Found in 122 of 325 platforms tracked (38% adoption) · 135 provisions
Transferring personal data from the EU or UK to the US requires legal safeguards under GDPR; a general consent disclaimer in a privacy policy is not sufficient under EU law, making this clause legall…
A change of ownership could place your genetic data under an entirely different company's privacy policy and business practices, potentially including uses you never consented to when you originally …
Post-Schrems II, SCCs alone are insufficient without a documented Transfer Impact Assessment; failure to maintain compliant transfer mechanisms exposes both Asana and its enterprise customers to GDPR…
Your data as an EU or UK user is sent to the United States, which has different privacy protections — Audible must use legal mechanisms like Standard Contractual Clauses to make this transfer lawful,…
A merger or acquisition could result in your sensitive financial and identity data being controlled by an entirely different company with different privacy standards, and you may have limited ability…
For users in countries with strong privacy laws like the EU, transferring data to the US requires specific legal safeguards, and a general consent-based transfer mechanism may not satisfy GDPR requir…
Your data as an EU or UK user is transferred to the US, which has different privacy protections. The legal mechanism used (SCCs) has been challenged in courts and requires ongoing review to remain va…
Data transferred to China is subject to Chinese law, including national security laws that may require disclosure to Chinese government authorities without the legal protections available under US or…
International data transfers mean your data may be subject to foreign surveillance laws — particularly US surveillance statutes — which is a live legal risk for EU and UK users following the Schrems …
Consent obtained by simply using a service (implicit consent) is not a valid legal basis for international data transfers under GDPR — Groq must rely on Standard Contractual Clauses, adequacy decisio…
Cross-border transfers of EU personal data to the US require specific legal safeguards under GDPR; the policy's acknowledgment of these transfers without specifying the mechanism (Standard Contractua…
Data processed by a Chinese-owned company may be subject to China's National Security Law and the Cybersecurity Law, which can require disclosure to authorities without user notice — a risk not discl…
If you are in the EU or UK, transferring your data to Australia or the US requires Leonardo AI to have specific legal safeguards in place — the policy does not clearly specify what these safeguards a…
EU and UK users' personal data is sent to the United States where legal protections differ from European standards; the SCCs are the primary legal mechanism ensuring this transfer is lawful, but thei…
EU and UK users who log sensitive dietary and health data with MyFitnessPal should know their data leaves the EU/UK and is processed in the US under a legal framework that must meet GDPR adequacy req…
Cross-border data transfers to the US carry legal risk following Schrems II (CJEU Case C-311/18), and the adequacy of SCCs depends on whether supplementary technical measures are in place — a gap in …
EU and UK users' sensitive health data is transferred to the US, which requires specific legal mechanisms under GDPR — without adequate safeguards, this transfer may be unlawful under European data p…
Your most sensitive data — including government IDs, biometric data, and financial records — may be transferred to countries with different privacy standards, and the adequacy of Standard Contractual…
The policy does not explicitly identify the legal mechanism (Standard Contractual Clauses, adequacy decision, or binding corporate rules) used to transfer personal data from the EU to the U.S., which…
Cross-border data transfers from the EU to the US have been repeatedly challenged in court (Schrems I and II), and reliance on Standard Contractual Clauses requires ongoing supplementary safeguards a…
Relying on 'consent by use of service' as the legal basis for international data transfers is legally inadequate under GDPR following the Schrems II ruling, which requires appropriate transfer mechan…
Using 'consent by use' as the legal basis for international data transfers to the US is legally questionable under GDPR — this approach was specifically challenged in Schrems II, and a platform canno…
Your data is transferred to companies in the BVI and Dubai — neither of which has an EU adequacy decision — meaning the protection of your data depends entirely on the enforceability of contractual c…
Once your data is transferred to an exhibitor, it becomes subject to that exhibitor's own privacy practices — which you may not have reviewed — and the exhibitor can contact you directly, meaning you…
Given Webull's corporate structure with China-linked affiliates, international data transfers raise significant concerns about whether your financial and personal data could be accessed by Chinese au…
If you are based in the EU or UK, international transfers of your data require specific legal safeguards that CoreWeave must have in place.
A corporate transaction could result in your personal data — including purchase history, location, and live-stream activity — being transferred to an entirely new company with different privacy pract…
European users' personal data is transferred to US servers and processed under US law, meaning the legal protections on that data change once it leaves the EU — compliance with SCC and DPF obligation…
Cross-border data transfers to countries without EU adequacy decisions must be protected by approved mechanisms; reliance on internal principles alone may not satisfy post-Schrems II legal requiremen…
Cross-border data transfers without adequate safeguards are one of the most heavily enforced areas of EU privacy law; if ADP's BCR are not properly implemented or scoped, your EU data rights may not …
Data transferred to the United States faces ongoing legal uncertainty following the Schrems II ruling, and while Israel has EU adequacy status, US transfers require SCCs supplemented by Transfer Impa…
If you're in the EU or UK, your personal data being transferred to the US requires specific legal safeguards to protect your rights under GDPR, and the Microsoft acquisition creates additional cross-…
This broad consent to international data transfers is particularly significant for EU/EEA and UK users, where GDPR and UK GDPR impose strict conditions on transferring personal data to third countrie…
Post-Schrems II, international data transfers require not just SCCs but also Transfer Impact Assessments — if Adyen has not conducted these, your data may be at risk of government access in destinati…
Cross-border data transfers from the EU to the US require specific legal safeguards under GDPR Chapter V, and the adequacy of these mechanisms is subject to ongoing regulatory and judicial scrutiny f…
The policy's conditional framing — 'when required by law' — means Airtable may not always apply transfer safeguards in jurisdictions without mandatory requirements, which could expose data to less pr…
US data protection laws offer significantly fewer protections than GDPR, and SCCs alone may be insufficient without a Transfer Impact Assessment confirming the US legal environment doesn't undermine …
Claude's expanding agentic capabilities mean it can interact with many third-party services on your behalf, and each of those interactions transfers your data to third parties with potentially very d…
International data transfers are a key compliance risk for EU/UK users — the legal mechanisms used (SCCs) have faced scrutiny, and any transfer to the US requires supplementary safeguards following t…
International data transfers mean your personal data may be subject to the laws and government access regimes of countries other than your own, which is particularly significant for EU users whose da…
International data transfers affect the legal protections that apply to your data, and the adequacy of transfer mechanisms such as Standard Contractual Clauses is subject to ongoing legal and regulat…
International data transfers from the EU/UK to the US carry legal risk, and the adequacy of Standard Contractual Clauses as a transfer mechanism has been contested — EU users should be aware their da…
When your data is transferred to countries with weaker privacy laws, your legal protections may be diminished, and the effectiveness of Standard Contractual Clauses as a safeguard depends on the spec…
The adequacy of SCCs as a transfer mechanism has been challenged post-Schrems II, and users in the EU, UK, Switzerland, and Brazil should be aware their data may be stored and processed in the United…
International data transfers mean your personal information may be processed under legal frameworks that provide different or potentially lower levels of protection than your home country's laws.
This provision attempts to use general 'use of service' as consent to international data transfers, which is not a valid legal basis for GDPR-regulated cross-border transfers from the EU to the US.
European and UK users' sensitive wellness data is being processed in the United States under SCCs, which have faced legal challenges, and users retain the right to request copies of these transfer do…
If you are an EU or UK user, your data leaves the region and the legal protections that apply to it may be weaker once it reaches Australia or the US, even with contractual safeguards in place.
A change of ownership could mean your financial and personal data ends up with a company you have no relationship with, potentially with different data practices or in a different regulatory jurisdic…
International data transfers mean personal financial and identity data may be processed in countries with different privacy laws, and the adequacy of protection depends on the specific mechanisms use…
A data transfer in a business sale could expose your educational and behavioral records to a new entity whose privacy practices you have not agreed to, with limited ability to prevent the transfer.
For EU and UK users, data transfers to the US require legally valid safeguards under GDPR, and the policy's reliance on consent as a transfer mechanism may not satisfy GDPR requirements in all circum…
If you are in the EU, UK, or Switzerland, your data is transferred to the U.S. under Standard Contractual Clauses, a mechanism whose adequacy has been subject to ongoing legal scrutiny, and you may h…
This provision is particularly significant for EU and UK users because transfers of personal data from the EEA and UK to the United States require a lawful transfer mechanism under GDPR and UK GDPR, …
Your data may be processed in jurisdictions with weaker privacy protections, and the adequacy of SCCs as a transfer mechanism is subject to ongoing regulatory scrutiny following the Schrems II ruling.
If you are in the EU/EEA, your data being transferred to the US means it may be subject to US government surveillance programs, and your GDPR rights may be harder to enforce against a US-based compan…
Post-Schrems II, the legal adequacy of SCCs for EU-to-US data transfers is subject to ongoing regulatory scrutiny, and users in the EU/UK have the right to challenge whether appropriate safeguards ar…
For EU users in particular, relying on use of the service as consent to international data transfer may not satisfy GDPR's requirements for a valid transfer mechanism, as consent alone is generally n…
EU and UK users' personal data is transferred to the US, which requires specific legal safeguards under GDPR Chapter V to ensure adequate protection.
EU, UK, and other non-U.S. users should be aware that their data is transferred to a jurisdiction with a different legal framework, and the adequacy of transfer mechanisms is a material compliance co…
EU and UK users have strong data protection rights, but transferring data to the US requires specific legal safeguards — and the policy does not specify which transfer mechanisms (e.g., Standard Cont…
International data transfers from the EU require specific legal safeguards and the adequacy of Standard Contractual Clauses as a transfer mechanism has been the subject of ongoing legal scrutiny, mea…
Following the Schrems II ruling, SCCs alone are not always sufficient without a Transfer Impact Assessment; EU users should be aware their data may be processed in the US under legal mechanisms that …
Data transfers outside the EEA carry privacy risks if the receiving country has weaker legal protections or government access to data; the adequacy of SCCs as a transfer mechanism has been the subjec…
International data transfers can expose your personal information to different legal standards and enforcement regimes, potentially reducing your privacy protections.
For users outside the US, especially in the EU and UK, this clause is significant because data transferred to the US may not receive the same level of legal protection as under GDPR or UK GDPR, and t…
In a corporate transaction, your Disney+ viewing history, payment information, and behavioral profile could be transferred to an entirely different company whose privacy practices you have not agreed…
Cross-border data transfers from the EU to the US have been a major area of regulatory scrutiny; while the EU-US Data Privacy Framework provides a transfer mechanism, its legal adequacy remains subje…
Cross-border data transfers affect EU, UK, Swiss, and Asia-Pacific data subjects whose personal information is moved to the US, and the legal validity of those transfers depends on the continued reco…
Cross-border data transfers from the EU and UK to the US require specific legal mechanisms under GDPR to be lawful, and the policy's disclosure that data is transferred to and processed in the US is …
The EU-U.S. DPF is currently the primary mechanism EA uses to justify transferring European users' personal data to US servers — if the DPF is invalidated (as its predecessors Safe Harbor and Privacy…
If you are in the EU or UK, your personal data is being transferred to the US, which requires specific legal safeguards following the Schrems II ruling — and these safeguards must be current and prop…
EU/EEA users' data transferred to the US must be protected by an adequate transfer mechanism under GDPR; relying on consent as the basis for international transfers may not fully satisfy GDPR require…
The legal mechanisms used to transfer your data internationally have faced legal challenges — if any mechanism is invalidated, your data protections could be weakened until new arrangements are put i…
EU and UK users may have fewer legal protections once their data is processed in the US, and Figma's reliance on consent as a transfer mechanism is not always a valid legal basis under GDPR for routi…
Your personal data — including account information, payment history, and potentially stored prompts — could end up under the control of a company with different privacy practices if Fireworks is acqu…
If you are in the EU, UK, or another jurisdiction with strong data protection laws, transfers to the US require specific legal safeguards that must be in place for the transfer to be lawful.
If you are based in the EU, UK, or other regions with strong privacy laws, your data may be transferred to countries with weaker protections, which increases the risk that your data is accessed by th…
International data transfers expose your personal information to legal systems that may allow government access or offer fewer consumer protections than your home country's laws.
The legal validity of these transfers depends on SCCs being properly executed and supplemented with technical safeguards, following the Schrems II ruling — failure could expose EU users' data to US g…
For EU and UK users, the identity of the data controller and GDPR representative determines which supervisory authority oversees complaints and where legal proceedings can be brought — this designati…
Cross-border data transfers are a key GDPR compliance obligation. If the transfer mechanisms are not properly implemented, data flows to the US could be challenged by regulators or privacy advocates.
For users in the EU, UK, or other jurisdictions with strong data protection laws, transferring data to the US requires specific legal safeguards, and the adequacy of those safeguards has been subject…
Cross-border transfers of personal data from the EEA to the United States require specific legal safeguards under GDPR, and users in the EEA should understand that their data is ultimately processed …
The legal adequacy of cross-border data transfers has been challenged repeatedly (Schrems I and II), and if the EU-U.S. Data Privacy Framework is invalidated again, the lawfulness of your data being …
International data transfers are a high-scrutiny area under GDPR following the Schrems II ruling. The use of SCCs is legally recognized but may require additional technical safeguards depending on th…
Canadian users' data may be subject to U.S. legal process and law enforcement access once transferred to the United States, and the protections available under Canadian law may not apply in full to d…
When your data is transferred from the EU or UK to the US, it must be protected by a legal mechanism such as Standard Contractual Clauses; without this, the transfer may not comply with GDPR.
If you are in the EU, UK, or Switzerland, your personal data is transferred to the US where legal protections may differ from your home country, making the validity of transfer mechanisms important.
Your personal data — including your reading history, payment information, and interest profile — could be transferred to an entirely different company with different privacy practices, with your only…
Data transferred outside the EU/EEA or UK may be subject to different legal protections and government access laws, and the adequacy of SCCs as a transfer mechanism continues to face legal scrutiny p…
For users in the EU, UK, or other jurisdictions with strong data protection laws, international data transfers carry legal significance and Microsoft must rely on approved transfer mechanisms such as…
Relying on user acceptance of a privacy policy as 'consent' for cross-border data transfers does not meet GDPR's standard for valid transfer mechanisms, creating potential legal exposure for EEA user…
Cross-border data transfers to the US carry ongoing legal risk following the Schrems II ruling, and users should be aware their data may be subject to US surveillance laws even when transferred under…
SCCs are currently the primary mechanism for EU-US data transfers following the Schrems II ruling, but their adequacy depends on supplementary measures that companies must implement and maintain — a …
EU and UK users' data, including sensitive neighborhood location data, is transferred to the US where it may be subject to US government surveillance programs, and users should understand that differ…
The policy asserts consent to international data transfer based on use of the service, but under GDPR this type of implied consent is generally insufficient as a transfer mechanism; the policy separa…
Cross-border data transfers remain one of the most actively enforced areas of EU data protection law — SCCs must be accompanied by Transfer Impact Assessments, and US national security law creates on…
International data transfers to countries without equivalent data protection laws create risk that your data may be subject to different legal standards, including potential government access regimes…
EU, UK, and Swiss users' data is transferred internationally, and the adequacy of Standard Contractual Clauses as a safeguard remains an active area of regulatory scrutiny following Schrems II.
EU and UK users are entitled to have their data protected to GDPR standards even when transferred abroad, and this clause creates an obligation on Peloton to implement legally adequate transfer mecha…
For users in the EU, UK, and other jurisdictions with strong data protection laws, transferring personal data to countries without equivalent protections requires specific legal safeguards that the p…
A data transfer in a corporate acquisition means your query history and behavioral profile could end up under the control of an entirely different company with different privacy practices, with notif…
International data transfers carry legal risk if transfer mechanisms are challenged or invalidated, and users should know their data leaves their jurisdiction and the legal protections that apply.
EU, UK, and Swiss users have their data transferred to the US, a jurisdiction that historically has not met the EU's adequacy standard without specific frameworks; the policy's reference to both DPF …
A corporate transaction could result in your data — including code, AI interactions, and account details — being transferred to a new entity with potentially different privacy practices, with no indi…
Your personal data may be processed in countries outside the UK with different levels of data protection, and the adequacy of the safeguards in place determines how well your data is protected intern…
Data transfers to the US require specific legal safeguards under GDPR, and if those mechanisms are not properly implemented, users' data may lack adequate protection under EU standards — a risk highl…
International data transfers from the EU/EEA to the US remain a legally contested area following Schrems II; reliance on SCCs requires Roblox to conduct Transfer Impact Assessments and implement supp…
For EU, UK, and Swiss users, your data crossing borders to the US triggers specific legal protections. Salesforce's use of the DPF and SCCs is meant to provide those protections, but the legal landsc…
EU, UK, and other international users' personal data is transferred to the United States and processed under US law, with GDPR protections maintained only through contractual safeguards that have fac…
EU and UK users' data being transferred to the US means it falls under US surveillance laws (e.g., FISA Section 702), and while SCCs provide a legal transfer mechanism, they do not eliminate the unde…
For users in countries with strong data protection laws (such as the EU), transferring data to the US or other jurisdictions without adequate protections could expose their personal information to re…
For EU and UK users in particular, transferring data outside the EEA or UK requires specific legal safeguards under GDPR, and the adequacy of those safeguards directly affects the legal protection of…
EU, UK, and other international users may have their data transferred to a jurisdiction with weaker legal privacy protections, and the policy places the burden of this risk on the user through consen…
Cross-border data transfers from the EU or UK to countries without an adequacy decision require specific legal safeguards under GDPR and UK GDPR, and the policy's general disclosure does not specify …
This certification is the legal mechanism that allows Valve to transfer EU, UK, and Swiss users' personal data to the United States — without it, those transfers could be unlawful under GDPR, potenti…
In a sale or bankruptcy scenario, your personal data — including your name, email, payment history, and message contents — could be acquired by an unknown third party whose privacy practices may diff…
For EU, UK, and Swiss users, transferring personal data to the US requires specific legal mechanisms under GDPR, and Supabase's acknowledgment that US protections may be weaker is a significant discl…
International transfers of EU/UK personal data carry ongoing legal risk following Schrems II, and SCCs must be accompanied by a Transfer Impact Assessment — gaps in this documentation can result in r…
International data transfers are a significant privacy risk, particularly for EU and UK users, because data moved to countries without equivalent protections may be subject to foreign government acce…
EU and UK advertisers' data being processed in Singapore requires a valid cross-border transfer mechanism under GDPR Chapter V (adequacy decision, SCCs, or BCRs) — Singapore does not currently have a…
Your personal data may be processed in countries with weaker privacy laws than the EU or UK, and the adequacy of the protections applied to those transfers can affect your rights in practice.
For EU and UK users, cross-border data transfers require specific legal protections — if these safeguards are not properly implemented, your data may be exposed to foreign government access or inadeq…
Standard Contractual Clauses require supplementary technical and organizational safeguards post-Schrems II — if Unity has not conducted Transfer Impact Assessments, EU/UK user data may be transferred…
EU, UK, and other non-US users' data is transferred to the United States where data protection standards differ from those in the EU, and Epic relies on Standard Contractual Clauses and other transfe…
A new company acquiring Upwork could have very different privacy practices, and you would have limited ability to prevent your sensitive data from being transferred to and used by that new entity.
Post-Schrems II, SCCs alone may not be sufficient without a Transfer Impact Assessment, and any future legal challenge to EU-US data transfers could disrupt Vercel's services or expose EU users' data…
International data transfers from the EU/UK to the U.S. carry regulatory scrutiny, and SCCs alone may not fully protect consumer data if U.S. surveillance laws allow government access — a concern hig…
For users in the EU, UK, and other jurisdictions with strong data protection laws, this transfer must be covered by a lawful mechanism such as Standard Contractual Clauses, and the policy does not sp…
EU and UK users' personal data — including AI prompts and outputs — is transferred to the US, where it may be subject to US government surveillance laws that do not offer equivalent EU-level protecti…
International data transfers mean your personal information may be subject to legal frameworks offering different levels of protection than your home country, particularly relevant for EU users whose…
Data transferred to the US or other countries may be accessible to foreign governments or law enforcement under laws like FISA, and contractual protections (like Standard Contractual Clauses) may not…
Post-Schrems II, SCCs are the primary legal mechanism for EU-to-US data transfers, and their validity depends on Zendesk conducting and documenting Transfer Impact Assessments; failure to do so prope…
If Twitch is acquired or merged, your personal data becomes an asset transferred to the new entity, which may operate under different privacy practices than those you originally agreed to.
A cross-border clause is a provision in a platform's terms of service or privacy policy that governs cross-border rights, obligations, or restrictions.
ConductAtlas tracks 122 platforms with cross-border clauses, roughly 38% of platforms in the archive. 29 are classified as high severity.
Severity reflects the magnitude of rights waived, availability of opt-out, breadth of users affected, financial or legal exposure created, and the degree of discretion retained by the platform.