice
When you take an Uber ride or place a food delivery order, Uber shares your name, photo, pickup and dropoff address, and trip details with the driver or merchant fulfilling your request....
Why it matters: Sharing your name, photo, and precise location with drivers and merchants is necessary to complete the service, but it means third parties outside Uber receive personal data that could be retained or misused independently of Uber's policies....
-
Uber
· Uber Privacy Notice
Depending on where you live, you may have the right to see the data Uber holds about you, ask for it to be corrected or deleted, receive a copy you can transfer elsewhere, or object to certain uses of your data....
Why it matters: These rights give consumers meaningful control over their personal data, but their availability depends on jurisdiction, and the qualifier 'to the extent applicable law allows' means not all users have the same rights....
-
Substack
· Substack Privacy Policy
Substack shares user account identifiers including email addresses and usernames with external child safety organizations to help detect and prevent child sexual abuse material online....
Why it matters: This practice, newly disclosed in this policy update, means that identifiers associated with your Substack account may be shared with third-party organizations outside of Substack for a defined safety purpose, without individual user consent or notification....
-
Substack
· Substack Privacy Policy
Substack is certified under the EU-U.S. Data Privacy Framework, which provides a mechanism for legally transferring personal data from Europe to the US, and EU users have access to a free dispute resolution process and ultimately binding arbitration if they have unresolved privacy complaints....
Why it matters: For EU, UK, and Swiss users, DPF certification means Substack is committed to a set of data protection principles that govern how their data is handled in the US, and they have access to a structured dispute resolution process independent of Substack if those principles are violated....
-
Substack
· Substack Privacy Policy
You have rights to access, correct, delete, or transfer your personal data held by Substack depending on where you live, and Substack commits to responding to these requests within one month....
Why it matters: The one-month response commitment, newly added in this policy update, gives users a concrete service level expectation for privacy rights requests, which is aligned with GDPR Article 12 requirements and provides an enforceable benchmark for EU users....
-
Substack
· Substack Privacy Policy
If Substack is sold, merges with another company, or goes bankrupt, your personal information may be transferred to the new owner as part of that transaction....
Why it matters: Your personal data could be transferred to a different company with potentially different privacy practices if Substack undergoes a change of ownership, and the policy does not guarantee notice to users before such a transfer occurs....
-
Target
· Target Terms and Conditions
Legal disputes about these terms are governed by Minnesota law, regardless of where you live in the United States....
Why it matters: Designating Minnesota law as governing means consumers from other states, particularly those with stronger consumer protection laws like California, may find that the choice-of-law clause limits application of those protections, though courts in consumers' home states do not always honor such designations....
-
Tabnine
· Tabnine Terms of Use
Tabnine owns its software and all related intellectual property; users receive only the limited rights expressly stated in the terms and nothing more....
Why it matters: This clause establishes that all intellectual property in the Tabnine platform, including underlying models and software, remains with Tabnine; users should understand that their license to use the service is limited and non-transferable....
-
TaskRabbit
· TaskRabbit Terms of Service
You are given a limited, personal, revocable right to use the Taskrabbit platform and app, subject to the acceptable use policy. You cannot copy, reverse engineer, or redistribute the platform or its content....
Why it matters: The license is revocable, meaning Taskrabbit can terminate your access to the platform, and the acceptable use policy incorporated by reference may contain additional restrictions on how you can use the service....
-
Udemy
· Udemy Privacy Policy
If you live in California, you have a set of legally enforceable rights over your personal data, including the right to see it, delete it, correct it, and stop Udemy from sharing it with advertising partners....
Why it matters: These rights, backed by California law, give California residents meaningful control over their personal data at Udemy and cannot be waived by the privacy policy terms....
-
Udemy
· Udemy Privacy Policy
When you take a course, the instructor can see that you are enrolled, how far you have progressed, your quiz scores, and any questions or forum posts you submit....
Why it matters: Learners may not anticipate that their quiz performance and course participation are visible to the individual instructor, not just Udemy as a platform operator....
-
Webull
· Webull Privacy Policy
If you live in California, you have legal rights to see what data Webull holds about you, ask for it to be deleted, and opt out of any sale of your data, and Webull states it will not penalize you for exercising those rights....
Why it matters: These rights are legally enforceable under California law and give California-based investors meaningful control over their financial and personal data held by Webull....
-
Webull
· Webull Privacy Policy
Webull states it takes reasonable steps to protect your data but does not guarantee any specific security standard or outcome....
Why it matters: The use of 'reasonable measures' without specifying technical standards means the policy does not commit to any particular security framework, which is relevant given the sensitivity of financial and identity data held....
-
Acorns
· Acorns Terms of Service
Users must meet Acorns' eligibility requirements, including being at least 18 years old, to open and maintain an account....
Why it matters: Age and eligibility requirements determine who can legally access Acorns' financial services and are tied to regulatory compliance for brokerage and banking products....
-
Acorns
· Acorns Terms of Service
Acorns sets rules for how users may use the platform, prohibiting misuse, unauthorized access, and certain content, with violations potentially resulting in account suspension....
Why it matters: Violating Acorns' conduct standards, even inadvertently, could result in your account being suspended or terminated, potentially restricting access to your invested funds....
-
Acorns
· Acorns Terms of Service
Acorns retains ownership of its platform, content, and trademarks, and grants users a limited license to access and use the service for personal, non-commercial purposes only....
Why it matters: The intellectual property clause means you cannot copy, reproduce, or commercially use Acorns' platform content, and any content you submit to Acorns may be subject to a license grant back to the company....
-
Mistral AI
· Mistral AI Terms of Service
If you create a shareable link to a conversation, anyone who receives that link can view the conversation, and the link can be passed on further. Mistral AI does not control who ultimately sees it....
Why it matters: Shareable conversation links can spread beyond your intended recipient without any access control, which means sensitive or personal information in a shared conversation could be viewed by unintended parties....
-
Mistral AI
· Mistral AI Terms of Service
Mistral AI can raise subscription prices and will give you at least 30 days' notice before any increase takes effect at your next renewal. If you disagree with the new price, you can cancel before your next billing date....
Why it matters: Price increases are permitted without your affirmative consent, and your only option if you disagree is to cancel. The 30-day notice period gives you time to decide, but does not entitle you to a refund of amounts already paid....
-
PayPal
· PayPal Buyer and Seller Protection
If you file a Significantly Not as Described claim, PayPal may require you to return the item at your own cost, and your refund does not include those return shipping expenses....
Why it matters: For low-value items or bulky goods, the cost of return shipping could reduce or eliminate the net financial benefit of a successful claim....