Found in 284 of 343 platforms tracked (83% adoption) · 3351 provisions
The policy discloses that Research consent, once acted upon and data shared, creates an irreversible commitment; withdrawal from Research stops future sharing but does not remove already-contributed …
This provision defines the permissible scope of sample submission and establishes the account holder's attestation of legal authority over submitted samples. It creates a threshold requirement that r…
The clause establishes the operational mechanism for research data aggregation and clarifies that participation is not permanent or irrevocable, permitting users to withdraw from the research program…
The policy authorizes sharing of genetic data with external research partners, and the practical protection depends entirely on the robustness of the de-identification method used, which the summary …
This provision is particularly significant given that 23andMe has publicly reported financial difficulties; it means your most sensitive personal data, your DNA, could be acquired and controlled by a…
This provision establishes that the employing organization, not ADP, bears the primary data controller obligations for employee data processed through ADP's platforms, creating a structural redirecti…
This provision identifies the specific categories of personal data processed by ADP as a processor, which include payroll, tax, benefits, and HR records, categories that carry heightened sensitivity …
This provision determines who you can hold accountable for your data. For most employees, ADP is not the primary point of contact for data rights, which can make exercising those rights slower or mor…
These are among the most sensitive categories of personal information recognized under privacy law globally. Payroll and HR platforms often require some of this data, but its collection by a single p…
This provision authorizes disclosure of personal information, which may include financial account data, device identifiers, and behavioral data, to advertising partners for targeted advertising purpo…
The Acorns Early product, which includes a debit card and financial learning app for children, involves collection of data about minors. How this data is used, retained, and protected is subject to C…
This provision establishes the scope of sensitive financial and identity data Acorns collects as a condition of platform use, encompassing data categories that are subject to heightened regulatory ob…
This provision allocates the legal and compliance burden for contact list legality, consent documentation, and anti-spam law adherence entirely to the customer, creating direct regulatory exposure fo…
Voice and chat data is among the most sensitive categories of personal information; its collection and retention for moderation and product improvement purposes means your in-game conversations may b…
Given that many Activision games are played by children and teenagers, the adequacy of age verification and parental consent mechanisms has significant legal and safety implications under COPPA in th…
Employees and students using Adobe through an institutional account have no independent privacy protections from their employer or school within that account, including for content created prior to t…
Biometric data like faceprints is sensitive and largely irreplaceable if misused. Users in states like Illinois have strong legal protections for this data that may exceed what this policy describes,…
Biometric data is among the most sensitive personal data categories and is subject to heightened legal protection under GDPR, CCPA, and state laws like Illinois BIPA; its collection for KYC creates s…
The authorization to use credit report data for marketing purposes is broader than many consumers expect and extends for the lifetime of the account, covering a wider range of uses than simple eligib…
Biometric data is among the most sensitive categories of personal information because it is permanent and cannot be changed if compromised; its collection is regulated by specific laws in several US …
This clause operationalizes Amazon's compliance obligations under the Children's Online Privacy Protection Act (COPPA) by establishing a mechanism for parental consent verification and a remedial del…
Voice data is highly sensitive and may be retained indefinitely in Amazon's cloud systems, meaning recordings of conversations in your home can be accessed, reviewed, and used to improve commercial p…
This provision operationalizes Amazon's compliance with the Children's Online Privacy Protection Act (COPPA) by establishing a consent mechanism and parental control structure. It establishes the pro…
Health data is one of the most sensitive categories of personal information and its collection by an airline, including via third-party intermediaries, raises questions about how long it is retained,…
Biometric data is among the most sensitive categories of personal information because it is permanent and cannot be changed if compromised, making the circumstances and scope of its collection partic…
This provision establishes a two-tier consent structure for DNA data: baseline collection required for service delivery and an optional research consent layer governing use and external sharing of ge…
Genetic data is among the most sensitive personal information that exists — it reveals information about your health, ancestry, and biological relatives. Understanding how it is used and shared is cr…
This carve-out means that deletion of your DNA data is not complete erasure — your genetic information may persist in research databases in aggregated form. This has particular significance for users…
This provision asserts a sublicensable and transferable license over genetic information submitted by users, which is among the most sensitive categories of personal data under multiple regulatory fr…
Genetic data is among the most sensitive personal information a person can share, and the layered consent structure, where core terms reference but do not fully replicate the AncestryDNA-specific ter…
The clause establishes a default authorization for secondary use of genetic data beyond the primary service function, with an opt-out mechanism available to users who wish to restrict such use. This …
The provision creates a default data use practice for model training while preserving the company's ability to use flagged or reported content for safety enforcement and AI safety research purposes e…
The provision creates a conditional data usage framework where the opt-out applies to routine training operations but does not extend to feedback submissions or safety-flagged materials. This structu…
This exception creates a carve-out from the opt-out mechanism that allows the entity to retain training rights over flagged or reported content regardless of a user's training opt-out election. The p…
This provision means that even users who opt out of training cannot fully prevent their conversation data from being used in AI model development under certain circumstances, which has implications f…
The explicit reporting commitment to authorities is one of the strongest enforcement commitments in the policy, and the definition of minor as under-18 regardless of local jurisdiction creates a glob…
The provision establishes the scope of permitted data uses and creates a conditional opt-out structure rather than unconditional data use restrictions. The carve-outs ensure training data availabilit…
The provision operationalizes jurisdiction-specific legal obligations while explicitly reserving discretion to deny data subject requests based on lawful criteria. This structures how Anthropic handl…
The provision establishes a tiered consent model where the opt-out right does not apply uniformly—certain categories of user-submitted content (feedback and flagged materials) remain available for mo…
This provision operationalizes Anthropic's compliance obligations under child protection frameworks by establishing specific categorical prohibitions and affirmative safeguard requirements for produc…
This provision conditions App Store approval for health and medical apps on possession of applicable regulatory credentials, and prohibits monetizing HealthKit health data through advertising, provid…
This provision prohibits the data collection and advertising practices in child-directed apps that are most commonly associated with privacy risks to minors, including behavioral advertising identifi…
The provision operationalizes data protection obligations specific to apps marketed to children by establishing categorical restrictions on data sharing practices and third-party integrations. This r…
This provision operationalizes compliance with the Children's Online Privacy Protection Act (COPPA) and establishes App Store review standards for child-directed applications. It restricts the moneti…
These requirements directly affect how apps handle personal data belonging to millions of consumers, and non-compliance can result in app rejection or removal.
The DPA is the primary contractual document establishing Asana's data protection obligations to enterprise customers. Without a signed DPA, an organization may lack the contractual protections requir…
This provision establishes that employees and contractors using Atlassian tools through an enterprise account may need to direct data subject rights requests to their employer rather than directly to…
The clause operationalizes Audible's compliance obligations under the California Consumer Privacy Act (CCPA) by specifying the mechanism through which eligible residents can exercise statutory opt-ou…
Auth0 handles login credentials, authentication tokens, and user identity information for the end users of its customers' applications, making the data processing terms central to GDPR, CCPA, and oth…
This provision means your financial data can reach companies outside the Bank of America corporate family for marketing purposes unless you actively exercise your opt-out right.
The clause establishes the baseline data-sharing practice as permissible sharing with nonaffiliates for marketing, with opt-out as the mechanism through which customers can restrict this activity rat…
This provision is structurally unique: unlike most apps that collect photos you choose to share, BeReal's mechanism captures facial imagery and environmental context simultaneously on a randomised ti…
Precise geolocation is among the most sensitive categories of personal data because it can reveal where you live, work, worship, and socialise; sharing it with third-party partners expands the number…
Without a robust age verification mechanism, the policy's restrictions on minors are difficult to enforce, and the platform's demographic appeal to teenagers creates regulatory exposure under COPPA (…
Age restrictions determine whether minors can legally use the service and what additional protections apply to their data, which is particularly significant given BeReal's popularity among teenagers.
BeReal's core product involves capturing dual-camera photos at random moments, which means the app regularly collects images of your face and surroundings, and the terms govern how that sensitive dat…
The policy discloses that data sharing with advertising partners may constitute a sale or sharing under CCPA/CPRA, which triggers opt-out rights for California residents and creates compliance obliga…
The policy discloses collection of precise geolocation and financial account details, both of which are classified as sensitive personal information under CPRA and trigger additional rights including…
This provision operationalizes statutory opt-out rights under state privacy laws, requiring Best Buy to maintain accessible channels through which residents of covered jurisdictions can affirmatively…
Biometric data such as facial recognition scans or fingerprints is among the most sensitive categories of personal information and is subject to strict state-level legal protections in Illinois, Texa…
The collection of Social Security numbers and government-issued IDs represents a high-risk data category because these identifiers, if exposed in a breach, can enable identity theft and fraud. Users …
Financial account data and transaction records are highly sensitive and subject to specific regulatory protections. This data is retained by Binance.US for regulatory compliance purposes and may be s…
Facial scans and government ID images are among the most sensitive categories of personal data, and while Bluesky states it does not retain this data, the processing occurs through third-party vendor…
The clause establishes the operational framework for age-gated content access and specifies the verification methods available depending on jurisdiction and vendor capability. This provision delineat…
Organizations subject to GDPR, CCPA, or other data protection laws need to ensure they have executed a Data Processing Agreement with Box, as the standard terms alone may not satisfy regulatory requi…
Collection and processing of financial account numbers and credit information in the context of financial services products engages Gramm-Leach-Bliley Act obligations for privacy notices and informat…
This provision creates a CCPA/CPRA opt-out obligation and requires Brex to provide and honor a 'Do Not Sell or Share My Personal Information' mechanism; failure to do so creates enforcement exposure …
The clause establishes that California-specific privacy rights and obligations are documented separately from the general privacy policy, requiring users to consult multiple documents to understand t…
Biometric data is among the most sensitive personal information category under both GDPR and multiple US state laws, and its collection by a consumer dating app creates significant legal exposure and…
Dating app profiles inherently reveal or allow inference of sensitive personal characteristics such as sexual orientation and relationship preferences, which are special categories under GDPR requiri…
Business users who share booking pages publicly are treated as the data controller for all information submitted by meeting invitees, meaning GDPR, CCPA, and other privacy obligations fall on the cus…
Most people assume they only share data with services they have actively signed up for; this provision means Calendly may have your data simply because a colleague or business contact uses the platfo…
The provision establishes Calm's operational practices regarding targeted advertising and specifies the mechanism by which California residents can exercise opt-out rights under state privacy statute…
This provision is significant because it asserts that user-generated content, which may include proprietary business designs, personal photos, or confidential documents, can be used for AI model trai…
The school-as-intermediary model for child data consent is a common but legally sensitive structure under COPPA, and whether it satisfies verifiable parental consent requirements depends on the speci…
The policy states that Cash App may exchange information with credit bureaus, past and present employers, and personal reporting agencies, which creates a bilateral data relationship where informatio…
The clause creates a consolidated regulatory framework by extending the account restrictions and operational requirements across multiple account categories, ensuring consistent compliance requiremen…
This provision clarifies which account classifications are governed by the Sponsored Account provisions, ensuring that minor account holders and their sponsors understand which regulatory and operati…
The authorization to use personal data for AI training is explicit and broad, and the notice does not describe limits on which data categories may be used for this purpose or how long AI-trained mode…
The collection of biometric data including facial scans is subject to specific state laws such as Illinois BIPA, which impose written consent, retention schedule, and prohibition-on-sale requirements…
This clause establishes the operative mechanism by which Cash App obtains user consent for its stated data practices. It creates a consent framework based on continued service use rather than requiri…
The policy states that profiles maintained about Cash App users may be enriched with externally sourced inferred characteristics and advertising segments from data brokers, which goes beyond transact…
The policy states that credit risk profiles are developed from collected data; if these profiles are used in credit eligibility determinations, they may interact with Fair Credit Reporting Act (FCRA)…
Voice recordings are a biometric-adjacent data type that receives heightened legal protection in several US states and under GDPR, and their collection for AI model training carries specific regulato…
This provision effectively overrides a user's deletion request for content embedded in a public character, which may conflict with data deletion rights under GDPR and US state privacy laws and create…
The platform involves open-ended AI character conversations that may include adult themes, and the age restriction without detailed technical verification mechanisms creates risk of minors accessing …
The explicit prohibition on child exploitation material and grooming reflects mandatory legal obligations under federal law and directly implicates the platform's CSAM reporting duties to the Nationa…
The 16-year minimum for EU/EEA and UK users reflects stricter regulatory requirements under GDPR and UK GDPR for platforms processing children's data, and non-compliance with these restrictions creat…
Users engaging in potentially personal or sensitive conversations with AI characters may not fully appreciate that their messages and voice inputs can become training material for commercial AI model…
This provision establishes age-based eligibility criteria that define the permissible user population for the service. It implements compliance requirements under child privacy regulations including …
Users of AI chat platforms commonly share personal details in the course of conversation, and this provision acknowledges that sensitive categories of data may be collected through those interactions…
The clause establishes that Chase recognizes the applicability of California privacy statutes to its California resident users and references supplemental disclosure materials. This framing indicates…
The provision acknowledges CCPA statutory obligations that Chase must honor for California residents. These rights operate as legal requirements rather than voluntary company policies, establishing b…
As a payment processor handling card data, Checkout.com's data practices directly affect how sensitive financial information belonging to end customers is stored, processed, and protected.
Academic and learning activity data is particularly sensitive for students, and its use for advertising purposes goes beyond what many users of an educational platform would reasonably expect.
This provision operationalizes Chegg's statutory obligations under California privacy legislation by establishing procedures through which consumers can exercise legally-mandated rights over their pe…
COPPA compliance provisions establish mandatory operational procedures for services used by children under 13, including parental notification and consent mechanisms. These requirements directly stru…
Given that Chegg is an education platform heavily used by teenagers including students under 13, the adequacy of the age verification mechanism and the reactive rather than proactive approach to unde…
For business users, this distinction determines who controls your data and what rights apply: workspace content is governed by your agreement with ClickUp as a processor, while separately collected b…
This distinction means that if you want to exercise privacy rights regarding data processed on behalf of a third-party website, you may need to contact that website's operator rather than Cloudflare …
Data residency options are operationally significant for enterprises subject to data localization laws or contractual requirements restricting cross-border data transfers. The availability of these o…
The agreement authorizes use of customer-submitted inputs and model outputs for model training by default; enterprise customers transmitting confidential, regulated, or sensitive data should confirm …
The DPA structure is the primary mechanism through which GDPR, CCPA, and other data protection obligations are operationalized in the agreement; enterprise customers processing personal data through …
For any user submitting data to the Cohere API, the Privacy Policy governs what Cohere does with that data, including whether it is used to train or improve models, which is a material consideration …
This provision directly addresses a common concern for enterprise customers deploying AI: whether proprietary business data submitted as prompts or documents could be incorporated into shared model t…
This provision clarifies the operational limits on Coinbase's ability to process data deletion requests under privacy regulations. The clause establishes that certain transaction data subject to dele…
The policy states disclosure may occur based on Coinbase's good faith belief, not solely on legally compelled orders, and may proceed without notifying the user, which means users may not know when t…
The collection of biometric data for identity verification is subject to specific state laws including Illinois BIPA, which imposes strict notice, consent, and deletion requirements, and the policy's…
This clause establishes the operational scope of data collection and use under the service agreement. It conditions continued service on Comcast's authority to gather and process subscriber informati…
Business users who submit proprietary, confidential, or customer-related content through the platform should understand that such content may leave Copy.ai's direct infrastructure and be handled by t…
Many users may not realize that enrollment through an employer or university program means their learning activity is visible to that organization, which could affect employment or academic assessmen…
This provision places contractual responsibility on users to ensure they do not input regulated data types such as medical records or financial account information into Cursor, which is significant f…
Employees or users whose accounts are provisioned by an organization may not have the same rights or protections described in this policy; their data rights depend entirely on the terms of the agreem…
This provision establishes the full scope of data use when Privacy Mode is disabled, authorizing collection and use of codebase data, prompts, and editor actions for AI model training and disclosure …
This provision establishes that personal data transmitted within enterprise customers' monitoring payloads is governed by a separate contractual document, meaning individuals whose data appears in th…
This provision establishes a material operational distinction between free and paid service tiers with respect to how submitted text and document content is processed beyond the immediate translation…
Biometric data like facial recognition is among the most sensitive categories of personal information because it is unique, immutable, and cannot be changed if compromised; state laws impose strict r…
The collection of message content, interaction patterns, server membership, and activity logs means Discord holds a detailed behavioral and content record of how you use the platform, which the polic…
The agreement establishes a minimum age of 13 and requires parental consent for users aged 13 to 17, engaging COPPA compliance obligations for US users and similar frameworks in other jurisdictions.
The policy establishes an age restriction and a stated commitment to delete data from underage users, but enforcement depends on Discord's ability to verify user ages at registration, which the docum…
Disney's services are popular with children, and the collection of date of birth and other personal details from minors is subject to COPPA in the US, which requires verifiable parental consent befor…
Families using Disney+ and other Disney services should understand that children's accounts and family profiles may involve data collection about minors, and the adequacy of age verification and pare…
The clause operationally separates data collection and privacy governance by source: Disney+ collects and processes data under its own policy terms, while third-party platforms operate under their ow…
Biometric data is among the most sensitive personal information categories because it is immutable. State laws like Illinois BIPA impose strict requirements and statutory damages for non-compliant bi…
This clause is operationally significant because it attempts to use acceptance of the privacy notice as a blanket authorization for financial institutions and government organizations to disclose use…
The policy authorizes sharing personal data with third parties for the third parties' own marketing purposes, which in practice may include platforms such as Meta and Google, and which for EU and UK …
Duolingo's platform is widely used by minors, including through Duolingo for Schools; the adequacy of parental consent mechanisms and age verification is a significant compliance consideration under …
The policy asserts COPPA compliance for users under 13, which is significant given Duolingo's broad appeal to younger users; however, the adequacy of age verification mechanisms and parental consent …
Children's data protections depend significantly on self-identification and platform-level age verification, and parents should understand that consent given on a third-party gaming platform may carr…
This provision establishes an absolute prohibition on using ElevenLabs for child sexual exploitation material or grooming, which carries serious criminal law implications in virtually all jurisdictio…
This provision authorizes the use of user-submitted voice audio for AI model training, which creates obligations under GDPR lawful basis requirements and may trigger biometric consent statutes in Ill…
Voice recordings may constitute biometric identifiers under laws in Illinois, Texas, Washington, and potentially under GDPR Article 9, which impose specific consent, retention, and destruction requir…
Your voice is a biometric identifier, and its use for AI training extends beyond the immediate service you signed up for, with implications for data retention and potential exposure across future AI …
This provision directly implicates biometric privacy statutes in multiple U.S. jurisdictions, including Illinois BIPA, which requires opt-in written consent before collecting biometric identifiers, a…
This provision asserts consent-based authorization for cross-border data transfers, including from the EU and UK to the United States; under GDPR, consent alone is generally not a sufficient transfer…
Under CCPA and CPRA, California residents have enforceable rights including an opt-out of sharing personal data with advertising partners; voice recordings may qualify as sensitive personal informati…
Parents who set up or accept the Terms for a child's Epic Games Account take on full financial responsibility for all transactions, including unauthorized or unexpected purchases made by the child, w…
Biometric data is among the most sensitive personal information because it cannot be changed if compromised. Several states have strict laws governing how companies may collect, store, and share biom…
This provision establishes a material limitation on state privacy rights: because Equifax's core business involves FCRA-governed consumer report data, a substantial portion of the personal informatio…
These are the most sensitive categories of personal data and their collection by any entity, particularly a data broker that has experienced significant data breaches historically, creates meaningful…
Equifax is a large corporate entity with numerous affiliates, meaning data you share with one Equifax product or service may be accessible to other Equifax entities. Sharing with external business pa…
This provision establishes that Equifax collects among the most sensitive categories of personal data recognized under U.S. and international privacy law, including government-issued identifiers and …
Inferenced profiles can be used in ways you may not anticipate, including marketing, risk scoring, and product targeting, and may reflect characteristics you have never directly disclosed to Equifax.
This provision establishes that Equifax engages in data sharing practices that qualify as a sale or share under CPRA and potentially other state privacy statutes, triggering opt-out rights for reside…
Data transfers to China are subject to Chinese data law requirements including the Personal Information Protection Law (PIPL) and potential government access obligations that differ materially from E…
Biometric facial data is among the most sensitive personal data categories because it is unique and permanent; unlike a password, you cannot change your face. Collection of this data from home securi…
Your browsing behavior, event interests, and personal identifiers may be shared with advertising partners for targeted advertising, and exercising the opt-out requires affirmative action by the user.
This provision operationalizes Eventbrite's obligation to provide users with a method to exercise opt-out rights under applicable privacy regulations. The specified mechanism—accessible link, toggle …
Government-issued identity documents and tax information are among the most sensitive categories of personal data, and making their submission mandatory means you cannot use those features of the ser…
The operational significance is that opt-out effectiveness is contingent on per-device and per-browser implementation rather than account-level settings, which means the burden of compliance maintena…
Precise GPS-level location data is among the most sensitive categories of personal information because it can reveal where you live, work, worship, or seek medical care, and this policy authorizes sh…
This provision goes beyond standard law enforcement or fraud-prevention disclosures and authorizes FanDuel to share your identifying information with your employer or a sports organization without a …
Customers handling personal data subject to GDPR, UK GDPR, or CCPA need a Data Processing Addendum to meet their legal obligations, but this document indicates it is not automatically part of the agr…
Design files submitted to Figma's AI features may contain proprietary business information, client work, or sensitive intellectual property, and this clause authorizes Figma to use that material to i…
The breadth of health categories collected, particularly menstrual cycle tracking and ECG data, places this data among the most sensitive personal information categories, with implications for how it…
This provision operationalizes state-level data privacy requirements that apply to Fiverr's processing of California residents' personal information. It establishes mandatory procedures for respondin…
This provision means your Fiverr activity can follow you across the internet in the form of targeted advertising, which many users would not expect from a professional services marketplace.
This provision places legal compliance responsibility for end-user data squarely on the deploying developer or business, which may expose them to regulatory liability if they have not established app…
This provision discloses collection of biometric identifiers and biometric information, which are subject to heightened regulatory requirements under statutes such as the Illinois Biometric Informati…
This type of data goes well beyond what most people expect from a car company's privacy policy; your driving habits and vehicle status are collected continuously through connected vehicle systems and…
This provision discloses collection of precise geolocation as a sensitive personal information category, which under CPRA and similar state laws may require specific consent mechanisms, disclosure ob…
This provision establishes Ford's authority to collect continuous location and behavioral data from connected vehicles, including route history and driving patterns, which may be shared with third pa…
Sensitive personal information including precise geolocation and biometrics carries heightened privacy risks and is subject to special protections under California law; consumers have the right to li…
Precise location data over time can reveal sensitive information about a person's daily routines, home and work addresses, medical appointments, religious attendance, and other private behaviors, mak…
This data is among the most sensitive personal information that can be collected, and its exposure, misuse, or breach carries significant personal and legal consequences, particularly for reproductiv…
The provision establishes the regulatory framework governing Gemini's privacy obligations by reference to federal law rather than state-by-state regimes. This designation determines which privacy sta…
This claim directly limits which privacy rights you can exercise as a US consumer, potentially removing protections you might expect under state laws like CCPA.
This provision establishes the regulatory framework applicable to Gemini's data handling practices. By asserting GLBA status, Gemini indicates its privacy obligations derive from federal banking priv…
Biometric data is among the most sensitive personal information because it cannot be changed if compromised; its collection and storage creates significant privacy risk and is subject to strict regul…
Biometric data is unique and permanent; unlike a password, it cannot be changed if compromised, making its collection and storage a significant privacy risk.
Precise location and driving behavior data can reveal sensitive patterns about your daily life, routine, and movements, and this data is shared with affiliates and third parties.
The policy authorizes use of user data for AI product development, which may include training or improving machine learning models; the full scope of this use is not entirely defined within this docu…
The clause operationalizes CCPA/CPRA statutory rights by specifying the mechanism through which California residents may exercise opt-out authority over data sales and sharing practices, establishing…
The policy states GitHub relies on Standard Contractual Clauses for international transfers, which is the standard legal mechanism post-Schrems II; however, adequacy of these transfers depends on sup…
This is among the most sensitive category of personal data under both GDPR and US state privacy laws, and its collection on a professional networking and job platform creates meaningful risk if data …
Job application data is among the most personal information a user can provide, and its classification as both Sensitive Personal Information and professional data means it carries heightened protect…
Using customer workplace data for AI model training raises significant questions about data purpose limitation and confidentiality of enterprise information, particularly where employees discuss sens…
This provision establishes a contractual prohibition on transmitting personally identifiable information through the Google Analytics service, which has direct implications for analytics implementati…
This provision establishes a direct contractual obligation on account holders as data controllers to maintain adequate privacy disclosures, creating compliance dependencies with GDPR consent requirem…
This provision incorporates by reference a separate data processing agreement governing GDPR compliance, meaning the full scope of GDPR-applicable data processing obligations for EU/EEA, Swiss, and U…
This provision establishes a default data-use posture that applies to all API traffic until a developer affirmatively changes a project setting. Developers handling personal data from end users shoul…
This provision establishes the consent basis under which Google shares location, payment, and device data with a broad set of third parties. The non-exhaustive list of recipients and the absence of s…
This provision establishes the publisher, rather than Google, as the party responsible for obtaining and managing end-user consent for ad-related data collection on their properties. Failure to imple…
This provision establishes an affirmative publisher obligation to identify child-directed content and configure ad serving accordingly, with failure to do so creating both AdSense policy violations a…
This clause provides the contractual basis for international data transfers required by Google Ads operations. Advertisers and their legal teams should evaluate whether the Standard Contractual Claus…
This provision makes eligibility for personalized ad serving in EU and UK markets conditional on implementation of a Google-certified CMP, which directly affects publisher revenue in those regions if…
This provision establishes data collection conduct standards that apply at the ad interaction level, complementing Google's broader privacy policies and creating a platform-level enforcement mechanis…
This provision restricts advertiser use of sensitive data categories for audience targeting, establishing platform-level limitations on targeting functionality that interact with data protection law …
This provision means that individuals whose personal data is processed through a Google Cloud-powered application have no direct rights under this public notice; their protections depend entirely on …
For any organization processing personal data of EU residents or other protected individuals on GCP, the DPA establishes the legal framework for that processing and determines whether Google acts as …
This provision establishes that the user-initiated deletion of Gemini Apps Activity does not result in immediate or complete deletion of conversation data, as reviewer copies are retained on a separa…
This clause establishes the default data practice for model training and specifies the mechanism by which users can opt out of this use. The provision clarifies that conversation data serves a dual f…
The clause establishes a user-controllable mechanism for limiting data retention and personalization processing, while specifying that conversation data continues to be used for AI model improvement …
The notice explicitly authorizes human access to conversation content, and the policy advises users not to submit anything they would not want reviewed, signaling that conversation content is not tre…
If you write personal, professional, or sensitive content through Grammarly, that text could contribute to AI model development, meaning your writing goes beyond the immediate service interaction.
Sexual orientation is a special category of personal data under GDPR and equivalent frameworks, requiring the highest level of protection. Using or sharing this data for advertising purposes raises s…
The provision creates a categorical restriction on the use of designated sensitive personal information categories within the entity's AI systems and model training processes, establishing a processi…
The clause establishes a default data sharing arrangement with advertising partners while providing users with a mechanism to control participation in this specific practice. The opt-out/opt-in struc…
HIV status and sexual orientation are among the most sensitive categories of personal data, and their collection and potential disclosure can create significant real-world risks for users including d…
Precise geolocation data can reveal where you live, work, worship, receive medical care, and whom you associate with. For users of an LGBTQ+ platform, location data combined with identity data create…
HIV status is among the most sensitive categories of personal data under virtually every major privacy framework, and its collection and potential onward sharing carries significant privacy, safety, …
Precise geolocation on an LGBTQ+ platform can be used to infer or expose a user's presence in sensitive locations such as health clinics, community centers, or private residences, creating safety and…
Your most sensitive personal data, including government ID documents and facial images, is handled by a company whose privacy practices are separate from Groq's policy commitments, creating a gap in …
This provision authorizes collection of highly sensitive personal and financial data categories, including Social Security Numbers and bank account information, from both Suppliers and Buyers. The da…
This provision establishes that Gusto's privacy policy disclosure page itself incorporates third-party tracking infrastructure, which means user activity on the privacy documentation page is monitore…
Health and benefits data is among the most sensitive personal information category, and its collection by a payroll platform creates potential obligations under HIPAA and heightened risks if exposed.
This data is among the most sensitive a company can hold; unauthorized exposure could enable identity theft, financial fraud, or discrimination.
This dual-framework approach creates separate regulatory pathways depending on the type of health data and the legal status of the entity collecting it. The distinction determines which privacy stand…
This is among the most sensitive categories of personal data, and its collection by a consumer app with both clinical and non-clinical features means different parts of the same dataset may be subjec…
This provision operationalizes statutory obligations under CPRA by establishing the mechanism through which consumers can restrict data usage to service delivery purposes and control commercial data …
The provision operationalizes statutory privacy rights within Headspace's service terms, establishing procedural obligations for Headspace to comply with GDPR and UK GDPR requirements and defining th…
This classification subjects Headspace to HIPAA's security, privacy, and breach notification requirements as a business associate, establishing a specific regulatory framework for how protected healt…
Sexual orientation, health, and religious data are among the highest-risk categories of personal information because their exposure can lead to discrimination or harm in certain contexts, and the con…
Biometric data is among the most sensitive personal information because it cannot be changed if compromised, and several US states impose strict legal requirements on how companies collect, store, an…
Sensitive personal information is subject to the strongest legal protections under state privacy laws, and its collection by a retail company is noteworthy given the breadth of categories disclosed.
Biometric data is among the most sensitive categories of personal information because it is permanent and uniquely identifies individuals; unauthorized collection or misuse can cause irreversible har…
This provision determines who is responsible for your data and who you can hold accountable. If a company stored your email address in HubSpot without your knowledge, your legal rights run against th…
This provision establishes a bifurcated data governance structure in which data subject rights requests for customer-submitted data must be directed to HubSpot's business customers, not to HubSpot di…
The DPA governs GDPR and CCPA compliance for personal data processed through HubSpot, and its terms and obligations are legally binding even though they are in a separate document that many customers…
This provision places the legal compliance burden for Contact Data on the Customer as data controller, creating direct exposure under GDPR, CCPA, and other applicable privacy laws if data is transfer…
The VPPA is a federal law that restricts the disclosure of video rental and streaming records; this clause establishes that Hulu is sharing viewing history for advertising and that you must opt out t…
The clause operationally allocates responsibility for advertiser conduct and third-party content away from Hulu, establishing that the platform does not curate, endorse, or warrant advertiser product…
Most people do not expect that the details they share in a private conversation could be retained and used as training data; this is especially significant if you have shared sensitive personal, heal…
The California supplemental disclosures section provides the most detailed account of what data Instacart collects and shares with third parties, and it is the section most relevant to consumers who …
This provision operationalizes Instacart's compliance framework for California privacy statutes, which require distinct disclosures regarding consumer rights, data collection categories, and use prac…
The policy explicitly acknowledges that personal information is sold and shared within the meaning of CCPA, which means your purchase history, device identifiers, and browsing behavior may be transfe…
Prescription data is among the most sensitive categories of personal information; the policy's separate treatment of this data category signals distinct handling obligations, but the applicable prote…
The provision operationalizes Instacart's compliance obligations under California privacy statutes by providing residents with jurisdiction-specific rights regarding data collection, use, disclosure,…
This category of data represents among the most sensitive personal information a consumer can share, and its collection by a company that also engages in advertising and analytics partnerships warran…
Business users submitting confidential, proprietary, or client-related content as prompts should be aware that this material may be used to train Jasper's AI models unless they actively exercise the …
This provision establishes that user-submitted content, which may include proprietary business information, creative assets, or sensitive organizational data, is within scope for AI model training an…
Creating an account for a child under 13 constitutes verifiable parental consent under COPPA, making the parent responsible for the child's activity and for understanding what data Khan Academy colle…
Platforms accessible to minors face heightened legal obligations under COPPA in the US and the UK Children's Code, and inadequate age verification can expose both users and the platform to significan…
An automated system rather than a person may determine whether you can access Klarna's payment services, and an incorrect automated decision could deny you access without obvious recourse unless you …
A missed Klarna payment could be reported to credit reference agencies and damage your credit score, affecting your ability to get loans, mortgages, or other credit products from unrelated financial …
This provision establishes that EU and UK data protection obligations are addressed in a separate contractual instrument rather than within the ToS itself, creating a multi-document compliance framew…
The operational significance is that privacy practices and data handling procedures, if disclosed at all, are integrated into the primary terms of service rather than presented as a standalone policy…
AI trace data submitted to LangSmith may contain sensitive business information, proprietary logic, or personal data embedded in prompts and completions, and the policy states this data is collected …
Personal data of EU, UK, and other non-US users may be transferred to and stored in the United States, which requires an adequate legal transfer mechanism under GDPR and UK GDPR to ensure the data re…
This provision establishes a default-on data practice in which user-submitted creative prompts and generated outputs are authorized for use in AI model training; the opt-out mechanism places the proc…
Precise location data reveals your daily movements, home address, workplace, and travel patterns, making it one of the most sensitive categories of personal data collected by the service.
Precise geolocation data is among the most sensitive categories of personal data. It can reveal where you live, work, and spend time, and may be shared with third parties including advertisers and se…
This provision authorizes LinkedIn to use the professional content and data you contribute to the platform to develop and improve AI products, including sharing with its parent company Microsoft, whi…
This provision establishes specific restrictions on data transferred to LinkedIn through the Insight Tag and ad targeting systems, including a categorical prohibition on sensitive data targeting and …
This provision directly limits the practical effect of account deletion as a privacy remedy, meaning users cannot fully remove their content's influence from Luma's AI systems even after closing thei…
Biometric identifiers are unique and permanent; their collection and potential misuse carry significant privacy risks, and laws like Illinois BIPA impose strict requirements including written consent…
Continuous and background location tracking creates a detailed record of your physical movements, which the policy permits sharing with advertising and business partners beyond the core purpose of pr…
The parental consent requirement creates a gatekeeping mechanism that aligns the service with legal obligations under the Children's Online Privacy Protection Act (COPPA). This provision establishes …
This provision creates a time-sensitive operational obligation that applies upon platform access termination or user request, requiring developers to have implemented data mapping and deletion workfl…
The provision establishes a notice-and-consent framework that conditions certain data practices on prior user authorization, creating an operational requirement for Meta to distinguish between expect…
This provision establishes an absolute contractual prohibition on commercialization of platform-sourced data through sale, licensing, or brokerage channels, which constitutes a significant restrictio…
This provision establishes a baseline protection for minors by restricting developer access to Meta's platform for child-directed applications unless specific approval and legal compliance obligation…
This clause establishes restrictions on data use for child-directed applications and creates a compliance obligation for developers to adhere to regulatory requirements governing the collection and u…
This provision defines the permissible scope of data use for all platform-integrated applications, establishing that use of user data outside the stated core functionality or Meta's advertising polic…
The terms explicitly state that personalized advertising based on activity and interest data is the commercial basis for free access to Meta's services, and that users consent to this use by agreeing…
This clause creates an operational obligation for Meta to process data deletion requests within defined parameters, establishing the conditions under which user data must be removed from Meta's syste…
This provision establishes a floor of prohibited developer behaviors, particularly around sensitive data categories including health, financial, and precise location data, which receive additional pr…
This provision places independent legal and operational obligations on developers to maintain compliant privacy disclosures and consent mechanisms, meaning that failures in these areas are the develo…
The provision operationalizes the legal basis for Meta's data collection and processing practices by defining when and how user consent is obtained. This establishes the contractual foundation for Me…
This provision establishes categorical prohibitions on specific uses of platform data that intersect with anti-discrimination law and data protection frameworks governing special categories of person…
This provision establishes a developer obligation to comply with age-based data protection requirements, which interacts with COPPA, GDPR provisions on children's data, and state-level age-appropriat…
This provision discloses that sensitive personal data categories are processed within Meta's advertising infrastructure. The distinction between 'exclusionary' and 'targeting' use of special category…
Personalized advertising is the primary commercial use of your data on Meta's platforms, and this provision authorizes a layered targeting model where both Meta's data and a partner advertiser's own …
These restrictions aim to prevent discriminatory targeting, but they also define the boundaries of what behavioral and demographic data advertisers can use — which has significant implications for bo…
This provision establishes that Meta's data collection extends beyond its own products to include off-platform browsing, purchase, and behavioral data sourced from third parties, which is incorporate…
This provision operationalizes Meta's compliance with the Children's Online Privacy Protection Act (COPPA) and establishes a tiered privacy framework based on user age cohorts. The age-based restrict…
This provision establishes the legal basis and operational scope under which Meta links behavioral, interest, and activity data across its entire product family and external sources, creating a unifi…
This provision means your activity across a wide range of third-party digital and physical environments can be linked back to your Meta profile and used to target you with advertising, even if you ne…
The collection and inference of special category data carries heightened legal obligations under GDPR and many other frameworks, and creates elevated privacy risk if that data is used in advertising …
This provision matters because IP addresses can be used to identify a person's approximate physical location and internet service provider, and when combined with a specific wallet address, can poten…
This provision clarifies the operational boundaries of MetaMask's data deletion obligations under privacy regulations. It establishes that the company's ability to honor erasure requests is constrain…
The provision creates a contractual mechanism linking the Services Agreement to the separate Microsoft Privacy Statement, establishing that data practices disclosed in the Privacy Statement form part…
This clause establishes the operational basis and conditions under which Microsoft may unilaterally access and disclose user information without prior notice or consent, defining the scope of informa…
The clause establishes Microsoft's operational framework for children's data handling under educational product offerings and designates a separate Children's privacy section as the authoritative sou…
The provision creates a distinct data processing framework for preview services, authorizing Microsoft to apply alternative privacy protections and data collection practices that differ from standard…
Users interacting with AI features may not realize that their prompts and AI-generated responses can be collected and used for product improvement, which could include sensitive or confidential conte…
The provision operationalizes Microsoft's compliance obligations under children's privacy regulations, requiring age verification and documented parental consent before minor account activation. This…
This provision operationalizes the separation between service terms and privacy practices by referencing external privacy documentation. It establishes that Azure data handling is subject to Microsof…
The policy states that prompts, uploaded images, and generated images may be used for AI model training, and the terms assert a license to use this content for that purpose, which may affect users wh…
This provision establishes a compliance obligation for server operators to adhere to child protection laws, but does not specify a verification, age-gating, or parental consent mechanism. Under this …
This provision governs how data from minor users is collected and used, and whether parental consent mechanisms meet regulatory standards under COPPA and equivalent frameworks.
Provisions affecting minors carry heightened regulatory significance under COPPA and GDPR-K, and determine what protections apply to younger players interacting with platform content, community featu…
This clause places the legal responsibility for minors' account terms on parents, but does not specify how Mojang or Microsoft verifies parental consent, which is critical under COPPA for children un…
The clause allocates account creation responsibility and terms acceptance to parents or legal guardians rather than minors, establishing the administrative and contractual authority structure for acc…
This provision creates compliance obligations under COPPA (enforced by the FTC), GDPR provisions applicable to children's data, and national implementations of child data protection requirements acro…
The provision operationalizes Minecraft's legal obligation to implement age-gating mechanisms and consent verification procedures, establishing the procedural baseline for permissible data handling a…
AI features may involve additional data processing, including the use of board content to train or improve AI models, which raises distinct privacy considerations not covered by the main Privacy Poli…
This provision establishes two distinct legal frameworks governing different categories of data, requiring enterprise customers to manage compliance obligations under both the privacy policy (for con…
This provision authorizes Mistral AI to act as an independent Controller for AI training purposes, which is a distinct legal role from its Processor role, and means the data use is governed by Mistra…
Your conversations may contribute to improving Mistral AI's models by default on free and some paid plans, meaning the things you type into the service could be reviewed and incorporated into future …
This provision determines where legal accountability sits for end-user data. Because the business deploying Mixpanel is the data controller, end users must direct data rights requests such as access,…
This provision determines who is responsible for your personal data and where you must direct rights requests; end users of apps built on Mixpanel's platform may have limited direct recourse against …
Dietary and body data is among the most personal information someone can share, and understanding how it is used beyond the core app function, including for advertising, is important for informed con…
The policy authorizes use of user-submitted content for AI model training, which means inputs to NVIDIA AI services could contribute to model development; the scope of data retained after opt-out is …
The agreement authorizes collection of usage, diagnostic, and telemetry data from deployed software instances without specifying granular data categories, retention periods, or whether NVIDIA acts as…
This provision establishes Netflix's compliance framework for children's data protection under applicable regulations such as COPPA. The clause defines Netflix's operational approach to age-gating an…
This provision authorizes Netflix to incorporate behavioral profiles built from your activity on unaffiliated third-party services into its advertising targeting, meaning Netflix ads may reflect your…
Your real home neighborhood is tied to your account by design, and this data is used for advertising, meaning your physical location is part of Nextdoor's ad-targeting infrastructure.
COPPA imposes strict requirements on collecting data from children under 13, and the adequacy of Nintendo's consent mechanism within its family account system directly determines whether children's d…
The provision creates a dual framework: it restricts general data collection from children pending parental authorization while carving out an exception permitting collection of technical identifiers…
The provision operationalizes California's statutory privacy mandates within Nintendo's service terms, establishing procedural requirements for data subject requests and defining the scope of persona…
The provision allocates parental oversight responsibility and establishes age-based use restrictions that condition continued access on family review and parental acknowledgment of the terms. This af…
The availability of a Business Associate Agreement is operationally significant for healthcare organizations and covered entities that need contractual assurances under HIPAA before using Notion to p…
Most people encounter Okta through workplace login, but this policy explicitly does not cover that context, meaning employees have no direct privacy rights against Okta for their authentication data …
These requirements function as gatekeeping mechanisms to establish legal capacity, enforce age restrictions on adult content access, and create documented identity records for regulatory compliance a…
Submitting a government ID and selfie creates a detailed identity record held by OnlyFans and its third-party processors, which if breached or misused could expose Creators to serious identity theft …
Bank account details and tax identification numbers are among the most sensitive financial data points a consumer can share, and their collection by an online platform creates meaningful exposure to …
Selfie-based age estimation involves the processing of facial image data, which may qualify as biometric data under certain state laws such as Illinois BIPA, creating significant legal and consent ob…
The explicit separation of Face Recognition Data as a distinct category suggests the platform may process facial recognition data in some contexts, which carries the most stringent biometric data obl…
The document discloses that these capabilities exist within the model's audio processing architecture and that restrictions were applied prior to release, meaning the risk surface is present and miti…
This provision establishes the mechanism by which EU-based enterprise customers can lawfully transfer personal data to OpenAI for processing. Under GDPR, a valid transfer mechanism is required for an…
A BAA is a legal requirement under HIPAA before a covered entity or business associate can share protected health information with a service provider. The document states this is available for qualif…
A signed DPA is the primary contractual instrument establishing GDPR Article 28 compliance and CCPA service provider status; without it, enterprise customers may lack documented legal basis for proce…
A DPA incorporating SCCs is a legal requirement under GDPR for transferring personal data from the EU/EEA to a third country such as the United States. The document states this is available but requi…
This provision establishes that API-based deployments handling protected health information may be eligible for BAA coverage, which is a prerequisite for using a third-party vendor under HIPAA. The p…
This provision reflects OpenAI's compliance framework under the Children's Online Privacy Protection Act (COPPA) and establishes the operational process by which the company addresses unauthorized co…
GDPR Article 8 sets the digital consent age at 16 by default, though member states may lower it to a minimum of 13; users below the applicable threshold require verifiable parental or guardian consen…
This provision places the compliance burden on the operator to identify when HIPAA applies to their use case and to execute a BAA before submitting any protected health information. Using the API wit…
This provision is operationally significant because it means that conversational inputs, which may include personal, professional, or sensitive information, may be incorporated into AI model training…
This provision establishes OpenAI's default authorization to use submitted Content for service improvement and product development, while creating carve-outs for enterprise and API customers. The opt…
The policy discloses that user Inputs submitted through the OpenRouter service are transmitted to third-party LLM providers whose data practices, including model training use, are outside OpenRouter'…
This provision establishes that personal data or sensitive content embedded in user Inputs may be processed by third-party AI providers under terms and data practices that OpenRouter neither governs …
This provision delegates data handling configuration, including prompt logging and model training enablement, to organizational Admin Users rather than to individual Authorized Users. The data handli…
The terms establish that Admin Users can enable prompt logging, chat logging, and model training for all Authorized Users in their organization; individual Authorized Users may not have independent v…
This provision directly limits the practical scope of your privacy rights. Even if you exercise your legal right to erasure, the most sensitive financial activity data remains permanently public.
Reproductive health data carries heightened legal and personal risk, particularly given evolving US state laws on reproductive rights; users should understand that this data is stored by Oura and, in…
This provision establishes that Oura's privacy obligations cease to directly govern user health data once it is shared with a Data Recipient, shifting data controller responsibility to the receiving …
Palantir's most significant data operations involve analyzing large datasets for government and corporate clients, and those processing activities are entirely outside the scope of this public privac…
Despite hosting Nickelodeon, Nick Jr., and other children's content, the terms restrict use to those 13 and older, creating a tension between the platform's content offering and its stated age restri…
Because Paramount+ hosts major children's brands like Nickelodeon, the adequacy of age verification and parental consent mechanisms is especially significant for families; COPPA violations can expose…
The provision operationalizes statutory consumer rights under California law by establishing procedures through which the company must process access, deletion, and opt-out requests, and specifies th…
The VPPA is a federal law that gives users specific protections over the disclosure of their video viewing records; streaming services sharing this data with third parties without proper consent may …
Viewing history and location data are considered sensitive personal information under several state privacy laws, and the sharing of this data with third-party partners for advertising purposes may c…
The clause operationalizes Paramount+'s obligations under California privacy law (CCPA/CPRA) by creating a documented process for opt-out requests and establishing that the company will cascade opt-o…
Parental controls are opt-in rather than default, meaning children may access unrestricted content and their data may be collected under standard adult data practices unless a parent actively configu…
Video viewing records are specifically protected under the Video Privacy Protection Act (VPPA), a federal law that restricts how streaming services can share what you watch with third parties.
Federal law (COPPA) requires verifiable parental consent before collecting personal data from children under 13, and the FTC actively enforces these rules against streaming platforms that include chi…
The provision identifies a broad list of use cases for biometric data collection beyond basic login, including cryptocurrency transfers and lifting account limitations, which means biometric data may…
This provision discloses that personal information, including financial and transaction data, is used to train AI models, and that automated decision-making is applied to fraud and risk assessments t…
This provision discloses that PayPal may derive sensitive attributes, including income and creditworthiness estimates, from transaction behavior without requiring separate consent for each inferred a…
The explicit disclosure that data brokers are among the sources from which PayPal obtains personal information means that data about users may be combined with externally purchased data profiles, whi…
The opt-out right is meaningful but requires affirmative action on every browser and device separately, and users outside the listed 19 states may have no enforceable opt-out right under this policy …
Most privacy frameworks that designate sensitive personal information as a distinct category do so specifically to limit its use for commercial purposes like advertising; using sensitive data for tar…
Biometric data is among the most sensitive personal information that can be collected because it is permanent and uniquely identifies you. Collection at physical venues like theme parks means this ap…
Your video viewing history is sensitive personal information that reveals interests, habits, and potentially political or personal views. The VPPA provides specific federal protections for this data …
Fitness and health-related data is among the most sensitive categories of personal information, and its collection, use, and sharing are increasingly regulated under state biometric and health data p…
Health and fitness data is among the most sensitive categories of personal information, and its collection through always-connected hardware means Peloton builds a detailed picture of your physical c…
Voice audio data is a distinct and sensitive category of biometric-adjacent personal data in several jurisdictions. This provision creates compliance obligations under Illinois BIPA for voiceprint da…
This provision establishes an opt-out default for use of personal interaction data in AI model training, meaning training use proceeds unless users take affirmative action. For EU/EEA users, the adeq…
This provision governs the scope of Perplexity's rights to use enterprise-submitted data, which is a primary compliance consideration for organizations deploying AI platforms that process employee qu…
The DPA is a critical companion document for GDPR and CCPA compliance, but it is incorporated by reference rather than appended to the main agreement. Enterprise customers must review the DPA separat…
This provision establishes that conversational input submitted by users during ordinary platform use may be incorporated into AI model training workflows. The opt-out mechanism's operational scope, a…
This means your queries, including potentially sensitive ones about health, finances, or personal matters, could become part of the data used to build Perplexity's AI models.
The SCCs provide the contractual transfer mechanism required under GDPR Chapter V, but following the CJEU's Schrems II decision, customers must also conduct Transfer Impact Assessments to verify that…
This provision addresses AI-enabled privacy violations, including the use of generative AI to build surveillance or data harvesting tools targeting individuals without their knowledge.
This provision places the obligation to obtain express consent and hold all necessary rights directly on the user, covering privacy, publicity, and intellectual property laws, which creates significa…
This clause places the entire legal burden of ensuring lawful processing, including obtaining data subject consent where required, on the Customer rather than Pinecone. Submitting special category da…
This provision states that Pinterest's advertising data collection is not limited to activity on its own platform; it extends to third-party sites and apps that have embedded Pinterest partner tools,…
The policy states that Pinterest is not directed at children under 13 and restricts EEA access based on member state age-of-consent laws; however, the policy does not detail the technical mechanisms …
This provision establishes age-based targeting restrictions that require advertisers to configure audience parameters in compliance with both Pinterest's policy thresholds and jurisdiction-specific l…
Credential collection is among the most sensitive data practices in consumer finance, and users may not realize that a financial infrastructure company, rather than just the app they are using, is re…
This provision establishes a dual-role data use structure in which Plaid acts both as a service provider to developer partners and as an independent data user, creating compliance questions regarding…
This provision establishes the core data collection mechanism through which Plaid accesses sensitive nonpublic personal financial information, implicating GLBA, CCPA, and GDPR obligations for both Pl…
Secondary use of financial transaction data for Plaid's own benefit (product development, analytics) is a purpose that goes beyond what you likely intended when connecting your bank account to a spec…
Enterprise customers cannot rely on this policy for any assurances about how their end-user data is handled; they need to review their separate data processing agreement with PlanetScale.
The policy asserts user consent to international data transfers through continued use of the service; however, under GDPR, consent obtained in this manner (through terms of service acceptance rather …
The provision operationalizes a default public visibility model for user profiles and transaction-related content. It allocates responsibility by establishing that users' posted content operates unde…
This provision operationalizes Poshmark's compliance with the Children's Online Privacy Protection Act (COPPA) and establishes the institutional mechanism by which age eligibility and parental consen…
The provision establishes the operational framework under which user data becomes a functional component of the platform's advertising delivery system. This authorization governs how personal informa…
This is one of the most expansive data collection practices in consumer insurance: your real-time behavioral and location data is collected continuously and directly tied to how much you pay for cove…
The clause operationalizes Reddit's compliance with the Children's Online Privacy Protection Act (COPPA) and equivalent international child privacy regulations by establishing mandatory age gates tha…
Loan pre-approval documents contain some of your most sensitive financial data, including income, assets, and credit information; understanding how this data is stored, shared, and retained is import…
This provision creates a contractual linkage between the Privacy Notice and the Terms of Use, meaning that privacy disputes do not operate under a standalone privacy framework but instead fall under …
Training data uploaded to build AI models could contain highly sensitive information about real people, and the policy does not specify special handling, access controls, or retention limits for this…
Automated decisions in financial services can affect whether you are approved for credit, flagged for fraud, or restricted from certain products, and consumers should understand they may have rights …
Automated credit and fraud decisions can directly affect your access to financial products, and you have the legal right to request that a human reviews any decision that significantly affects you.
Biometric data such as facial scans or fingerprints is highly sensitive because, unlike passwords or account numbers, it cannot be changed if compromised, making its collection and protection particu…
Your home security footage, which may capture activity inside and around your home, can be disclosed to law enforcement without your direct consent in response to legal process.
Riot's games are widely played by players under 16, and the age-based data practices and parental consent requirements are legally significant. The policy's reliance on users self-reporting their age…
This provision establishes the legal framework under which Riot Games collects and processes data from minor users. It conditions such processing on obtaining parental consent where legally mandated,…
This provision establishes the statutory framework governing how Robinhood must handle personal information requests from California residents. The clause operationalizes consumer privacy rights that…
The operational significance is that the scope of privacy rights available to users varies based on which federal financial privacy regime applies to their information. This creates a tiered privacy …
By reference incorporation, this provision creates a unified contractual framework where privacy practices become enforceable agreement terms rather than unilateral company policy. This mechanism ens…
The provision operationalizes COPPA compliance by designating specific data categories as non-personal information while establishing the technical and administrative necessity for username, password…
Biometric data is subject to strict state-level laws in the US (notably Illinois BIPA) that require informed written consent, impose retention and destruction obligations, and provide a private right…
COPPA requires verifiable parental consent before collecting personal data from children under 13; the adequacy of Roblox's consent and age-verification mechanisms directly affects the legal complian…
The policy authorizes behavioral advertising directed at users as young as 13, which engages a rapidly evolving set of state-level minor privacy laws; the lawfulness of this practice depends on juris…
This provision establishes the platform's COPPA compliance framework, requiring parental consent for users under 13 and placing representational obligations on account creators. The effectiveness of …
This provision invokes the COPPA internal operations exception to justify collecting persistent identifiers from children without separate verifiable parental consent. The scope of permitted uses, in…
This provision establishes age-gated advertising eligibility thresholds that govern how the platform serves advertisements across its user base, creating distinct operational obligations for ad deliv…
This provision authorizes collection of facial images for age estimation purposes, which may trigger obligations under state biometric privacy statutes including Illinois BIPA and Texas CUBI, dependi…
The agreement states that under-13 users receive a restricted account experience with limited data collection, which is relevant to the large portion of Roblox's user base that falls in this age grou…
This provision governs how Roblox handles data for its youngest users and establishes the parental consent and deletion rights that apply under US federal law for children under 13.
This provision authorizes third-party advertising partners to collect your behavioral and activity data across platforms using tracking technologies, which under California law constitutes 'sharing' …
The provision operationalizes Roblox's commercial content moderation structure by establishing that ad placement extends across the user base without age-based restrictions on ad eligibility, while c…
The collection of persistent identifiers enables core platform operations including device connectivity, user recognition across sessions, and advertising delivery. This data collection supports both…
This provision discloses collection of facial images for age estimation purposes, which may constitute biometric data collection under applicable state and national laws including Illinois BIPA, Texa…
This provision establishes Rumble's use of first-party and third-party tracking technologies for behavioral advertising, which engages CCPA opt-out requirements, potential GDPR consent obligations, a…
This provision establishes Rumble's authority to transfer personal information including behavioral and viewing data to third-party advertising and analytics entities, which is directly relevant to C…
The clause establishes the Company's operational authority over content moderation and sets the contractual baseline that content transmission occurs without privacy protections. This permits the Com…
Biometric identifiers such as face scans and voiceprints are among the most sensitive personal data categories and are subject to specific consent, retention, and destruction requirements under laws …
The clause establishes Runway's operational authority to review user-generated content without prior notice requirements and eliminates any contractual privacy expectation for communications on the p…
This provision discloses collection of biometric identifiers, which are among the most sensitive personal data categories under CCPA/CPRA and state biometric privacy laws. The scope of collection acr…
The provision operationalizes CCPA/CPRA compliance by creating an accessible consumer control mechanism and establishing a heightened consent standard for minors. The dual-track approach (opt-out for…
This provision identifies collection of health metrics that, while not covered by HIPAA in a consumer app context, are classified as sensitive personal information under CCPA/CPRA and subject to FTC …
Voice recordings may constitute biometric voice prints under applicable state biometric privacy laws and are classified as sensitive personal information under CCPA/CPRA. The policy's disclosure that…
The terms establish that personal data processing is governed by a separately incorporated DPA, which is the operative compliance instrument for GDPR and CCPA obligations; customers must review and u…
The deployment of an alpha-stage SDK in production environments establishes the technical mechanism through which Shein's privacy-related data handling operations execute client-side. The preload dir…
Loading a third-party advertising tracker on a privacy disclosure page may constitute data sharing before a user has had the opportunity to read or respond to the privacy notice, which engages notice…
The provision establishes the operational framework for the service to acknowledge and handle GPC signals, a standardized mechanism through which users can communicate privacy preferences to websites…
This provision establishes baseline content policies that Shopify enforces to maintain compliance with legal obligations regarding child safety and to manage platform risk. The clause creates operati…
This provision covers recordings made inside your private residence, making it among the most sensitive data categories SimpliSafe handles, with implications for household safety and personal privacy.
The provision operationalizes CCPA compliance by creating an opt-out mechanism for data sale and sharing activities. It establishes the procedural pathway through which users may exercise their statu…
This provision operationalizes Skillshare's compliance with child data protection regulations, including the Children's Online Privacy Protection Act (COPPA) and similar international standards that …
The incorporation of a DPA addresses regulatory requirements under data protection regimes such as GDPR and similar frameworks that require explicit contractual terms governing the processing of pers…
Most Slack users encounter the service through an employer or organization, meaning their message content is legally under the employer's control and Slack's obligations run to that employer, not the…
This provision determines the allocation of direct regulatory obligations between Smartsheet and its enterprise customers under GDPR and CCPA. Where Smartsheet acts as a processor, enterprise custome…
Given Snapchat's widespread use among teenagers, the adequacy of age verification and the specific nature of 'certain restrictions' for users aged 13-17 are material to assessing whether minors' data…
The clause establishes age-based eligibility criteria and creates an operational mechanism for account termination based on age verification. For users under 18, it establishes parental consent as a …
Camera and image processing features, particularly augmented reality Lenses that map facial geometry, may generate data that constitutes biometric information under state laws such as Illinois BIPA, …
Precise location data is among the most sensitive personal data types because it can reveal home and work addresses, religious or medical visits, and daily routines, and this data is shared with adve…
This provision establishes Snapchat's compliance framework with child protection regulations including COPPA (Children's Online Privacy Protection Act) and equivalent international requirements. It d…
This provision establishes affirmative age-targeting obligations that advertisers must operationalize through audience configuration settings, and creates compliance exposure under COPPA and equivale…
This provision establishes a passive consent mechanism that triggers full cookie opt-in upon page abandonment for users who have not explicitly engaged with the consent banner, which may require eval…
The use of third-party tracking technologies for behavioral advertising may constitute 'sharing' personal information under CCPA/CPRA, and the consent management implementation directly affects wheth…
The collection of date of birth to gate child accounts is the mechanism through which COPPA compliance is implemented; if this process fails to accurately identify or appropriately restrict data coll…
Parents are accepting full liability for their child's activity on PlayStation, which means a child's code of conduct violation or unauthorized purchase could result in consequences that affect the p…
The collection of facial photographs for age estimation constitutes biometric data processing under several U.S. state laws, and the involvement of a third-party provider means Spotify is not the sol…
Biometric data and government-issued identity documents are among the most sensitive categories of personal information, and their collection triggers specific legal obligations in several US states …
Payment and banking credentials are among the most sensitive categories of personal data, and understanding how they are stored, shared, and protected is critical for any user of Square's services.
This provision means that creative inputs and outputs produced during your use of Stability AI tools may become part of the data used to improve the company's AI models, which raises questions about …
Collection of bank login credentials is associated with account aggregation services that access your external financial accounts on your behalf; this practice involves significant security considera…
Government-issued ID is among the most sensitive categories of personal data and its collection by a consumer marketplace creates heightened security and misuse risks if not properly protected.
When Stripe acts as a processor on behalf of a Business User, your privacy rights requests may need to go to the merchant, not Stripe. This can make exercising rights more complex for consumers who i…
Collection of government-issued identification data engages heightened sensitivity requirements under multiple privacy frameworks and triggers specific obligations regarding secure storage, limited r…
Many consumers who encounter Stripe only through third-party merchant checkouts may not realize that their direct rights against Stripe are limited in that context, and that they must contact the mer…
This provision establishes that biometric data collection is within scope of Stripe's data practices for identity verification purposes, which engages state biometric privacy statutes and GDPR specia…
This clause is designed to prevent deepfake voice abuse and protects both users and third parties from having their voices cloned without consent, though enforcement relies on Suno's unilateral discr…
This provision operationalizes Suno's compliance obligations under EU data protection law by explicitly acknowledging that EEA residents retain statutory rights independent of the terms. It establish…
This means content you create or upload, including music prompts and generated songs, may feed back into Suno's AI training pipeline without requiring your explicit, specific consent, which is a mate…
Your face and voice are among the most sensitive categories of personal data and may qualify as biometric data under Illinois, Texas, or Washington state law, triggering specific consent, retention, …
Precise location data is among the most sensitive personal information a carrier can collect, revealing where you live, work, worship, receive medical care, and travel. Prior FCC enforcement actions …
T-Mobile has experienced multiple significant data breaches affecting tens of millions of customers, making this provision's practical meaning directly relevant; the commitment to notify 'as required…
This provision authorizes T-Mobile to share your personal data with external advertising partners for commercial purposes beyond your service relationship with T-Mobile, which represents a broader us…
The policy authorizes use of code inputs for AI model training for free and pro users, which may be significant for developers working with proprietary, confidential, or regulated code.
This provision establishes a default data use practice for free-tier users that includes their submitted code in AI training pipelines, with opt-out access tied to subscription tier. Enterprise compl…
The provision creates an operational requirement for Target to honor opt-out requests submitted through specified mechanisms, establishing procedural pathways through which California residents can e…
Biometric data is among the most sensitive categories of personal information. Unlike a password, it cannot be changed if compromised, and several states impose strict legal requirements on its colle…
The clause establishes a mechanism for users to affirmatively restrict how Target uses personal information for advertising purposes and establishes Target's procedural obligation to honor Global Pri…
The clause operationalizes Target's statutory obligation under CCPA to provide consumers a functional opt-out mechanism for data sale and sharing activities. The provision establishes the procedural …
This provision requires compliance with state biometric privacy statutes including the Illinois Biometric Information Privacy Act (BIPA), the Texas Capture or Use of Biometric Identifier Act (CUBI), …
This provision operationalizes TaskRabbit's CCPA compliance framework by acknowledging potential regulatory overlap between its disclosed advertising practices and CCPA's definition of 'sale,' while …
This provision establishes that the platform collects categories of information classified as sensitive under multiple privacy frameworks including GDPR and CCPA, including national identification nu…
The collection of social security numbers, government photo ID, and criminal history represents some of the most sensitive categories of personal data, and their exposure in a breach or unauthorized …
This provision establishes that a US-domiciled entity is the data controller for EU and UK data subjects, which requires legally adequate transfer mechanisms for personal data flowing from the EEA or…
The operational significance of privacy policy provisions cannot be assessed without the actual clause language. Privacy policies establish the procedural framework for data collection, use, retentio…
This provision establishes that user data transmitted to third-party bots is outside Telegram's data protection framework, and that Telegram does not govern how independent bot developers collect, st…
Sensitive personal information carries the highest privacy risk and is subject to the strongest legal protections in most jurisdictions; its collection by a data broker and information products compa…
Session replay technology can capture detailed behavioral data including mouse movements, clicks, and potentially form field interactions, which goes beyond standard analytics; the presence of Facebo…
The provision operationalizes Thomson Reuters' compliance obligations under California privacy statutes by explicitly acknowledging resident rights and establishing the procedural basis for Thomson R…
This provision means personal data you provide, or that Thomson Reuters collects about you, could be used to build AI systems, raising questions about what data is used, for how long, and whether ind…
This provision establishes the entity's operational policy regarding compliance with children's privacy protections under applicable law (including COPPA in the U.S.). The deletion mechanism creates …
This provision establishes that activity data generated on Threads is not siloed within the Threads product but may be combined with data from other Meta platforms and third-party sources to build ad…
This provision means users cannot exercise a standalone right to delete their Threads data and profile without also losing their Instagram account and all associated data, which may affect how users …
The Privacy Policy incorporated by reference governs the collection of identifiers, usage data, location-related data, and behavioral data associated with Threads use, and determines the legal basis …
The provision operationalizes consent-based tracker gating, allowing TikTok to control whether third-party data collection tools fire or remain inactive in response to documented user consent prefere…
Biometric data is among the most sensitive categories of personal information under US law because it cannot be changed if compromised; the policy's qualifier 'where required by law' means consent ma…
The platform's policies for users under 13 and users aged 13-17 determine what data is collected from minors, what content they can access, and what parental controls are available, which has signifi…
The provision operationalizes regulatory compliance obligations regarding child protection and data privacy frameworks that apply to minors. It establishes the platform's procedural mechanisms for ac…
This provision states that content collection can occur before a user makes a final decision to share or store content, meaning data about content a user chose not to publish may still be retained an…
Age-based safety frameworks establish operational procedures for content access, feature availability, and user protections that vary by user age category. This architecture enables the platform to a…
When law enforcement requests your data, TikTok's guidelines determine what information is disclosed, under what legal standards, and whether you are notified, which directly affects your privacy and…
The clause operationalizes COPPA compliance and establishes a tiered age-based access framework with differentiated contractual obligations and privacy protections depending on the user's age categor…
This provision operationalizes TikTok's compliance framework for child users by creating a segregated data collection environment and establishing a remedial process when information is collected out…
COPPA compliance is a statutory obligation under federal law that materially constrains how the platform operates with respect to users under 13. The provision's operational significance lies in its …
The agreement establishes age-based access restrictions and places legal responsibility on parents and guardians for minor users' platform activity, while the Under 13 Experience provides a separate …
This provision describes a data-sharing relationship in which external advertiser partners supply off-platform behavioral data to TikTok for ad targeting, meaning TikTok's information about you exten…
This statement functions as a foundational principle for platform moderation but lacks operational specificity regarding age verification, content restrictions for minors, or parental consent procedu…
The provision operationalizes TikTok's legal obligations to implement age-appropriate safeguards and data handling practices for users under 13, establishing a framework for differential application …
Collection of face and body feature data from user content may constitute biometric data processing in certain jurisdictions, triggering specific consent and data rights requirements that go beyond s…
This provision places the burden of age-targeting compliance on the advertiser, including appropriate use of TikTok's targeting tools to exclude underage users from age-restricted campaigns. Given Ti…
This provision establishes age-based targeting restrictions at two thresholds, under-13 and under-18, creating distinct compliance obligations for advertisers based on product category and audience t…
The monitoring system operationalizes cookie consent compliance by identifying misalignments between consent settings and actual cookie deployment. This enables TikTok to track instances where consen…
The Singapore regional deployment means that advertiser personal data and campaign data may be transferred outside the EU/EEA and UK, engaging cross-border transfer restrictions under GDPR Chapter V …
Continuous background location collection on a dating app creates meaningful privacy and safety risks, particularly for users in sensitive situations, because precise location data can reveal home ad…
Sexual orientation and gender identity are categorized as special category data under GDPR, requiring explicit consent and heightened protection standards. Sharing this data with a platform and its p…
Sexual orientation and health status are among the most sensitive categories of personal data, and once disclosed on a dating platform, they are processed and potentially shared in ways users may not…
These categories of data carry the highest privacy risk; their exposure in a data breach or unauthorized sharing can cause significant harm including identity theft, discrimination, and financial los…
The scope of data collection extends well beyond what most people associate with a credit bureau, encompassing behavioral, biometric, and psychological inference data that can affect how companies ev…
The notice authorizes cross-site behavioral tracking by multiple third-party vendors, meaning your activity on Twilio's website may be used to serve you ads on other websites and applications.
This allocation of responsibility establishes that Twilio operates as a messaging infrastructure provider without monitoring obligations for customer-side regulatory compliance. The provision defines…
Continuous precise location collection creates a detailed record of a driver's movements over time, which is shared with riders and may be shared with insurers and government authorities, and is subj…
Facial image data and government ID copies constitute sensitive personal data in multiple jurisdictions, and facial recognition or matching may qualify as biometric data under laws such as Illinois B…
The collection of precise location data and trip details, combined with use for purposes described in a separate Privacy Notice incorporated by reference, means the full scope of data use is not enti…
Continuous background location collection constitutes processing of precise geolocation data, classified as sensitive personal information under CPRA and subject to heightened protections under GDPR …
This provision requires collection and processing of biometric identifiers, which are classified as special category data under GDPR Article 9 and sensitive personal information under CCPA/CPRA, and …
This provision authorizes collection of biometric identifiers, a category of sensitive personal data subject to specific statutory requirements in Illinois, Texas, Washington, and other jurisdictions…
Automated deactivation decisions directly affect a driver's ability to earn income through the platform, and under GDPR Article 22 drivers in the EU may have the right to request human review of sole…
This provision establishes the third-party data sharing relationships that determine how user behavioral and learning data flows beyond the Udemy platform, with direct implications for advertising ta…
Many users may not realize that an employer-sponsored account removes the privacy of individual learning activity, potentially exposing course choices, quiz results, and platform communications to ma…
The provision operationalizes California Consumer Privacy Act (CCPA) requirements by establishing an opt-out mechanism for personal information sales and sharing practices. The clause specifies both …
This provision affects potentially hundreds of millions of mobile game players who have no direct relationship with Unity but whose data Unity collects and uses for advertising profiling.
Advertising identifiers enable cross-app tracking and profiling at scale; combining them with third-party partner data amplifies the scope of the profile Unity can build about any individual user.
Once your data is shared with third parties who operate under their own privacy policies, your ability to control how it is used depends on each recipient's practices, and Unity's policy does not ful…
Because Unity's SDK is embedded in many mobile games that children frequently play, the operational gap between this policy statement and actual data collection practices is a significant compliance …
This provision involves collection of photographic images of users, which may constitute biometric information or biometric identifiers under laws such as the Illinois Biometric Information Privacy A…
This provision authorizes collection of persistent identifiers from users identified as children for purposes including analytics and personalization, which requires evaluation against COPPA's restri…
The waiver structures dispute resolution to proceed on an individual basis, which affects how disputes are adjudicated and the procedural framework available to parties. The opt-out mechanism creates…
Persistent identifiers collected from children, including IP addresses and device IDs, are sensitive data categories under COPPA and equivalent laws, and the sufficiency of the asserted technical con…
Facial images are considered biometric data under several state laws, and the policy's assertion that they are not used for identification does not necessarily exempt their collection from biometric …
The policy authorizes collection of sensitive financial identifiers and transaction content that, in combination, create a detailed profile of a user's financial behavior and relationships.
The default public setting means that payment descriptions, which may reveal personal, financial, or relationship information, are visible beyond the two parties to a transaction unless a user active…
Developers deploying applications on Vercel need to understand that they, not Vercel, are legally responsible for their end users' data under GDPR and similar laws, and they must have their own priva…
CPNI is a federally protected data category for telecommunications customers; its use for marketing is subject to FCC rules and your right to restrict it is legally enforceable at the federal level, …
This provision authorizes collection and advertising use of telecommunications network data, including call records and browsing activity at the network layer, which is subject to FCC CPNI obligation…
This clause implements statutory rights under California privacy law by creating specific request mechanisms that Verizon must establish and maintain to comply with consumer data rights mandates.
The provision operationalizes California statutory privacy requirements within Verizon's service terms, establishing specific procedures for how consumers in California may exercise state-mandated pr…
This provision establishes that Verizon collects precise location data from multiple technical sources across both Verizon services and, in some circumstances, third-party contexts. Precise location …
This program uses sensitive browsing and app activity data for advertising without requiring you to affirmatively opt in, meaning your data is being used for ad personalization unless you take action…
As a major telecommunications carrier, Verizon has access to particularly sensitive data including precise location information and communications metadata, making the privacy policy one of the most …
This program uses network-level behavioral data, including browsing history and app activity, for commercial advertising purposes without requiring you to affirmatively consent before enrollment.
Precise geolocation is among the most sensitive categories of personal data and is classified as sensitive personal information under California law, triggering heightened consumer rights and restric…
Location data is among the most sensitive categories of personal information because it can reveal your home, workplace, medical appointments, religious practices, and other sensitive patterns of beh…
This provision establishes a default opt-in enrollment for a program that uses network-level data, including URLs visited and app usage, for advertising profiling. Under FCC CPNI rules, telecommunica…
This provision identifies the federal CPNI regulatory framework applicable to Verizon as a telecommunications carrier and establishes the stated basis for using network data in service delivery and m…
This provision authorizes Verizon to use network-level behavioral data, including browsing and app usage activity, as a telecommunications carrier to deliver targeted advertising. As a common carrier…
This provision authorizes collection of multiple categories of precise location data, including GPS coordinates and cell tower proximity, and its combination with other data types enables detailed lo…
This provision operationalizes Visa's compliance obligation under the California Consumer Privacy Act by establishing a documented opt-out process. The availability of multiple submission channels (w…
The provision operationalizes Visa's compliance with state privacy statutes by establishing procedural mechanisms for consumer requests and defining the entity's obligations to process, verify, and f…
Health and prescription data is among the most sensitive personal information, and its collection by a company that also operates digital advertising programs creates significant privacy consideratio…
Under CPRA, sensitive personal information is subject to heightened use limitations and consumers have a statutory right to limit its use beyond service delivery. This provision establishes the right…
This provision identifies a broad category of sensitive health-related data collected across both HIPAA-regulated pharmacy operations and non-HIPAA retail and digital channels. The policy does not co…
Sensitive personal information categories carry heightened regulatory protection under multiple state laws, and the phrase 'as otherwise permitted by applicable law' leaves the scope of permitted use…
This provision triggers opt-out rights under CCPA/CPRA for California residents and requires Walgreens to provide a clear and accessible opt-out mechanism, including recognition of the Global Privacy…
This provision authorizes third-party tracking technology deployment on Walgreens platforms, enabling advertising and analytics partners to independently collect device identifiers, browsing activity…
The CPRA established specific rights for consumers to limit the use and disclosure of sensitive personal information; the policy's disclosure of sensitive data categories triggers those rights for Ca…
This clause operationalizes state-law opt-out rights by designating specific mechanisms (online portal and phone line) and establishing a processing timeline, creating procedural obligations for the …
The collection of sensitive personal information categories including financial account identifiers and government-issued IDs creates heightened obligations under CPRA and analogous state statutes, a…
Biometric data collection is subject to strict consent, retention, and destruction requirements under state laws including Illinois BIPA, and the policy's disclosure of this practice requires consume…
This provision establishes that precise location and detailed driving behavior data are collected continuously during app use, creating a comprehensive record of a user's physical movements and trave…
The terms authorize collection and use of real-time GPS location data for advertising purposes in addition to navigation functionality; the detailed scope of data collection is deferred to a separate…
The privacy and data protection obligations that matter most for GDPR and CCPA compliance are in a separate document that is incorporated by reference but not reproduced here, meaning organizations m…
The clause operationalizes CCPA/CPRA compliance requirements by creating a documented mechanism for California residents to control data sale and sharing practices. It establishes a specific processi…
This provision requires sellers to submit sensitive personal and financial data categories that are subject to heightened protection under state financial privacy laws, data breach notification statu…
Biometric and physiological health data is among the most sensitive categories of personal information and, once collected, cannot be changed if misused; understanding how WHOOP uses and shares this …
The agreement discloses collection of a range of physiological and biometric-adjacent data categories on a continuous basis; the handling of this data is governed primarily by the Privacy Policy rath…
This provision states that content users enter into Windsurf, which may include proprietary code, sensitive queries, or personal information, can be retained and used to train the company's AI system…
This provision states that employer-side administrators have potential access to individual users' Prompts and Outputs, which may include sensitive code, business logic, or personal queries entered d…
The agreement conditions opt-out from AI model training on loss of Chat Service access entirely, meaning users cannot retain both privacy from model training and full service functionality simultaneo…
Millions of employees use Workday through their employer without realizing that their privacy rights for employment-related data must often be exercised through their employer rather than directly wi…
This allocation of legal roles has significant implications for enterprise compliance teams: it means the enterprise customer bears primary obligations under GDPR for lawful basis, data subject right…
This clause establishes the jurisdictional and operational framework for X's data handling practices. By conditioning consent on service use rather than requiring affirmative opt-in, the provision es…
The terms use continued service use as the mechanism for consenting to international data transfers, including transfers to the United States, Ireland, and unspecified other countries; for EU and UK …
The clause operationalizes data transfer across jurisdictions as a condition of service access, establishing the geographic scope of data processing operations and the involvement of affiliate entiti…
The provision indicates X has implemented a documented framework addressing minor user access and parental notification or consent procedures. This establishes an operational structure for age-relate…
This provision states that direct messages, which users may treat as private communications, are processed by X's systems including AI and machine learning tools, for purposes beyond simple delivery …
This provision states that location data is collected both through explicit permission (precise GPS) and passively through IP address and device settings, and that this data is used for advertising p…
The policy states that data collection occurs simply by viewing the platform, without any account interaction, and that a wide range of personal and behavioral data categories are collected based on …
This provision authorizes X to use broad categories of personal data, including content you create and how you interact with the platform, to develop and improve AI systems, which is a use that may e…
This provision addresses X's compliance obligations under laws regulating online data collection from minors, including parental notification and consent requirements. It establishes the operational …
The document states that X infers minor status from behavioral interactions rather than verified age documentation, which has implications for what content and protections are applied to accounts bel…
Cable viewing history is among the most sensitive categories of subscriber data, and its use for off-platform advertising raises questions about whether the current opt-out consent model satisfies th…
The provision establishes a mechanism for disclosing state-specific privacy rights and obligations that operate alongside the primary privacy policy. This structure acknowledges differential legal re…
As your internet service provider, Xfinity has a privileged position to observe your online behavior at the network level, and the policy indicates this data may be used for advertising purposes, whi…
The provision's operational significance lies in its establishment that Xfinity's privacy practices are structured to accommodate multi-jurisdictional privacy requirements. This indicates the policy …
Video footage and sensor data from inside a subscriber's home represent some of the most sensitive categories of personal information, and the policy's scope for using and sharing this data deserves …
The collection of biometric identifiers and precise geolocation alongside financial identifiers creates significant data security and regulatory exposure, particularly under state biometric privacy l…
The clause creates an operational framework that separates data processing activities into manageable categories and designates a specific control interface where users can express preferences about …
This provision establishes the operational framework for Yelp's data sharing practices with external advertising partners. It clarifies that information shared under this authorization is limited to …
This provision operationalizes Children's Online Privacy Protection Act (COPPA) compliance by creating a technical framework that disables data collection and personalization mechanisms for child use…
This provision allocates legal responsibility for underage user conduct to parents or guardians who authorize Service access. It establishes the operational framework through which the Service permit…
The creation of a named child profile that includes age and birth month, linked to watch and search history, represents a more detailed personal data record than the signed-out state and has direct i…
This provision means that a child's activity in YouTube Kids can feed into Google's broader data ecosystem when a Google Account is used, extending the data use well beyond what many parents might ex…
The clause creates a categorical limitation on the scope of statutory privacy rights by restricting their availability to a specific subset of California residents based on transaction type and relat…
The scope limitation creates two eligibility requirements that must both be satisfied for CCPA rights to apply: California residency status and B2B interaction context. This restriction narrows the c…
Financial data submitted for mortgage applications is among the most sensitive personal information category; its use and sharing beyond the immediate loan process warrants careful review.
This provision determines whether the content of your meetings, including things you say, type, or share, may be used to improve Zoom's AI products. Because the opt-out is assigned to account adminis…
This provision defines the data control hierarchy within Zoom accounts, specifying that administrative authority over account data rests with account owners rather than individual participants. It es…
The agreement authorizes use of meeting and communication content, which may include audio, video, chat transcripts, and shared files, to develop and improve AI features, subject to consent and avail…
The collection and retention of credit card numbers and bank account details by eBay and its payment affiliates creates significant financial data security obligations and exposure risk for users if …
Sellers are required to submit highly sensitive identity data including government IDs, social security numbers, and selfie photos, which represents a significant privacy commitment and creates eleva…
The clause creates a bifurcated data governance framework: logged-in users receive an affirmative choice mechanism regarding model training use of their content, while non-authenticated users operate…
The agreement acknowledges that certain features may produce outputs involving coarse language, sexual situations, or violence, and places responsibility on parents to monitor use and configure data …
The clause creates a bifurcated privacy framework where medical information accessed or created through telehealth services operates under distinct privacy terms separate from the primary Privacy Sta…
This provision operationalizes user control over a specific category of data processing—the matching and display of genetic information across the service's user base. The mechanism distinguishes bet…
The policy provides a meaningful choice over biological sample retention, which is operationally significant because a stored sample could be used for future genetic analyses if you later consent, wh…
The clause establishes a self-service mechanism for account termination, enabling users to unilaterally discontinue their relationship with the service through the platform's administrative interface…
The provision establishes 23andMe's acknowledgment of California statutory privacy obligations and delineates the specific consumer rights the company recognizes under state law. This framing establi…
The policy grants users a meaningful deletion right that includes destruction of the physical biological sample, but the irreversibility of the action means users who delete cannot recover their data…
This provision establishes 18 as the minimum age for account creation while creating a parental consent pathway for minors, which has implications for how genetic data of children is collected and pr…
The existence of a separate Medical Record Privacy Notice for telehealth means that users accessing clinical services through 23andMe are subject to a different and supplementary privacy framework, a…
This provision operationalizes 23andMe's compliance obligations under California law by explicitly acknowledging CCPA rights holders and establishing the framework through which residents may submit …
Participating in DNA Relatives discloses your genetic relationship to other users and may reveal family information to people you did not previously know, including information about relatives who ha…
The provision operationalizes compliance with HIPAA and state medical privacy laws by creating a distinct governance framework for telehealth-derived medical records, which have different regulatory …
This restriction is intended to prevent genetic data derived from 23andMe's services from being used to make insurance or employment decisions, which aligns with the Genetic Information Nondiscrimina…
The clause operationalizes data subject rights by designating a submission mechanism, establishing response timelines tied to legal requirements, and specifying conditions under which ADP may verify …
This provision establishes that the procedural mechanism for exercising GDPR, CCPA, and other data subject rights is distributed across jurisdiction-specific supplements rather than centralized, whic…
BCR approval is a regulatory authorization mechanism under GDPR Chapter V that requires ongoing supervisory authority oversight; this provision identifies the specific transfer mechanism ADP relies o…
Without specific retention timelines for each data category, it is difficult for individuals or employers to predict when their data will be deleted, which affects the practical ability to enforce de…
This provision authorizes the use of advertising and analytics tracking technologies on ADP's website, which engages GDPR ePrivacy Directive consent requirements for EU users and CCPA opt-out require…
CCPA provides enforceable rights backed by California law, including the right to opt out of data sharing that could affect advertising and marketing uses of your information, and the right to non-di…
This provision identifies a jurisdiction-specific supplement that governs California residents' data rights, which is operationally significant because CPRA rights including the right to opt out of s…
The provision operationalizes California's statutory privacy framework by establishing the procedural mechanism through which covered residents exercise legally-mandated rights and by designating spe…
BCR are a recognized but operationally complex transfer mechanism. If regulators in any country determine that BCR do not provide adequate protection, data transfers relying on them could be suspende…
These rights are meaningful only if ADP can verify your identity and respond within legally required timelines. Because ADP often acts as a processor for employers, some rights may need to be exercis…
Your prompts may contain sensitive, personal, or confidential information, and understanding that this content could be used for model training is important for deciding what to share with AI21's pro…
These rights give you meaningful control over your personal data held by AI21, including the ability to request deletion or restrict use of your data for advertising purposes, but exercising them req…
The provision operationalizes data subject rights that arise under data protection regulations in specific jurisdictions, establishing the mechanism and contact point through which users can exercise…
Advertising and analytics cookies collect behavioral data that is shared with third-party platforms, and users who do not actively manage their cookie preferences may have their browsing behavior tra…
Data transferred outside the EU or UK may be subject to different legal protections, and the adequacy of Standard Contractual Clauses as a transfer mechanism depends on whether supplementary measures…
This clause establishes procedural mechanisms through which California residents can exercise statutory rights under California privacy law. The provision conditions these rights on exceptions define…
The scope of automatic collection, including IP addresses and behavioral data, means AWS gathers information about you even without you actively filling out a form, which has implications for profili…
This provision establishes that personal data collected through the AWS website may be shared across the broader Amazon corporate group, including Amazon.com, Inc. and unnamed subsidiaries, as well a…
This provision establishes conditions under which personal data may be disclosed to government or law enforcement entities, including a discretionary determination by AWS that disclosure is reasonabl…
This provision establishes a data sharing arrangement with identified third-party advertising and analytics partners that may involve transfer of personal data outside the direct AWS data controller …
This provision operationalizes data subject rights commonly required under privacy regulations such as GDPR and CCPA by establishing a mechanism through which users can submit requests and specifying…
Behavioral tracking through cookies and pixels means AWS (and potentially its advertising partners) can build detailed profiles of your online activity across its properties, which may inform targete…
This provision establishes the scope of personal data collection applicable to all AWS website visitors and registered users, including both actively provided information and passively collected tech…
This provision discloses that personal data may be transferred internationally without specifying the transfer mechanisms used to ensure adequate protection for EU or other regulated transfers. This …
This provision establishes the mechanism and contact point for exercising data subject rights for the two largest regulated user populations. The notice's acknowledgment of these rights is a complian…
These rights are legally enforceable under GDPR and CCPA, meaning AWS is required to respond to valid requests within defined timeframes, giving you meaningful control over your personal information …
This provision establishes that the AWS website engages in behavioral tracking for advertising purposes, including the use of pixel tags and web beacons in addition to cookies. This is operationally …
This provision establishes both the data ownership framework (customer retains content ownership) and the permitted scope of AWS's access to customer content (limited to service provision and mainten…
This provision addresses a material concern for enterprise customers deploying proprietary data in AI workflows; the agreement states that customer content processed through Bedrock does not contribu…
This provision establishes that service improvement use of customer content is the default state unless an opt-out is actively exercised; customers who do not take affirmative action to opt out opera…
The terms explicitly state that customer prompts and content submitted through Bedrock inference are not used to train Amazon foundation models by default, which is a material data handling commitmen…
This provision operationalizes California's statutory privacy framework by specifying the mechanism through which eligible residents can assert legally-mandated access, deletion, correction, and opt-…
The policy's acknowledgment that Acorns Early involves minor beneficiaries, alongside the general COPPA disclaimer, creates a compliance distinction requiring assessment of whether and what data is c…
This provision establishes operative consumer rights under CCPA and CPRA for California residents, creating enforceable obligations for Acorns to respond to rights requests and to provide a functiona…
This provision establishes the legal framework and account holder eligibility requirements for minor investment accounts. By requiring guardian representation and authority attestation, the clause cr…
These rights are legally enforceable under California law and give California residents meaningful control over how a financial app with highly sensitive data uses and shares their information.
This provision establishes automated collection of behavioral, device, and location data through tracking technologies in addition to user-provided financial data, creating a dataset that may be used…
This clause operationalizes California Consumer Privacy Act (CCPA) statutory rights within Acorns' terms, establishing the procedural framework through which California residents may exercise informa…
This level of data collection is expected for a regulated financial services provider but represents significant exposure if data is breached or misused, as it includes identity documents and financi…
Geolocation data is classified as sensitive personal information under the CPRA, giving California residents specific rights to limit its use, and precise location data can reveal sensitive personal …
The mechanism for parental consent is not further specified in the visible document text, which raises questions about whether any affirmative verification occurs or whether parents are simply expect…
These rights are enforceable under California law and give California-based Activision users concrete tools to control their personal data, including the ability to stop their data from being shared …
For EU and UK users, the legal adequacy of data transfers to the US is an ongoing regulatory concern following the Schrems II decision, and the effectiveness of Standard Contractual Clauses depends o…
Detailed gameplay behavioral data enables profiling of individual users over time and can be combined with device identifiers and advertising data to build comprehensive user profiles used for target…
These rights are legally binding on Activision for EU and UK users and provide meaningful tools to challenge, limit, or delete the personal data Activision holds, including data used for advertising …
This is a broad assertion that allows Adobe to process your data for marketing and sharing purposes by default, without your explicit consent, in jurisdictions where this basis is available. Users wh…
Personal users who used a work email for their Adobe account risk losing control of their account and all associated content if their employer subsequently joins Adobe as a business customer, even re…
Users who attempt to store health records, financial documents, or other sensitive personal information in Adobe cloud services may be in violation of these terms, and Adobe is not obligated to prote…
The opt-out right creates a procedural pathway for users to control whether their content and usage data are subject to Adobe's analytics operations. This affects the scope of data Adobe may process …
This provision directly addresses a major concern among creative professionals by explicitly prohibiting Adobe from using user content for generative AI training, with a narrow and clearly defined ex…
Adobe's analysis of your actual creative content, not just usage metadata, for marketing and product improvement purposes is a meaningful privacy consideration that many users may not expect and shou…
The GDPR Data Processing Agreement creates binding obligations for Adobe as a data controller or processor, establishing lawful bases for data processing, data subject rights procedures, and cross-bo…
This provision operationalizes Adobe's compliance framework under children's privacy laws by restricting unsupervised product access for users under 13. It establishes a procedural requirement that s…
Users outside the U.S., particularly in the EU, have legal protections governing international data transfers, and the adequacy of those protections depends on the legal mechanisms Adobe uses, such a…
This provision establishes minimum protections for children's data consistent with COPPA requirements, but parents should be aware that enforcement relies on self-reporting and Adobe's awareness of u…
Users who store creative files, documents, or AI prompts in Adobe's cloud should be aware that this content may be reviewed, not just for safety reasons, but also to inform product improvements and m…
California's CPRA provides among the strongest US consumer privacy rights, and Adyen's explicit acknowledgment of these rights means California residents have actionable tools to control their data t…
The absence of specific retention periods for most data categories makes it difficult for individuals to know how long their financial and personal data is held, and purpose-based retention can resul…
Behavioral tracking for advertising purposes requires consent under EU and UK law, and the consent defaults built into Adyen's cookie tool determine whether your browsing data is used for targeted ad…
If Adyen is acting as a processor for a merchant, you may need to go to that merchant, not Adyen, to exercise rights like deletion or access, which adds a step and could delay or complicate your requ…
Legitimate interests is a flexible legal basis that does not require your consent, meaning Adyen can process your data for analytics and product improvement without asking you, though you have the ri…
Cross-border transfers expose your data to legal systems with potentially lower privacy protections than the EU or UK, and the adequacy of Standard Contractual Clauses as a safeguard depends on ongoi…
Merchants who do not have adequate privacy notices or data processing agreements in place with Adyen may face GDPR compliance exposure if their customers' payment data is processed without proper leg…
GLBA opt-out rights are narrower than many consumers expect: they apply to sharing with non-affiliated third parties for marketing but do not cover sharing for joint marketing arrangements or operati…
Third-party tracking on Affirm's platform means your browsing and purchase behavior may be shared with advertising networks, which can follow you across other websites.
This means your profile at Affirm is built from sources you may not be aware of or have directly consented to, which can affect credit decisions and how you are targeted for marketing.
This provision establishes Affirm's legal obligations to honor CCPA-enumerated consumer rights and establishes the operational framework under which California residents may exercise data subject acc…
Device identifiers and geolocation data can be used for behavioral tracking and advertising targeting purposes beyond the basic function of processing a loan.
Behavioral profiling means Affirm uses your financial activity to make inferences about you that go beyond your loan transactions, which can affect what products you are shown and potentially how you…
The GLBA notice requirement creates a regulatory framework obligating the company to disclose its information practices transparently, establish procedures for consumer access to personal information…
Depending on which state you live in, you may have additional rights to access, correct, delete, or limit the use and sharing of your personal information that go beyond what the general notice descr…
The provision operationalizes Afterpay's ability to unilaterally revise privacy practices without obtaining affirmative user consent, with effectiveness tied to publication rather than individual ack…
The breadth of collection across all service interactions means Afterpay can gather identity, financial, behavioral, and device data from the moment you visit its site, not just when you make a purch…
The GLBA Consumer Privacy Notice is the federally mandated disclosure that governs your right to opt out of certain sharing of your nonpublic personal information with non-affiliated third parties, w…
Messages sent through Airbnb's messaging system are not private in the way direct email or text messages are; Airbnb retains and may analyze their content, which users may not expect when communicati…
This clause means that law enforcement or government agencies can obtain your personal data, booking records, communications, and identity information from Airbnb through legal process, which is part…
GDPR rights are among the strongest personal data protections globally, and EU and UK Airbnb users can exercise these rights against Airbnb Ireland UC or Airbnb UK Limited as the designated data cont…
Precise geolocation data is a sensitive category of personal information that can reveal your home address, travel patterns, and daily movements, making it a high-value data type for both personaliza…
California's CPRA gives residents enforceable rights over their personal data that go beyond what users in most other US states have, including the right to limit how sensitive data like biometrics a…
This provision operationalizes Airbnb's obligations as a data controller under EU and California privacy regulations by designating a mechanism for rights requests and requiring identity verification…
Connecting third-party accounts to Airtable gives Airtable access to data from those external services, which is then stored and associated with your Airtable account, potentially expanding the perso…
Users in the EU, UK, and other jurisdictions with data export restrictions need to know that their data may be processed in countries with different privacy standards, and that legal safeguards are p…
Employees using Airtable for work purposes should be aware that their content and activity may be visible to their employer through Airtable, which has implications for privacy and confidentiality of…
This provision goes beyond standard usage analytics to assert the right to profile users on psychological and aptitude dimensions, which has implications for how your data is categorized and potentia…
Employees using Airtable through an employer-managed account should be aware that their activity, content, and profile data can be disclosed to their employer, potentially without separate notice.
Even after you delete your account, Airtable retains and can continue to use behavioral and usage data derived from your activity, which may include information that could be used to profile users or…
This provision invokes COPPA compliance obligations and establishes Amazon's stated policy on data collection from minors under 13, which is relevant for parents and for compliance teams evaluating C…
This clause establishes that AWS may disclose customer account information and activity data to law enforcement authorities based on its own determination that criminal activity may have occurred, in…
This clause engages COPPA compliance obligations by asserting that Amazon does not knowingly collect data from children under 13 without consent, and establishes an age restriction requiring parental…
The provision allocates account security obligations to the user while establishing Amazon's framework for age-restricted transactions. This defines the operational responsibility structure for accou…
By incorporating the Privacy Notice by reference, the Conditions of Use make data collection and processing terms part of the binding agreement, and changes to the Privacy Notice may affect user righ…
Without defined retention limits for most categories of personal data, your information may remain in Amazon's systems for extended periods, increasing the potential impact of a data breach and limit…
The provision establishes operational mechanisms for data subject rights compliance across jurisdictions with varying legal requirements. It designates specific channels (Privacy Central and direct c…
Your ability to control Amazon's use of your personal data depends heavily on where you live, and users outside California, the EU, UK, or Brazil may have substantially fewer enforceable rights under…
This means your shopping behavior on Amazon follows you across the internet through advertising networks, which can feel intrusive and extends Amazon's commercial use of your data beyond its own plat…
The provision establishes a procedural mechanism for users to exercise data subject rights mandated under applicable privacy legislation, with the scope and availability of such rights determined by …
Because airline travel legally requires collection of certain personal data for minors, including passport and identification information, children's data is routinely processed even where general CO…
Cross-device behavioral advertising means your online activity on aa.com can follow you to unrelated third-party websites, and when combined with your personal identity data, creates a detailed profi…
The disclaimer that this policy is not a contract means you cannot rely on it as a legally binding commitment, and the notification mechanism is limited to a website label rather than direct notice s…
Third-party trackers on aa.com operate under their own privacy policies, meaning data about your visit may be collected and used by entities you have no direct relationship with and whose data practi…
Combining offline airport interactions with online behavioral data and third-party information creates a comprehensive profile that is more revealing than any single data source, and is used both to …
This provision establishes Amplitude's participation in targeted advertising data sharing ecosystems and creates an opt-out obligation under CCPA/CPRA for California residents. Under CPRA, sharing pe…
This provision establishes the scope of US state privacy rights Amplitude recognizes and the jurisdictions in which those rights apply, creating a multi-state compliance framework. The specific right…
Businesses cannot assess Amplitude's data protection obligations from the ToS alone; the DPA is the operative document for GDPR and privacy law compliance, and it must be reviewed separately.
The use of legitimate interests as a legal basis for some processing activities means Amplitude may process your data without your explicit consent, though you have the right to object to such proces…
This provision determines which legal obligations, data subject rights workflows, and contractual requirements apply depending on the data processing context. Organizations deploying Amplitude's SDK …
This provision establishes the legal basis for cross-border data transfers from the EU/EEA, UK, and Switzerland to the US, which requires ongoing adequacy and Schrems II compliance assessment. Organi…
Your data collected on Amplitude's website may be used by outside advertising partners to profile and target you, which goes beyond what many users expect from a B2B analytics vendor's own website.
California residents have legally enforceable rights under CPRA to stop their data from being shared with advertising partners, which is a meaningful protection given Amplitude's disclosed advertisin…
This provision creates a secondary use of platform-processed data beyond the primary service delivery purpose, and the adequacy of the de-identification standard applied is not specified in the docum…
The provision operationalizes California Consumer Privacy Act (CCPA) statutory rights by designating a specific contact mechanism and processing timeline, and establishes an age-based protection stan…
This clause operationalizes Amplitude's compliance obligations under GDPR and equivalent regional frameworks by explicitly acknowledging and establishing mechanisms for data subject rights exercise. …
This distinction determines who is legally responsible for your data and who you should contact with privacy requests, depending on how you encountered Amplitude.
This provision establishes that account closure does not result in immediate or complete deletion of personal data. The retention of data post-closure for undefined 'legitimate business purposes' int…
This provision establishes operationally distinct rights regimes for users based on geography, with California and EU or UK users having the most specific enumerated rights. The practical availabilit…
Automatic collection of device identifiers, browsing activity, and location-derived data is disclosed as occurring across Ancestry's services, and this data is used to support advertising, analytics,…
California's privacy laws give residents stronger rights over their data than users in most other US states, including specific controls over sensitive personal information like genetic data.
This provision implements age-based access controls and establishes Anthropic's procedural obligations under children's privacy regulations, including COPPA compliance. It creates a categorized user …
The opt-out does not provide a complete exclusion from model training; two specific categories of conversations remain eligible for training use regardless of the opt-out setting, which affects the p…
This clause delineates the scope of Anthropic's Privacy Policy by excluding circumstances where Anthropic processes data under a data processing agreement with a commercial entity. It clarifies that …
This means the opt-out is not absolute: any conversation that triggers a safety review can be retained and used for model training even if you have explicitly chosen not to contribute your data, and …
Employees using a work email for a personal Claude account may have their conversations visible to their employer's IT administrator without realizing it, particularly if the notice came through a ge…
Using a work email address to access Claude.ai may give your employer visibility into conversations that you intended to be private, including personal or sensitive content shared in the course of us…
The DPA governs how personal data submitted through the API is processed; because it is incorporated by reference rather than reproduced in the main terms, customers must review it separately to unde…
The opt-out mechanism does not fully prevent your conversations from being used to train AI models, because two significant carve-outs apply regardless of your settings choice.
Cross-border data transfers from the EU and UK to the U.S. are subject to specific legal requirements under GDPR, and users should be aware that their data leaves their home jurisdiction, even if tra…
The explicit prohibition on biometric and neural data misuse is particularly significant as these data categories carry heightened legal protections in multiple jurisdictions, and the impersonation p…
Users who share sensitive personal information in Claude prompts, such as health details, financial data, or identifying information, should be aware that this data is collected and stored, and could…
Users who use the feedback rating buttons may not realize this causes their entire conversation to be stored separately as feedback data, which may be subject to different use and retention terms tha…
The policy discloses that personal data obtained from publicly available internet sources and commercial datasets is used for model training, which means individuals who have not consented to or inte…
The provision operationalizes jurisdiction-specific privacy compliance by requiring users in designated regions to consult supplemental terms. This structure ensures that applicable regional regulati…
This clause delineates the scope of Anthropic's Privacy Policy by carving out commercial use cases where Anthropic provides backend processing services. The distinction clarifies that responsibility …
Users accessing Claude through an employer account or third-party application are not covered by this policy and must consult their employer's or operator's data practices separately, which may offer…
Users who access Claude.ai with a corporate email address may have their conversations (Materials) visible to their employer's administrator, and the terms permit Anthropic to forego individual notic…
Many people use Claude-powered tools without knowing Anthropic is the underlying engine; this clause means those users have no direct privacy rights against Anthropic and must look to their operator …
The opt-out does not provide complete exclusion from model training use: the policy reserves the right to use flagged conversations regardless of a user's opt-out preference, and the criteria for saf…
These provisions establish procedural mechanisms for individuals to exercise control over their personal data through access requests, correction requests, and objection to processing. The framework …
The policy states that advertising identifiers, probabilistic identifiers, and IP-derived location data are collected automatically, which are categories of data with direct relevance to targeted adv…
This type of automatic data collection is used to build a profile of your behavior and device, which feeds into advertising and analytics operations. The policy states this data may be used to identi…
The clause establishes the operational framework for privacy policy amendments, specifying that modifications may occur unilaterally and that notification occurs through publication and potential add…
This provision establishes the CCPA/CPRA rights framework applicable to California residents, including the opt-out right for the sale or sharing of personal information with advertising partners des…
The provision operationalizes CCPA statutory rights by creating a documented mechanism for users to restrict data monetization practices. This establishes a procedural pathway for exercising consumer…
The self-certification establishes the legal mechanism by which Anyscale processes and transfers personal data from EU, UK, and Swiss users to U.S. operations in compliance with EU and Swiss regulato…
This provision directly affects how your personal information is used for advertising and whether it is shared with third parties you have no direct relationship with.
This provision establishes the stated legal transfer mechanism for personal data flows from EU, UK, and Swiss data subjects to Anyscale's U.S. operations. Enterprise customers and their legal teams c…
This provision establishes a structural boundary between Anyscale's own data processing and the data processing it performs as a service provider to enterprise customers. Individuals whose data is pr…
This carve-out means that if you are an end user of a business that uses Anyscale's infrastructure, your data rights must be exercised with that business directly, not with Anyscale. Anyscale will no…
This provision conditions App Store distribution of gambling apps on jurisdiction-specific licensing compliance and geo-restriction, which are requirements under most gambling regulatory frameworks g…
This provision establishes a disclosure mechanism that consumers can use to assess an app's data practices before downloading, covering identifiers, location data, usage data, contact information, an…
This provision establishes a consent gate that users must pass through before cross-app and cross-website behavioral tracking for advertising can occur, and prohibits retaliatory restriction of app f…
This provision establishes a disclosure requirement that standardizes privacy transparency across App Store applications, enabling the App Store Review Guidelines to enforce consistent documentation …
International data transfers mean your personal data may be subject to the laws and government access regimes of countries other than your own, which is particularly significant for EU users whose da…
Children's online privacy is subject to strict legal requirements in the US and internationally, and the App Store's role as a distribution platform for children's apps means Apple's age verification…
This provision implements age-based account creation restrictions and establishes a data deletion procedure for non-consented collection of minors' personal information, addressing regulatory complia…
The clause establishes Apple's data usage practices for advertising and marketing purposes while providing users with the procedural means to disable personalized ad targeting and marketing communica…
The geographic conditionality of user rights means that your entitlements depend significantly on your jurisdiction. EU and UK users have strong GDPR-based rights, California users have CCPA and CPRA…
Voice data can contain highly sensitive information including personal conversations, health concerns, financial details, and communications with others who have not consented to being recorded, maki…
Precise real-time location data is one of the most sensitive categories of personal information because it can reveal where you live, work, worship, seek medical care, and who you associate with. The…
The clause establishes Apple's operational requirement to apply heightened data safeguards for child users and mandates account structure as a condition of service access for minors. This creates a d…
Because Apple products are tightly integrated, data collected across your iPhone, Apple Watch, iCloud, App Store, and other services can be associated together, creating a detailed profile that spans…
Health data is among the most sensitive categories of personal information because its misuse can affect insurance eligibility, employment decisions, and personal relationships. The policy's stated p…
The provision establishes a transparency mechanism that standardizes privacy disclosure across the App Store ecosystem, enabling comparative assessment of data practices and creating uniform reportin…
This provision states that even compelled access by Apple employees is technically prevented, which is a materially specific claim about resistance to insider access and potentially to legal compulsi…
This provision states a direct commitment that user request data is not retained or accessible after processing, which is the primary privacy assurance underpinning Apple Intelligence cloud features.
The routing decision between on-device and cloud processing determines which data is subject to PCC's privacy architecture, and understanding this routing is material for users and organizations asse…
The clause incorporates Apple's Privacy Policy by reference as a binding contractual document, making the specific data practices and sharing arrangements described in that policy legally operative t…
The provision creates a regulatory compliance framework for child data protection under applicable laws governing personal information collection from minors. It establishes parental consent and over…
Parents who set up Family Sharing are on the hook for any purchases their children make through their Apple IDs unless Ask to Buy is enabled, which means a child's accidental or intentional app or in…
The OneTrust implementation establishes the technical infrastructure through which cookie consent notices are displayed and user consent choices are recorded and applied across the Arlo domain. This …
The OneTrust implementation creates the operational mechanism through which Arlo collects, records, and honors user consent decisions regarding cookies and data collection practices. This establishes…
A persistent 366-day tracking cookie means your browsing behavior on Arlo's site can be linked across visits for over a year, enabling longitudinal profiling of your product interests, purchase patte…
Cookie consent choices affect what behavioral and analytics data Asana and its advertising partners collect about your website activity. Failing to review cookie settings means default tracking may a…
This distinction determines where you direct privacy requests. If your employer deployed Asana, you may need to go to your employer first to exercise rights like access or deletion of your workspace …
This clause operationalizes regulatory data subject rights obligations, establishing Asana's procedural framework for responding to user requests and enabling compliance with jurisdiction-specific pr…
This provision operationalizes Asana's compliance obligations under California privacy law by enumerating the specific consumer rights the company recognizes and the corresponding mechanisms resident…
California residents have some of the strongest statutory privacy rights in the US. Understanding these rights and how to exercise them is practically important for CCPA-protected users.
The legal mechanism used for international data transfers affects the protections your data receives when it moves to US servers. If the framework is challenged or invalidated, the basis for your dat…
Most people using Asana for work are on an employer-controlled account, meaning their work data belongs to the organization, not to them personally, and can be accessed by administrators.
By accepting these terms, you also agree to the Privacy Policy, which governs how Asana collects, uses, and shares your personal and usage data. Reviewing the Privacy Policy separately is important f…
The policy states that content created or uploaded within Atlassian products, including messages and files, is collected as personal information, meaning material you create in Jira or Confluence may…
The policy states that personal data from EU and UK users may be transferred internationally and that Standard Contractual Clauses are the stated mechanism, which matters because the adequacy of thes…
The use of third-party analytics and marketing cookies, including pixels and web beacons, means data about your browsing activity on Atlassian properties may be shared with third-party advertising an…
The DPA is the operative document for GDPR and CCPA compliance purposes, and its terms govern data controller and processor obligations, sub-processor authorization, and cross-border transfer mechani…
This provision states that enterprise administrators have access to and may restrict deletion rights over employee content in Atlassian products, which affects the practical ability of employees to c…
This provision establishes Audible's COPPA compliance posture and is operationally relevant because Audible offers content categories that may attract minor users. The FTC enforces COPPA and has purs…
This provision establishes that listening and content interaction data is used not only for service delivery but also for advertising measurement and personalization, including interest-based adverti…
This provision establishes that Audible recognizes GDPR and UK GDPR rights for EEA and UK users, which creates operational obligations to respond to data subject requests within statutory timeframes …
This provision establishes the legal basis and scope for Audible's use of tracking technologies that generate device identifiers, browsing activity, and behavioral data used in advertising and analyt…
This provision describes the statutory rights available to California residents under CCPA and CPRA and establishes the mechanisms through which those rights may be exercised. The non-discrimination …
Many users encounter Okta or Auth0 without realizing it, as it powers login for thousands of enterprise apps. Those users cannot rely on this policy for their data rights; they must look to their emp…
Third-party tracking technologies set by advertising partners can follow users across websites beyond Okta's own properties, and users should actively manage cookie preferences to limit this tracking…
The breadth of data collected, spanning identifiers, behavioral signals, and inferred profiles, means Okta is building a fairly detailed picture of users who visit its websites or use its marketing p…
The clause operationalizes Auth0's compliance obligations under privacy regulations (GDPR, CCPA) by establishing a formal mechanism for data subject requests. The provision conditions the availabilit…
Cross-border data transfers from the EU and UK to the US remain a significant regulatory concern following the Schrems II ruling, and the adequacy and current status of Okta's SCCs and any supplement…
This clause operationalizes Bank of America's CCPA compliance obligations by defining permissible information-sharing categories and restricting external disclosure. It establishes the bank's consent…
This category covers the broadest and most sensitive financial data, including transaction history and credit bureau reporting, and consumers have no ability to restrict it.
The provision establishes a procedural mechanism for California residents to access information about state-specific privacy protections, including rights that may exist independently under Californi…
Without opting out, affiliated Bank of America companies such as Merrill Lynch or other subsidiaries may use your banking data to target you with marketing for their own products.
California law provides consumers with rights that may go beyond federal GLBA protections, including rights to know, delete, and limit use of sensitive personal information, but those rights are in a…
This means your data may flow to financial companies outside Bank of America's corporate family for co-branded or partner marketing without any opt-out right available to you.
This provision authorizes data flows to external companies including credit bureaus and service providers without any consumer opt-out right, covering core banking data such as payment history and ac…
The scope of data collected is broad and includes information that, if improperly handled or disclosed, could facilitate identity theft or financial harm.
The 30-day window for new customers and the post-account-closure sharing provision mean your data may be shared even during and after your banking relationship in ways you cannot immediately prevent.
The policy establishes an opt-in requirement for sale of minors' personal information consistent with CCPA requirements, distinguishing between the 13 to 16 age group and children under 13, for whom …
The policy does not specify fixed retention periods for different categories of personal data, instead using purpose-based and legal-obligation criteria, which means users cannot determine from this …
The policy states that usage data is collected automatically, meaning this data collection occurs regardless of whether a user actively provides information, and includes device identifiers and behav…
The policy authorizes transfer of personal data to a successor entity in a business transaction; while notice is promised, the policy does not specify how far in advance notice will be given or what …
The policy states that a broad range of personal identifiers may be collected, and the phrase 'may include, but is not limited to' means the listed categories are not exhaustive.
The policy states that California residents can exercise rights to know, delete, and opt out of sale; the one-month response commitment is explicitly stated and provides a concrete timeline for users…
The policy authorizes international data transfers and asserts that policy acceptance constitutes consent to such transfers; this approach may not satisfy GDPR requirements for lawful transfer mechan…
The provision creates an operational framework for honoring California Consumer Privacy Act (CCPA) opt-out rights through both direct contact and automated browser-based signaling mechanisms, establi…
The absence of specific retention timelines for categories of data such as dual-camera imagery and location data makes it difficult for users to know exactly how long their most sensitive information…
The use of third-party tracking technologies for advertising means multiple companies can collect data about your behaviour on the BeReal platform, often without clear individual notice for each trac…
These rights give users in covered jurisdictions meaningful control over their personal data, but they are only valuable if users know they exist and how to exercise them.
A corporate transaction could result in your personal data being controlled by an entirely different company with different privacy practices, and you may have limited ability to prevent this transfe…
The provision establishes Best Buy's authority to initiate marketing communications across multiple channels while simultaneously creating procedural pathways for users to restrict receipt of such co…
The policy authorizes collection of a broad range of personal information including identifiers, commercial records, and electronic network activity, which may be used for advertising, analytics, and…
This clause operationalizes statutory privacy rights obligations by designating specific request mechanisms and channels. The provision establishes procedural pathways through which consumers can exe…
The policy enumerates consumer privacy rights including access, deletion, correction, and opt-out rights, which are enforceable under CCPA/CPRA for California residents and under analogous laws in ot…
This provision establishes the mechanism by which consumers can exercise their statutory opt-out rights under CCPA/CPRA and analogous state laws, and discloses that opting out may affect the personal…
The policy authorizes third-party partners to independently collect and use tracking data from Best Buy's website for their own advertising purposes, meaning consumer data may be used in contexts bey…
This clause operationalizes Betterment's obligations under the CCPA and CPRA by establishing the procedural mechanisms through which California residents can exercise statutory data subject rights, i…
The collection of Social Security numbers, bank account numbers, and full financial transaction histories creates significant risk exposure if the data is ever breached, misused, or shared beyond wha…
These rights give California users meaningful control over their sensitive financial data, including the ability to stop Betterment from sharing it with advertising and analytics partners.
Financial services companies like Betterment collect sensitive personal and financial data, and the applicable privacy policy determines what data is shared with third parties, how it is used for mar…
The clause establishes the operational framework for cross-context behavioral advertising practices and specifies the mechanism through which users can restrict participation in these advertising pro…
This provision operationalizes California privacy law requirements within Binance.US's data governance framework, establishing the procedural mechanism by which California residents invoke statutory …
The provision operationalizes CCPA/CPRA statutory rights by specifying the company's data practices and establishing mechanisms for residents to exercise access, opt-out, and limitation rights. This …
The CCPA and CPRA give California residents enforceable rights to control their personal data held by companies like Binance.US, including the right to know what data is collected, to request deletio…
Cookies and tracking technologies allow Binance.US and its third-party vendors to build behavioral profiles of users across sessions. Users who want to limit this tracking can use the OneTrust consen…
The agreement states that Binance.US collects and retains personal information including identity verification data, and that this information may be retained after account closure, which means users…
As a regulated money services business subject to Bank Secrecy Act requirements, Binance.US is legally obligated to file Suspicious Activity Reports and Currency Transaction Reports and to respond to…
Because Bluesky runs on the AT Protocol, public content is not just visible on Bluesky's own servers but can be replicated by any third-party node on the network, which means a deletion request submi…
Bluesky collects detailed behavioral data about your activity within the app, including content you view but do not interact with, which goes beyond what many users expect from a social media platfor…
EU, UK, and Brazilian users should know their data may be transferred to the US or other countries with different privacy protections, though Bluesky states it uses legally recognized transfer mechan…
Age verification and children's data protection are active regulatory priorities in the US and internationally, and Bluesky's use of birth date collection and third-party verification services to gat…
Unlike platforms that offer end-to-end encrypted messaging, Bluesky explicitly confirms that direct messages can be accessed by the company, which means users should not treat DMs as confidential com…
Users who delete their accounts expecting full erasure of their content may find that posts persist on other AT Protocol applications, which has direct implications for data subject rights under GDPR…
This provision authorizes Bluesky to share your data, including unencrypted direct messages, with law enforcement or government agencies based on the company's good faith belief, which extends beyond…
The 13-year minimum age threshold and reference to jurisdiction-specific age assurance processes indicate Bluesky's engagement with child safety regulations, but the terms do not specify the age assu…
This provision establishes the operational framework for data collection, processing, and distribution across Booking.com's service delivery network. The clause conditions certain data uses on explic…
Tracking technology deployment for behavioral data collection engages CCPA/CPRA opt-out obligations for data sharing through tracking pixels with advertising partners, as well as ePrivacy Directive r…
This provision establishes Brex's GDPR and UK GDPR compliance framework for EU and UK users, requiring the company to maintain lawful bases for all processing activities, respond to data subject requ…
This provision establishes the contractual framework for vendor data sharing and the scope of permitted downstream use, which is directly relevant to CCPA service provider qualification, GDPR process…
This provision establishes the full scope of personal data Brex processes, which spans both standard digital identifiers and sensitive financial account details, creating compliance obligations under…
The scope of data collected, including government identifiers and financial account data, means a significant amount of sensitive personal information is held by Brex and subject to its data handling…
This clause establishes Brex's acknowledgment of California statutory privacy rights and describes the specific consumer control mechanisms available under state law. The provision operationalizes Br…
This provision establishes the operational framework for Brex's CCPA/CPRA compliance obligations, requiring functioning request intake mechanisms, defined response timelines, and non-discrimination a…
This provision engages GDPR Chapter V cross-border transfer requirements for EU and UK users, requiring that Standard Contractual Clauses be accompanied by a Transfer Impact Assessment where transfer…
California residents have legally enforceable rights to access and delete their data and to stop certain data sharing, and Brex is required under state law to honor these requests within defined time…
Collection of data from credit bureaus and identity verification services triggers FCRA obligations, including permissible purpose requirements and adverse action notice rights, which are distinct fr…
This provision authorizes access to Facebook friend information and location data at account creation, and the complete scope of accessed data is defined by reference to a separate Privacy Policy doc…
This provision explicitly states that content review rights extend to direct messages between users, which is operationally significant given the private communication context. The clause reserves di…
Automated profiling and recommender systems that affect which users you see or who sees you involve processing of your personal data for algorithmic decision-making, which has specific rights implica…
This provision operationalizes Bumble's obligation to provide users procedural mechanisms for exercising statutory data protection rights. The enumeration of these eight specific rights establishes t…
Automated profiling in a dating app context can significantly affect who you are able to connect with, and under GDPR users have specific rights related to automated decision-making that produces sig…
This provision establishes an 18-plus age requirement and asserts active monitoring for underage use, which engages COPPA obligations in the US for users under 13 and may also engage state-level mino…
Precise geolocation data is one of the most sensitive personal data categories because it can reveal where you live, work, worship, and socialize, creating real-world safety and privacy risks for dat…
The provision operationalizes statutory privacy obligations applicable to California residents by explicitly enumerating the access, deletion, correction, and opt-out mechanisms that Bumble must prov…
These rights give you meaningful control over your personal data on the platform, including the ability to request deletion of your entire profile and data history, which is particularly important gi…
Message content is among the most private information users share on a dating platform, and its collection, storage, and potential disclosure in legal proceedings or safety investigations is a signif…
The age restriction and active monitoring for underage use engage COPPA and equivalent regulations, and the verification obligation creates data processing implications for users asked to confirm the…
International data transfers mean your personal information may be processed under legal frameworks that provide different or potentially lower levels of protection than your home country's laws.
Cross-border data transfers to the US have been subject to significant legal scrutiny in Europe, and the adequacy of Standard Contractual Clauses depends on additional safeguards and transfer impact …
The provision operationalizes Calendly's compliance obligation to recognize statutory data protection rights in specified jurisdictions and establishes the procedural mechanism (email contact) throug…
This provision operationalizes statutory privacy rights by establishing the mechanism through which California residents can exercise consumer privacy protections under state law. The clause specifie…
Legitimate interests is a flexible legal basis that does not require user consent, but under GDPR users have the right to object to processing based on legitimate interests, which Calendly must honor.
Calendar content can include highly sensitive professional and personal information, such as medical appointment titles, confidential meeting descriptions, or client names, and this data is processed…
Without specific retention periods, users and organizations cannot easily predict how long their data remains in Calendly's systems, which complicates data minimization and deletion compliance effort…
Mood and reflection data is among the most personal information a user can share with a wellness app; understanding how this data is stored, used, and potentially shared is important for users trusti…
For EU, UK, and Swiss users, the lawfulness of data transfers to the US depends on these mechanisms being properly implemented and maintained.
The 16-year minimum threshold is lower than the 13-year COPPA threshold in the US but may interact with stricter age requirements under GDPR, which sets a default age of digital consent at 16 (with m…
Inferred demographic characteristics can be used to personalize content and advertising without your explicit knowledge, and inferences about protected characteristics may engage additional legal pro…
Third-party tracking extends beyond Calm's own services and may result in your browsing behavior across other websites being collected and used to target you with ads.
Sleep data from health apps is sensitive personal information; while Calm states it limits use of this data to its original purpose, users should understand what they are consenting to when granting …
This provision operationalizes compliance with state privacy statutes (such as CCPA and similar laws) that restrict sale and sharing of minors' personal information. It establishes a baseline data pr…
This provision describes the mechanism through which users can exercise data rights under GDPR, CCPA, and equivalent frameworks. The conditional framing ('depending on where you live') means that the…
Cross-border data transfers involving EU personal data require legally adequate safeguards under GDPR. Canva's reliance on Standard Contractual Clauses is a recognized mechanism but requires accompan…
The policy distinguishes between essential and optional cookies, and the availability of a cookie settings tool is relevant to GDPR and ePrivacy consent obligations for EU users. The practical adequa…
The agreement places responsibility on users to self-certify their age and on parents to supervise minor users, rather than implementing verified age-gating mechanisms; this structure may not satisfy…
This provision establishes the minimum age threshold for Service use and conditions access for minors between 13 and 18 on parental approval. The provision engages COPPA (Children's Online Privacy Pr…
This provision authorizes transfer of user personal data to third parties in the context of a corporate transaction. The notice commitment provides some protection, but the practical ability of users…
This provision implements compliance with the Children's Online Privacy Protection Act (COPPA), which requires services to obtain parental consent before collecting data from children under 13. The d…
This provision authorizes sharing of behavioral and device data with third-party ad and analytics networks, which has implications for CCPA opt-out rights and GDPR consent requirements for tracking-b…
The provision operationalizes Cash App's obligation to comply with state privacy laws that grant residents rights such as access, deletion, and opt-out capabilities. This section signals the existenc…
The sponsored account framework for minors creates specific governance obligations regarding parental consent, applicable fee disclosures, and the scope of services available to users under 18, inclu…
The policy identifies internal affiliates including Square as a category of entities with whom personal data collected through Cash App may be shared, which means data provided to Cash App may flow a…
This provision links service use to affirmative acceptance of privacy terms without requiring separate, explicit opt-in. It establishes the operational basis by which Cash App's data practices become…
Precise geolocation data is classified as sensitive personal information under the CCPA/CPRA and analogous state laws, and the policy states this data may be collected by default unless the user take…
The collection of salary information, paystubs, benefits enrollment data, and timecard records represents a category of sensitive financial and employment data that extends beyond standard payment ap…
The presence of a children's personal information section indicates that Cash App's services are directed at or accessible to users who may be under 13, and the policy's treatment of this category de…
This section establishes the data ownership framework applicable to user-submitted content and platform data, and its interaction with the Privacy Notice (referenced as a binding policy) determines h…
The Sponsored Account provision creates a distinct account type for minors aged 13-17, which engages COPPA requirements for the collection of personal information from children under 13 (if applicabl…
The GLBA notice requirement creates a regulatory framework governing how Cash App must communicate its data handling practices to consumers. This disclosure obligation establishes the baseline transp…
These rights are legally enforceable under California law and give California residents meaningful control over how Cerebras handles their personal data, including the ability to stop data sharing fo…
Users submitting potentially sensitive business, technical, or personal information to Cerebras AI services may rely on this commitment as a data minimization assurance, though the policy does not de…
The 13-year minimum age engages U.S. COPPA requirements for services that may be accessed by children, but the document does not describe any age verification mechanism, which may create compliance g…
The linking of automatically collected behavioral and device data to personally identifiable information such as your email and phone number creates a more comprehensive profile than anonymous browsi…
This means your data profile at Cerebras may include information you never directly provided, sourced from social media activity, public records, or commercial data brokers, which can result in a mor…
The provision operationally links data retention to service functionality, establishing that certain data categories are designated as essential to service delivery. This framework conditions continu…
This provision establishes that parental access to teen activity data is gated by the teen user's affirmative action rather than by a parent-initiated or platform-initiated consent mechanism. This de…
This provision discloses that human reviewers have access to user content and AI-generated outputs, which is relevant to user privacy expectations and may engage data protection obligations depending…
This provision establishes a specific data disclosure mechanism in which teen usage data, including session duration and character interaction records, is transmitted to a third-party email address (…
The document's reference to a teen safety commitment without disclosing specific protective measures, age-based content restrictions, or account controls on this page means the Safety Center function…
This provision discloses a material architectural difference in how minors experience the platform, which has direct implications for child safety compliance under COPPA and analogous state laws.
The clause establishes Chase's baseline practice of targeted advertising across third-party platforms while providing a standardized industry opt-out mechanism, creating a dual-track system where the…
California's CCPA and CPRA give residents meaningful control over their personal data held by financial institutions, including rights not available to consumers in most other U.S. states.
Your browsing behavior on Chase's digital platforms is tracked and may be used to serve you targeted advertising across the internet, meaning Chase's data collection extends beyond its own services i…
Real-time location data is among the most sensitive categories of personal information, and its collection for marketing offers goes beyond what is strictly necessary to deliver core banking services.
International data transfers mean personal financial and identity data may be processed in countries with different privacy laws, and the adequacy of protection depends on the specific mechanisms use…
The clause operationalizes data subject rights required under data protection regulations by specifying the submission mechanism (privacy@checkout.com), response timeline, and conditions for fulfillm…
Automated fraud decisions can result in transactions being declined or accounts being flagged without any human judgment involved, and individuals may not always know when they have been subject to s…
Legitimate interests is a flexible but contested legal basis under GDPR; individuals have the right to object to processing on this basis, and Checkout.com must stop unless it can demonstrate compell…
This distinction determines who is legally accountable for cardholder data rights requests: if a cardholder wants to exercise GDPR rights over their payment data, they may need to contact the merchan…
California residents have enforceable statutory rights to access, delete, and control the sale of their personal data, and Chegg is obligated to respond to these requests, though the process and resp…
This is a legally required right under CCPA and CPRA, and exercising it stops Chegg from sharing your data with advertising partners for targeted advertising purposes.
This provision is important for parents, as it indicates that Chegg's primary services are targeted at users 13 and older, and that parental consent obligations exist for certain uses by minors, thou…
This provision implements statutory requirements under California privacy law (CCPA/CPRA) by establishing a procedural mechanism through which eligible users can exercise data subject rights and ensu…
FERPA compliance provisions are operationally significant because they define the legal boundaries for handling sensitive student data and establish requirements for data security, access controls, a…
The clause establishes the operational basis for Chegg's use of persistent tracking technologies across user browsing activity, enabling both service functionality and cross-context behavioral data c…
Tracking technologies enable detailed profiling of your behavior on Chegg's platform, and this data is shared with advertising partners; you can manage some of this through cookie consent settings.
The operational significance is that Chegg's data handling practices for EU and UK users are governed by mandatory regulatory requirements under GDPR and UK GDPR, which establish specific requirement…
These rights are meaningful protections, but they are conditioned on the user's location, meaning their availability varies and users must proactively exercise them rather than being protected by def…
The absence of specific retention periods means Chegg may hold your personal data indefinitely under broad justifications, limiting users' ability to predict when their data will be deleted.
The provision establishes a mandatory data-sharing framework for core operational functions and regulatory obligations, with no opt-out mechanism available for these specific categories of disclosure…
This provision establishes the operative scope of opt-out rights available under federal privacy law, defining which sharing practices fall within permissible categories that consumers may limit. The…
California residents have stronger privacy protections than most other US users, including the right to stop Chime from sharing your data with advertising partners, which is directly relevant given t…
Chime's website actively loads tracking pixels from Facebook, TikTok, Google, Reddit, Taboola, Bing, and LiveRamp, meaning your visit to Chime's site or use of its app may contribute to advertising p…
The provision establishes a default sharing authorization for non-affiliated marketing purposes, with the operational significance that data sharing occurs unless the customer exercises the available…
The combination of sensitive financial identifiers, government identification, and behavioral tracking data creates a comprehensive profile; understanding what is collected helps you assess your expo…
Identity resolution services like LiveRamp can connect your Chime activity to your broader online identity across websites, apps, and devices, potentially creating a richer advertising profile than t…
Because Chime is a financial technology company and not a bank itself, your account and financial data flows to Chime's bank partners, which means your information is governed by multiple entities' p…
Knowing exactly what categories of data are collected helps you assess the scope of your privacy exposure and whether the collection is proportionate to the service provided.
For EU and UK users, data transfers to the US require legally valid safeguards under GDPR, and the policy's reliance on consent as a transfer mechanism may not satisfy GDPR requirements in all circum…
Open-ended retention language means your data could be kept indefinitely without a clear endpoint, which affects both your privacy expectations and your ability to request deletion.
Cookies and tracking technologies create a persistent record of your behavior across ClickUp's platform and potentially across other sites, and some of these technologies are shared with advertising …
This provision operationalizes ClickUp's compliance obligations under GDPR and related data protection regimes by establishing a formal mechanism for users to exercise statutory rights and defining t…
These are enforceable statutory rights under California law, meaning ClickUp must comply with valid requests and cannot retaliate by degrading service for users who exercise them.
This provision operationalizes CCPA compliance obligations by specifying which statutory consumer rights ClickUp recognizes and the procedural mechanisms (privacy request form and website opt-out lin…
If you are in the EU, UK, or Switzerland, your data is transferred to the U.S. under Standard Contractual Clauses, a mechanism whose adequacy has been subject to ongoing legal scrutiny, and you may h…
This clause establishes Cloudflare's recognition of statutory data subject rights under GDPR and UK data protection frameworks. The provision operationalizes Cloudflare's obligation to facilitate exe…
Incorporating the privacy policy by reference means changes to that document affect your rights under this agreement, and the acknowledgment that transmissions are never fully secure may affect any e…
These are legally enforceable rights under California law, not just policy commitments, and include the right to opt out of data sharing for behavioral advertising, which is relevant given Cloudflare…
This provision means your IP address, account data, and traffic logs could be disclosed to government or law enforcement agencies in response to legal process, which is particularly relevant given th…
The absence of specific retention periods in the public policy makes it difficult for users to know how long their IP addresses, usage logs, and account data are stored, which is relevant to understa…
This clause operationalizes Cloudflare's compliance obligations under California privacy law by establishing the procedural mechanism through which residents may exercise statutory rights and specify…
This provision operationalizes California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) statutory rights by establishing the procedural framework through which California resid…
Third-party advertising and cross-site tracking technologies extend Cloudflare's data collection beyond its own services into your broader browsing behavior, which is a category of processing that ca…
Your IP address and browsing behavior are collected passively across a vast range of internet destinations that use Cloudflare's infrastructure, which represents a significant breadth of data collect…
This provision covers location tracking, communications monitoring, and unauthorized profiling, which are categories of data processing subject to significant regulatory obligations under privacy fra…
The clause operationalizes legal rights granted under GDPR, UK GDPR, and CCPA by establishing a procedural mechanism for data subjects to request exercise of those rights. The designation of a specif…
This provision is particularly significant for EU and UK users because transfers of personal data from the EEA and UK to the United States require a lawful transfer mechanism under GDPR and UK GDPR, …
Logical isolation is a key data security commitment for enterprise customers, particularly those in regulated industries. The document states this separation applies to customer data within Cohere's …
This provision determines whether the prompts, documents, and queries you submit to Cohere's AI services are retained and used to further develop Cohere's models, which has implications for confident…
This provision addresses a key concern for enterprise customers about whether their proprietary business data submitted to an AI platform could be disclosed or monetized by the platform provider.
This provision defines the scope of personal data collection and establishes that content submitted through the service is collected alongside standard account identifiers, which is relevant to under…
This provision acknowledges the statutory rights California residents possess under state privacy law. The clause operationalizes these rights within Cohere's privacy framework and establishes the co…
This clause operationalizes GDPR and related regulatory requirements by specifying the individual data subject rights that Cohere recognizes and the mechanisms through which users may exercise them. …
The right to request data deletion is a core data governance right for enterprise customers and aligns with regulatory requirements under GDPR and CCPA. The document's recognition of this right indic…
This provision establishes the mechanism for users to exercise their privacy rights and names the contact point for submitting data requests, which is the primary action channel for consumers wanting…
The provision operationalizes Coinbase's compliance framework with GDPR, CCPA, and related privacy statutes by explicitly recognizing and establishing procedures through which users in covered jurisd…
For EU and UK users, data transferred to the US is subject to US surveillance laws and the adequacy of Standard Contractual Clauses as a safeguard depends on Coinbase conducting and maintaining trans…
The provision operationalizes privacy rights that vary by jurisdiction and establishes the procedural mechanism—a dedicated portal and contact email—through which users can submit requests to exercis…
The provision operationalizes privacy rights compliance by creating dedicated request channels and designating a Data Protection Officer as the point of contact, establishing the procedural framework…
Tracking technologies may be used by advertising and analytics partners to build profiles of user behavior on and potentially beyond the Coinbase platform, and users in some jurisdictions have the ri…
This provision establishes Coinbase's obligations under California privacy law to provide California residents with specific data access, deletion, and control mechanisms. The clause operationalizes …
The provision establishes the framework through which users can exercise data subject rights under applicable privacy regulations. The availability and scope of these rights are conditioned on the us…
Because Coinbase is subject to financial regulatory recordkeeping requirements under the Bank Secrecy Act and related rules, certain data including transaction records and identity documents may be r…
GDPR and UK GDPR rights are legally enforceable and Coinbase must respond to requests within defined timeframes, making these provisions more than contractual commitments for EU and UK users.
This clause operationalizes compliance with jurisdictional privacy regulations by establishing a defined mechanism for users to exercise statutory rights. The provision conditions the availability an…
California residents have enforceable rights under CCPA and CPRA that give them more control over their personal data than the general policy terms, including the right to opt out of data sharing for…
These provisions establish procedural pathways for users to exercise statutory data subject rights under privacy regulations such as GDPR and CCPA. The specification of submission mechanisms (Privacy…
Your service usage patterns, device information, and network data are collected and can be used for internal marketing purposes in addition to service delivery, which means your data informs how Comc…
Without defined retention periods for specific data categories, users and enterprise customers cannot easily assess how long their submitted content, usage data, or account information will be stored.
For EU users in particular, relying on use of the service as consent to international data transfer may not satisfy GDPR's requirements for a valid transfer mechanism, as consent alone is generally n…
Session replay tools can capture detailed behavioral data including form inputs, navigation patterns, and potentially sensitive content entered during a session, going beyond standard analytics into …
EU users have enforceable rights under GDPR with regulatory backing from national data protection authorities, giving them stronger practical recourse than users in many other jurisdictions.
This provision operationalizes statutory data subject rights under GDPR and state privacy laws by specifying the mechanism (email contact), response timeline (45 days plus possible extension), and ca…
The opt-out of sale and sharing right under CPRA is particularly significant because Copy.ai's use of advertising networks and analytics vendors may constitute sharing of personal information for cro…
This provision establishes the GDPR rights framework applicable to EEA and UK users, including the right to object to processing based on legitimate interests, which is operationally relevant given C…
The age threshold of 16 in certain jurisdictions (consistent with GDPR requirements) is a legally significant distinction that parents and guardians of teenagers should be aware of when considering p…
EU, UK, and other non-U.S. users should be aware that their data is transferred to a jurisdiction with a different legal framework, and the adequacy of transfer mechanisms is a material compliance co…
This provision establishes the operative privacy rights framework for California-resident users, including the right to opt out of the sale or sharing of personal information for advertising purposes…
This provision establishes a minimum age threshold of 13 aligned with COPPA requirements and imposes parental involvement requirements for users under the age of majority, which varies by jurisdictio…
This provision establishes an open-ended retention standard based on operational and legal necessity without specifying maximum retention durations for most data categories, which may require evaluat…
The clause operationalizes data subject rights mandated by privacy regulations like GDPR, establishing Coursera's obligation to provide mechanisms through which users can exercise control over their …
This provision operationalizes California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) statutory requirements within Coursera's privacy framework, establishing procedural mech…
Cookies and tracking technologies underpin the advertising and analytics data flows described elsewhere in the policy, and the legal requirements for their use differ significantly by jurisdiction.
EU users have legally enforceable rights under GDPR, and California users have rights under CCPA/CPRA, but the notice frames these as conditional on location and applicable law, which is accurate but…
This language limits Craigslist's liability in the event of a data breach, and means users cannot rely on a contractual security commitment when entrusting the platform with personal and financial in…
Users outside the US, particularly in the EU and UK, have stronger data protection rights under local law, and transferring data to the US without a specific legal mechanism may not satisfy those leg…
The absence of a defined retention period means your personal data, including contact details, location history, and device identifiers, could be held indefinitely as long as Craigslist determines a …
This provision operationalizes statutory obligations under the CCPA by specifying the data subject rights available to California consumers and establishing the procedural mechanism for submitting re…
This clause defines the operational scope of model training practices by establishing default non-use of user-generated content for training purposes and creating exceptions only for security analysi…
This footnote creates a class-based distinction in data sharing practices based solely on account creation date, meaning the scope of third-party data sharing differs materially between user cohorts …
The policy states that administrators can access and manage a user's service activity, which may include visibility into usage patterns or account-level data beyond just email and account status.
This provision distinguishes Usage Data from Content (code inputs and suggestions), authorizing Anysphere to collect and process interaction and log data for business purposes and to share it with th…
The security review exception means that Inputs flagged for Terms of Service enforcement purposes may be analyzed by Anysphere, which is a conditional pathway that applies even without the user's exp…
This provision establishes that the default position is no use of user content for AI training, which is a contractually explicit opt-in framework rather than a passive opt-out arrangement.
The policy identifies a single contact email for all data subject rights requests and appeals, and states that exercising these rights will not result in discriminatory treatment, which is a requirem…
This provision clarifies that users who supply their own API keys cannot avoid Cursor's data pipeline, meaning the same data handling terms apply regardless of whether a personal or organizational AP…
This provision establishes Privacy Mode as the operative mechanism for preventing code and prompt data from being used as AI training data, but notes that even with Privacy Mode on, Cursor may retain…
The document states that without Privacy Mode, code data may be stored or used for training by model providers; enabling it triggers contractual ZDR obligations on those third-party providers.
The policy references legally valid transfer mechanisms for EEA and UK data transfers but does not name the specific mechanism (such as Standard Contractual Clauses), which limits the ability of EEA …
This provision establishes that codebase indexing results in persistent storage of embeddings and metadata (including file names and hashes) even though plaintext code is not retained, which may have…
This provision establishes the mechanism by which policy modifications take effect without requiring affirmative user consent. It operates as a consent-by-continued-use framework, meaning users must …
The policy discloses that certain interactions not visible in a user's history may be retained for safety and system monitoring purposes, meaning the absence of data in a user's visible history does …
The policy states that continued use constitutes acceptance of changes, without specifying a minimum notice period or requiring affirmative consent for material changes; whether this meets applicable…
The policy states that personal data included in Inputs will be collected and may be reproduced in Suggestions, which is relevant for users who include third-party personal data, credentials, API key…
The document states that critical incidents will be communicated to affected users by email, which is the mechanism users should expect to receive breach or incident notifications; users should ensur…
Inference data is one of the more sensitive categories under modern privacy law because it represents conclusions drawn about you that you may not be aware of, and which may affect how you are market…
This clause documents Databricks' operational obligation to provide California residents with mechanisms to exercise their statutory privacy rights and establishes the procedural framework (privacy p…
Enterprise customers cannot rely on this public privacy notice to understand how their platform data is protected. The actual obligations and rights depend on separately negotiated contract terms.
The provision operationalizes compliance with data protection regulations that vary by jurisdiction, establishing a defined request mechanism and acknowledging specific data subject entitlements. Thi…
This clause implements statutory rights requirements under GDPR and equivalent regional data protection frameworks. The provision establishes Databricks' procedural mechanism for receiving and proces…
Cookie and tracking data can be used for behavioral advertising and analytics, and under GDPR and many US state laws, you have the right to consent to or reject non-essential tracking before it occur…
International data transfers from the EU require specific legal safeguards and the adequacy of Standard Contractual Clauses as a transfer mechanism has been the subject of ongoing legal scrutiny, mea…
This provision establishes the institutional framework for personal data processing activities that do not require explicit consent. By relying on legitimate interests as a legal basis, Databricks ca…
The policy authorizes collection of a broad range of professional and behavioral identifiers, including payment information and clickstream data, which are used for service delivery, marketing, and a…
The policy authorizes the use of persistent cookies and third-party tracking technologies including web beacons and pixel tags for behavioral tracking, which may require prior consent under the ePriv…
The clause creates a legal framework requiring the entity to implement processes and mechanisms to honor consumer requests for data access, deletion, correction, and opt-out elections. This establish…
The Data Privacy Framework certification provides the lawful basis for international data transfers from European and Swiss jurisdictions to U.S. operations. This framework establishes specific princ…
This provision documents Datadog's acknowledgment of California statutory privacy obligations and establishes the framework through which California residents may request exercise of their rights. Th…
The policy identifies Standard Contractual Clauses as the primary transfer mechanism for EEA personal data, which requires Datadog to conduct transfer impact assessments where required and to maintai…
The policy discloses specific CCPA rights available to California residents and identifies a direct contact mechanism for exercising them, which enables residents to act on rights that the California…
The clause creates a dual framework: it recognizes statutory data protection rights in specified jurisdictions while simultaneously authorizing cross-border data transfers under an EU-approved contra…
This provision explicitly acknowledges California residents' CCPA rights and the opt-out from sale of personal information. The non-discrimination guarantee means that California users who exercise p…
This provision establishes DeepL's acknowledgment of California statutory privacy obligations and identifies the specific rights that apply to California resident users under state law. It creates an…
Voice translation involves the real-time capture and processing of spoken audio, which may include sensitive or personally identifiable speech; the policy's no-storage claim is significant for users …
This provision authorizes the collection of behavioral and interaction data through cookies and similar technologies for multiple purposes including marketing, which engages ePrivacy Directive requir…
This provision establishes retention duration in general terms without specifying category-by-category retention periods, which may limit users' ability to assess how long specific data types are hel…
This provision authorizes the transfer of user personal data to multiple categories of third-party processors and asserts that GDPR-compliant data processing agreements govern these transfers. Compli…
This provision discloses that EEA user data may be routed to non-EEA processors, with Standard Contractual Clauses cited as the primary safeguard mechanism. Organizations subject to strict data resid…
Data transfers outside the EEA carry privacy risks if the receiving country has weaker legal protections or government access to data; the adequacy of SCCs as a transfer mechanism has been the subjec…
This commitment is particularly important for users who translate confidential, proprietary, or sensitive documents, as it limits how DeepL can use the content they submit.
This provision establishes the conditions under which Delta will share your data with government authorities, including a 'good faith belief' standard that permits voluntary disclosures beyond those …
Behavioral tracking data can be combined with your booking and loyalty information to build a detailed profile of your travel habits, preferences, and online behavior, which may be shared with advert…
California's comprehensive privacy laws give residents more control over their personal data than federal law currently provides, including the right to stop Delta from sharing data with promotional …
The provision establishes Delta's operational framework for privacy management and partner data sharing disclosures, which are core requirements under CCPA/CPRA for California residents. This structu…
The policy does not specify fixed retention periods for most data categories, relying instead on a reasonableness standard; data may persist after account closure for legal and enforcement purposes, …
The policy grants California residents specific rights under CCPA and CPRA, including the right to opt out of data sharing for cross-context behavioral advertising, which is directly relevant given t…
This provision establishes Discord's compliance posture under the Children's Online Privacy Protection Act (COPPA), which restricts collection of personal information from children under 13 without v…
The provision creates age-based eligibility criteria that Discord enforces through user attestation, establishing a contractual mechanism by which users confirm their age status and, where applicable…
The collection of email address, phone number, date of birth, payment method, and a unique persistent identifier means Discord holds a detailed profile linked to your real identity across your use of…
The terms acknowledge CCPA rights for California residents, including access, deletion, and opt-out of sale rights, which are enforceable under California law regardless of what the broader terms sta…
The collection of IP addresses, device identifiers, and behavioral logs enables Discord and its partners to associate activity across sessions and devices, which is relevant to advertising targeting,…
The policy acknowledges GDPR and UK GDPR rights for EEA and UK users and provides accessible channels for exercising them, including in-app settings and a direct email address, which represents a con…
Subscriptions purchased by minors may be voidable, and using a Disney+ account for commercial or group purposes violates the terms and could result in account termination.
California and other US state residents have legally enforceable rights to control how Disney uses their data, including the right to opt out of data sales and targeted advertising, but exercising th…
Your Disney+ streaming activity and device information may be used to build an advertising profile that follows you across the internet, not just within Disney's own properties.
The provision operationalizes statutory privacy rights under California law within Disney+'s service terms, requiring the company to implement procedures for verifying resident identity and processin…
Precise GPS-level location data is a sensitive data category under multiple privacy laws and can reveal sensitive information about where you live, work, or spend time; knowing when and how to grant …
This provision operationalizes California Consumer Privacy Act (CCPA) requirements within Disney+'s service terms, establishing specific mechanisms by which California residents can request data acce…
Third-party tracking technologies embedded in Disney's services can follow your behavior across the internet, enabling advertising that persists beyond the Disney platform you visited.
These rights are only available in certain jurisdictions, primarily California, EU/EEA states, and a growing number of US states; users in other locations may have fewer or no enforceable rights unde…
Voice data is particularly sensitive because it can be used for voice recognition and biometric identification, and the collection of audio through smart speakers or streaming devices may occur in sh…
A profile built from data across Disney+, Hulu, ESPN+, parks visits, merchandise purchases, and third-party sources could be significantly more detailed than any single service's data, potentially re…
Precise geolocation and persistent device identifiers are among the most sensitive categories of data for advertising and tracking purposes, and their collection by Disney for cross-platform profilin…
If you opt out of data collection on your smart TV or streaming device, those choices do not carry over to Disney's own data collection, meaning you may need to manage privacy settings separately in …
Your data from a theme park visit or retail purchase can be linked to your Disney+ streaming profile, creating a more comprehensive picture of your behavior than users may expect from a streaming ser…
The breadth of data categories collected across all Disney services means that activity on one platform can be linked to your profile on others, building a detailed picture of your preferences, habit…
The provision establishes procedural mechanisms for users to exercise statutory data rights that vary by jurisdiction. It creates an operational framework for DocuSign to receive and process such req…
The provision creates an explicit consent mechanism that conditions service use on acceptance of DocuSign's data processing framework as detailed in the referenced Privacy Notice. This establishes th…
Cross-site tracking extends DocuSign's data collection beyond its own platform, potentially building a profile of your online behavior that informs advertising and product decisions.
EU and UK data protection law provides some of the strongest privacy rights globally, and the use of Standard Contractual Clauses for transfers to the US means those rights travel with your data, tho…
Open-ended retention language means your data, including document content, may be retained for extended periods beyond the immediate transaction, and the specific retention periods are not detailed i…
These are legally enforceable rights under California law that DocuSign is required to honor, giving California residents meaningful control over how their personal data is used.
This provision implements California Consumer Privacy Act (CCPA) requirements by establishing an operational mechanism through which California residents can restrict specific data practices. The cla…
This distinction determines which privacy protections apply to your data. For document content, your rights may depend on the business that sent you the document rather than DocuSign directly, which …
The provision operationalizes DocuSign's obligation to provide California-specific disclosures and acknowledge state-level privacy rights separate from the baseline privacy notice, establishing the r…
Documents signed through DocuSign frequently contain sensitive personal, financial, legal, or medical information, and this clause confirms that content is collected and processed by DocuSign as part…
This provision implements California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) statutory requirements by establishing the procedural framework and enumerated rights that Ca…
The terms authorize consent to data collection and disclosure through the act of using the Service, and users are also bound by additional policies published on the website or app even if those polic…
The policy states that personal information may be transferred and processed outside the user's home jurisdiction, including outside Australia, Canada (and Quebec specifically), New Zealand, and the …
The policy states that by placing an order, users acknowledge and agree that merchants may contact them directly using the personal information DoorDash provides, and that DoorDash disclaims responsi…
The policy authorizes collection of precise location data during background app activity, meaning location tracking may occur beyond the moments of active app use, and this data is stored and may be …
The policy's inclusion of a dedicated section on children's personal information indicates that DoorDash has considered COPPA and analogous obligations, though the specific terms of that section are …
The policy identifies government-issued identification and signatures as potentially sensitive personal information and states that consent will be obtained where legally required, but does not speci…
This provision operationalizes CPRA compliance obligations within DoorDash's privacy framework by explicitly recognizing the enumerated consumer rights that California law mandates. The clause establ…
Session replay technology captures detailed interaction data including keystrokes, cursor movements, and browsing behavior on the platform, and this disclosure is embedded in a broader list of activi…
The policy authorizes use of personal data for ad targeting on third-party platforms, which under CCPA and CPRA constitutes a sale or sharing of personal information requiring an opt-out right for Ca…
The policy discloses that pixels and SDKs, in addition to cookies, are used to collect data. Pixels and SDKs can transmit data to advertising and analytics partners and may operate independently of b…
The availability and scope of privacy rights, including the right to delete data, opt out of data sale or sharing, correct inaccurate data, and receive a copy of data, depends on the user's jurisdict…
The default public visibility of detailed gambling activity including wager amounts, entry fees, and contest lineups is a meaningful privacy exposure for users who may not realize the extent of their…
The right to use de-identified data derived from personal information 'for any purpose' and share it with third parties 'for any reason' is broad, and the practical privacy protections depend on the …
If you live in or travel to an excluded state or region, you cannot enter real-money contests, and participating from an excluded region could be treated as a violation of the terms, with potential c…
This provision shifts the legal burden of third-party consent to the user rather than retaining it with DraftKings as the data controller, which may be inconsistent with how data controller obligatio…
This provision operationalizes GDPR data subject rights by establishing the procedural mechanisms through which users exercise access, rectification, erasure, and portability rights. It specifies bot…
EU, UK, and Swiss users have strong data protection rights, and the legal mechanisms Dropbox relies on to transfer data to the US have been subject to legal challenge; if those mechanisms were invali…
Many users assume their stored files are private and unexamined; this clause establishes that Dropbox reserves the right to process file content itself, which may have implications for confidential b…
Deleting your account does not immediately erase all of your data; Dropbox retains information for legal compliance, dispute resolution, and contract enforcement purposes for unspecified additional p…
Tracking technologies allow Dropbox and its advertising partners to build a behavioral profile based on your usage, which is shared with third parties for marketing purposes and may persist across br…
The clause establishes the operational procedure through which Dropbox implements California Consumer Privacy Act (CCPA) data access and deletion rights, specifying the submission channels that trigg…
The breadth and scale of D&B's data processing means that a significant proportion of business professionals worldwide may have data held about them in the D&B Data Cloud, often without having a dire…
AI-generated scores and ratings produced by D&B may influence credit decisions, business risk assessments, and professional due diligence about individuals, making the governance of these systems mat…
The existence of a rights portal is the primary mechanism through which individuals can discover and control what data D&B holds about them, particularly relevant given D&B's data broker status and t…
This provision establishes the company's operational framework for handling data subject access requests and rights exercises under applicable data protection regimes. The reference to a separate Glo…
The good faith standard for disclosure, combined with the broad category of protecting D&B's rights and property, gives the company significant discretion to share your account data without requiring…
These certifications are the legal basis on which D&B transfers personal data from the EU, UK, and Switzerland to the United States; if a certification lapses or is challenged, the lawfulness of thos…
Data broker registration confirms that these entities may collect, aggregate, and license personal and professional information, and that state-specific rights and opt-out mechanisms apply, including…
For EU and UK users, international data transfers are subject to strict legal requirements under GDPR, and a general website consent embedded in terms of use may not constitute a sufficient legal bas…
Incorporating data protection obligations by reference to a separate DPA means customers must actively identify and review an additional document to understand how their users' authentication data is…
Your authentication behavior data, including login patterns, device types, and application access, may contribute to training AI models, which raises data minimization and purpose limitation question…
California residents have more enforceable privacy rights against Cisco than users in most other US states, including the right to opt out of data sharing and to limit use of sensitive personal infor…
Cross-border transfers of authentication data to the US are subject to EU privacy rules, and Standard Contractual Clauses are the primary safeguard Cisco uses, but the adequacy of those safeguards de…
The clause establishes Duo's operational framework for complying with California privacy statutes and defines the baseline rights California residents may exercise with respect to personal informatio…
Authentication logs are sensitive because they reveal patterns of behavior, work hours, device usage, and application access, and this data is collected automatically every time you log in using Duo.
The absence of defined retention periods for specific data types like authentication logs means Cisco may retain this data for an extended and indeterminate period, which is relevant to privacy right…
This provision operationalizes Duolingo's compliance obligations under GDPR and related data protection regimes by explicitly acknowledging and authorizing the exercise of statutory rights by a defin…
The policy states that by using the service, users consent to data transfer to the US, which for EU and UK users intersects with GDPR requirements for lawful international data transfer mechanisms th…
This provision operationalizes Duolingo's compliance with the Children's Online Privacy Protection Act (COPPA), which imposes specific requirements on online services regarding data collection from c…
The policy explicitly enumerates CCPA and CPRA rights for California residents, including the right to opt out of data sharing for cross-context behavioral advertising, which is a concrete and exerci…
The breadth of data categories collected, including learning performance, streaks, device identifiers, and IP addresses, means Duolingo builds a detailed profile of each user's activity and behavior …
The policy confirms that EU and UK users have GDPR rights enforceable by local supervisory authorities, including the right to lodge complaints without needing to take legal action directly against D…
This provision establishes mechanisms for account termination and data portability, creating procedural pathways for users to exercise data deletion and export rights. The retention exceptions for le…
The policy reserves the right to transfer all user personal data, including learning history, identifiers, and payment information, to a third party in the context of a corporate transaction, without…
EU, UK, and Swiss users' data is processed in the US under the DPF framework, which provides specific rights including access to a free dispute resolution mechanism and, as a last resort, binding arb…
This provision operationalizes EA's legal compliance obligations under California privacy statutes, which impose disclosure requirements, access rights, deletion rights, and opt-out mechanisms that d…
Gameplay recordings and statistics can be made publicly visible beyond the game itself, including at live events; players in competitive modes should understand their gameplay may be broadcast in con…
California residents have legally enforceable rights to access, delete, and limit the sharing of their personal data with EA and its advertising partners, and EA is required to respond to these reque…
The absence of defined retention periods means users cannot predict when their data will be deleted, and the broad 'operational or other legitimate reasons' exception could support extended retention…
The legal mechanism used for international data transfers affects whether your data is protected under EU standards when it is processed in the United States, and the DPF's long-term legal stability …
The provision operationalizes data subject protections by establishing the mechanism through which users can request Egnyte to perform specific data handling actions. The availability and scope of th…
This distinction determines who you must contact to exercise privacy rights over your data and which policies govern your information depending on context.
Third-party tracking technologies can share your browsing behavior with advertising and analytics companies, and under CCPA/CPRA this may qualify as 'sharing' personal data that California residents …
The corporate transaction carve-out means your personal data could be transferred to a new company if Egnyte is acquired, and that new company's privacy practices may differ from Egnyte's current pol…
These are legally enforceable rights under California law, not just policy commitments, and Egnyte is required to respond to verified requests within legally mandated timeframes.
Understanding what data Egnyte collects helps you assess what personal information is being stored and potentially used for marketing, product analytics, or shared with third-party services.
This provision establishes the mechanism through which data subjects exercise statutory rights under GDPR, UK GDPR, and CCPA/CPRA; the policy routes all such requests through a single email contact, …
This provision establishes CCPA/CPRA compliance obligations for ElevenLabs with respect to California residents, including a specific opt-out right for the sale or sharing of personal information wit…
These rights give EU and California users meaningful control over their personal data including voice recordings, but they only apply if users actively exercise them by contacting ElevenLabs.
Age verification practices for voice AI platforms are under increasing regulatory scrutiny, and a policy relying on 'knowing' collection without active verification may not fully satisfy COPPA obliga…
The use of tracking technologies for advertising purposes engages GDPR's consent requirements under the ePrivacy Directive for EU/EEA users and CCPA/CPRA sharing opt-out requirements for California r…
These rights are enforceable under GDPR and UK GDPR, and ElevenLabs is obligated to respond to valid requests within statutory timeframes; failure to honor these rights can be reported to national da…
The absence of specific retention schedules for voice recordings and other data categories creates compliance exposure under GDPR's storage limitation principle and under state biometric statutes tha…
This provision authorizes cross-site tracking through third-party partners, which engages GDPR and ePrivacy Directive consent requirements for cookie placement in EU contexts and triggers CCPA/CPRA d…
Cross-border transfers of personal data from the EEA or UK to the US require a valid transfer mechanism under GDPR Chapter V, such as Standard Contractual Clauses; the policy acknowledges transfer bu…
This provision engages COPPA obligations for US users; the policy does not describe age verification mechanisms, which is relevant given that voice cloning tools could be accessed by minors.
The provision establishes a procedural mechanism for users to exercise legal rights that vary by jurisdiction, requiring the entity to maintain a defined request process. The clause operationalizes c…
EU/EEA users' data transferred to the US must be protected by an adequate transfer mechanism under GDPR; relying on consent as the basis for international transfers may not fully satisfy GDPR require…
Cross-border data transfers from the EU/EEA to the United States require an approved transfer mechanism under GDPR Chapter V. The policy does not specify in detail which transfer mechanisms are relie…
This provision may trigger CCPA/CPRA obligations regarding the sale or sharing of personal information with advertising partners, requiring ElevenLabs to offer California residents an opt-out mechani…
The absence of specific retention periods for individual data categories, particularly voice recordings and voice models, creates potential tension with GDPR's data minimization and storage limitatio…
This provision establishes an open-ended retention standard that does not specify maximum retention durations for sensitive data categories such as Social Security numbers, financial account data, or…
This provision establishes that Equifax may disclose personal information to government entities not only in response to formal legal process but also based on Equifax's own assessment of necessity t…
The provision operationalizes California statutory obligations by establishing the procedural framework through which Equifax receives and processes consumer rights requests. It designates specific s…
The clause operationalizes state-specific privacy obligations by explicitly recognizing privacy rights regimes beyond California and establishing a centralized mechanism for rights exercise. This ref…
These rights give California residents concrete, legally enforceable tools to manage how Equifax collects and uses their personal and financial data, including data used for marketing and profiling b…
Location data can reveal sensitive patterns about where you live, work, seek medical care, or worship, and precise geolocation is classified as sensitive personal information under California law and…
This provision establishes the consumer rights infrastructure for multiple U.S. state privacy statutes, including CPRA, VCDPA, CPA, CTDPA, and TDPSA, and specifies the operational channels available …
This provision establishes that behavioral and device data is collected through automated tracking technologies not only by Equifax but also by third-party service providers and advertising partners,…
This provision establishes that Equifax processes personal data of EU and UK residents subject to GDPR and UK GDPR obligations, including the requirement to document and disclose lawful bases for eac…
Open-ended retention language means Equifax may hold sensitive personal and financial data for extended periods, and consumers have limited visibility into how long specific data types are retained u…
Smart home devices installed in family households routinely collect audio, video, and behavioral data from children, raising questions about whether Eufy's COPPA compliance extends to household data …
Precise location data reveals sensitive behavioral patterns including your home address, daily routines, and periods of absence, making it one of the most privacy-sensitive data categories collected …
California residents have legally enforceable rights to control how their data is used and shared, including the right to stop Eufy from selling their personal information, but these rights only appl…
Without specific retention periods stated for sensitive data categories like video footage and biometric data, users cannot know how long their most sensitive information is kept, and regulators may …
The scope of automatic data collection means that even casual browsing of Eventbrite creates a detailed behavioral profile that may be used for advertising or shared with third parties.
The absence of active age verification means minors may access the platform and provide personal data, and the protection depends on users or parents self-reporting, which is a common but limited saf…
These rights allow users to actively manage their data held by Eventbrite, but the scope of rights available depends on the user's location and applicable law, so not all rights apply to all users eq…
The provision operationalizes GDPR/UK GDPR compliance by specifying the lawful bases under which data processing occurs and enumerating the data subject rights that Eventbrite must facilitate upon re…
This provision creates operational obligations for Eventbrite to process consumer privacy requests from California residents and establishes the procedural mechanisms through which those requests are…
EU and UK users' data is processed under US law once transferred, and the adequacy of Standard Contractual Clauses as a transfer mechanism is subject to ongoing regulatory and legal scrutiny.
The provision establishes mechanisms for users to exercise data subject rights under privacy regulations, allowing direct access to personal data holdings and the ability to request modifications to …
The policy's protection applies only where FanDuel has actual knowledge that a user is a minor, and the first sentence's reference to 'without legally-required affirmative authorization' introduces a…
Cross-device and cross-site advertising tracking using hashed email addresses means your FanDuel activity can follow you across the internet even if you do not use cookies, making it difficult to ful…
This clause means your personal data, including identity documents, payment information, and precise location history, could be transferred to a new owner whose privacy practices may differ from FanD…
The cookie-dependent opt-out mechanism means your data sale opt-out can be inadvertently reset simply by clearing your browser history or cookies, requiring ongoing vigilance to maintain the protecti…
The requirement to provide and update your Social Security number creates ongoing sensitive data exposure, and consenting to electronic tax form delivery means you may miss important documents if you…
The phrase 'or for any reason set forth in this Privacy Policy' is notably broad and links audio recording to FanDuel's full suite of data use purposes, including marketing and analytics, beyond the …
Cross-border transfer mechanisms are a significant area of GDPR enforcement, and the adequacy of Standard Contractual Clauses depends on whether the destination country provides essentially equivalen…
Cross-site tracking by advertising and analytics companies is a primary mechanism through which personal data is aggregated and profiled at scale. For EU users, this activity typically requires expli…
Cookie and tracking technology use is the primary mechanism through which personal data is collected from casual website visitors, and it triggers consent and disclosure obligations in the EU, UK, an…
Vague retention language without specific time limits makes it difficult for users to predict how long their data will be held or to plan deletion requests effectively. GDPR requires that retention p…
This provision operationalizes California's statutory privacy framework within Fastly's terms by acknowledging the legal requirements that apply to the entity's data practices and establishing the me…
These rights are enforceable under California law and provide concrete mechanisms for California residents to control their personal data held by Fastly, including the ability to request full deletio…
This distinction determines who you can hold accountable for your personal data and where to direct privacy requests. Most end users will not interact with Fastly directly, meaning their primary poin…
This provision operationalizes Fastly's compliance obligations under data protection regulations by establishing a documented mechanism for processing user requests related to personal data rights. T…
The clause operationalizes statutory data subject rights under GDPR and related frameworks by explicitly confirming Figma's obligation to provide mechanisms through which eligible users can exercise …
California's CCPA and CPRA give residents enforceable rights over their data that go beyond what most other US users have, including the right to stop Figma from sharing personal data with advertisin…
The provision operationalizes statutory data subject rights by documenting Figma's recognition and processes for fulfilling access, deletion, portability, and objection requests across multiple regul…
EU users have strong legally enforceable rights over their personal data, and the lawfulness of Figma transferring their data to the US depends on whether adequate transfer safeguards are in place.
EU and UK users' personal data is processed by Figma in the US, and the adequacy of the transfer mechanism used is subject to ongoing regulatory scrutiny, meaning users should understand that their d…
This provision operationalizes California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) statutory obligations within Figma's privacy framework. The clause establishes the proce…
The scope of data collection determines what information Figma retains about you and your work, including potentially sensitive professional design assets.
Professional users who store confidential client designs, proprietary assets, or sensitive business information in Figma should understand that this content is collected and retained by the platform.
California residents have legally enforceable rights to access, delete, and control how their personal data is used, which go beyond what other US users are granted under this policy.
EU, UK, and Swiss users have meaningful legal rights over their personal data under GDPR, including the ability to request deletion or a copy of their data, and Figma is required to respond to such r…
If a minor under the applicable age threshold uses Figma, any personal data collected may be improperly processed, and parents or guardians should be aware of the age restrictions and Figma's deletio…
The collection of the actual content of design files, not just metadata, means that proprietary creative work, business strategies, and client materials stored in Figma are within the scope of Figma'…
This provision establishes a minimum age for Figma use and engages COPPA compliance obligations in the US, though the policy relies on self-reporting and account holder representations rather than ac…
Employees using Figma under a company account should understand that their employer may be able to view their work, activity, and communications within the platform.
Tracking technologies collect behavioral data about your use of Figma that may be shared with third-party analytics or advertising providers.
Tracking technologies used by Figma and third parties can build detailed profiles of your online behavior across websites, not just on Figma itself, which may be used for targeted advertising.
If Fireworks AI makes significant changes to how your data is used, you may only receive an email or a website notice, and continuing to use the service will be treated as agreement to the new policy…
If you interact with an application or product built on top of Fireworks AI by a third-party business, this privacy policy may not protect your data in that context, and your rights and protections d…
California residents have enforceable statutory rights under CPRA that go beyond what this general privacy notice describes, including the right to opt out of the sale or sharing of personal data, th…
This provision attempts to restrict minors from using the platform independently, which is relevant for COPPA compliance and parental liability, but places the verification and supervision obligation…
This means your contact information could appear in Fireworks AI's systems even if you never directly provided it, and that externally sourced data will be merged with your existing profile, potentia…
Employees using Fireworks AI under an enterprise account should be aware that their activity and personal data may be visible to their employer or other company representatives through Fireworks, whi…
These rights are only available to users in specific jurisdictions, meaning the majority of global Fitbit users may have significantly fewer enforceable rights over their health data depending on whe…
A change in ownership could mean your sensitive health and fitness data, collected under Fitbit's current privacy practices, is governed by a different company's policies, potentially with different …
The policy relies on a reactive approach to children's data rather than proactive age verification, meaning children under 13 may use the service and provide health data before the issue is identifie…
A large number of Fitbit users have linked their devices to Google Accounts, meaning they are subject to a different and much broader privacy framework than what this document describes. Users may no…
The clause establishes user-initiated data management mechanisms, permitting self-service access, portability, and deletion of personal information without requiring company assistance or administrat…
Precise GPS data can reveal where you live, work, and travel routinely, and when combined with workout schedules, creates detailed location profiles that go beyond what is necessary for basic fitness…
The minimum age of 13 (rather than 18) means that teenagers between 13 and 17 may create accounts and engage in commercial transactions as sellers or buyers, which creates parental oversight consider…
Persistent tracking cookies and pixels from third-party advertising partners extend Fiverr's ability to monitor your behavior beyond just the Fiverr website, potentially across many other sites you v…
These rights give users in the EU, UK, and California meaningful control over their personal data held by Fiverr, including the ability to request deletion or opt out of data sharing for advertising.
For EU and UK users, international data transfers carry legal significance because your data may leave a jurisdiction with strong privacy protections and be processed under different legal regimes, w…
The breadth of data collected, spanning identity, financial, behavioral, and device-level information, means Fiverr holds a detailed profile of each user that extends well beyond what is needed to pr…
Retention periods are not specified with precision, meaning Fiverr may retain your personal data for extended periods after you stop using the service, including for unspecified legal obligation and …
The provision operationalizes statutory data subject rights under GDPR and CCPA by specifying a procedural mechanism through which users may submit requests. The clause establishes Fiverr's obligatio…
The inclusion of GDPR rights acknowledgment establishes the legal framework applicable to EU/EEA user data and defines Fiverr's obligations under European data protection law. This provision signals …
This provision establishes the operational framework through which Fiverr acknowledges and processes user data subject access requests, deletion requests, and data portability requests. The provision…
Open-ended retention language means your personal data may be held indefinitely unless you actively request deletion, and the criteria for determining retention length are not defined with precision.
The clause operationalizes GDPR compliance by explicitly recognizing specific statutory rights that EEA-based users may exercise against the service provider regarding their personal data holdings an…
This clause establishes the operational framework for Fly.io's compliance with California privacy law by explicitly recognizing the four primary consumer rights that the CCPA/CPRA mandates. The provi…
Understanding what data is collected helps users assess their privacy exposure and decide what information they are comfortable providing to a cloud infrastructure provider.
If you are in the EU, UK, or another jurisdiction with strong data protection laws, transfers to the US require specific legal safeguards that must be in place for the transfer to be lawful.
These rights are legally enforceable under California law and give California residents meaningful control over their personal data held by Ford, including the ability to stop data being shared with …
This provision establishes the procedural rights available to California residents regarding their personal information held by Ford, including an opt-out mechanism for data sale and sharing and a no…
An open-ended retention standard means Ford may retain your data including vehicle telematics, location history, and consumer profiles for extended periods unless you submit a deletion request.
Cross-site tracking for targeted advertising is subject to opt-out rights under CPRA and is the type of data sharing that California residents can stop by using the Do Not Sell or Share mechanism or …
This provision establishes Ford's use of tracking technologies for collecting behavioral and device data, which is managed through a OneTrust consent management platform as evidenced in the document'…
This provision operationalizes California Consumer Privacy Act (CCPA) requirements by specifying the categories of consumer rights Ford recognizes and establishing the procedural mechanisms—portal su…
The cookie consent system determines what tracking technologies collect data about your browsing behavior; choices made at the consent banner affect what data Ford and its advertising partners can co…
The CCPA/CPRA creates operational obligations for GOAT regarding data transparency, consumer access requests, deletion requests, and opt-out mechanisms for data sales or sharing. Compliance with thes…
This right, established under CPRA, gives California residents meaningful control over how their data is used for advertising purposes, including by third parties outside GOAT.
Behavioral inferences are a distinct category of personal data that can reveal sensitive information about your lifestyle, spending habits, and interests, and their use for marketing or sharing with …
The OneTrust CMP integration creates an operational framework for implementing cookie consent requirements under privacy regulations such as GDPR and CCPA. This provision establishes the procedural m…
These rights provide EU and UK users with substantially more control over their personal data than users in most other jurisdictions, including the ability to compel deletion or restriction of proces…
This restriction reflects legal obligations under COPPA for children under 13, but GOAT's policy extends the restriction to all users under 18, which is a broader threshold than federal law strictly …
Open-ended retention periods mean your data could be held indefinitely under broad business justifications, with limited ability for users in most jurisdictions to compel deletion beyond what specifi…
Precise geolocation data is a sensitive category of personal information that can reveal your home, workplace, daily routines, and patterns of movement, and its use for advertising or sharing with pa…
Default public or semi-public visibility of fitness data including GPS routes, pace, and workout frequency can reveal sensitive information about your physical location habits and daily routines to a…
The clause establishes procedural obligations for Garmin to respond to consumer data access, deletion, and privacy control requests from California residents. These rights are operational requirement…
GDPR rights are among the strongest data protection rights globally and are legally enforceable; identifying Garmin Ltd. in Switzerland as the data controller clarifies which entity is legally accoun…
These rights under California law are among the strongest consumer data rights in the U.S. and cover the full range of sensitive data Garmin collects including health metrics, precise location, and f…
This clause operationalizes statutory data subject rights under GDPR and UK data protection frameworks by explicitly acknowledging their applicability to Garmin users in those jurisdictions, establis…
Standard Contractual Clauses are the primary mechanism used to legally authorize EU personal data transfers to countries like the U.S., and their validity has been subject to legal challenge; underst…
Garmin sells products such as junior GPS watches and family tracking devices that may be used by children, creating a practical tension between the stated policy exclusion of under-13 users and the p…
Third-party advertising cookies can result in your browsing behavior on a health and fitness platform being shared with advertising networks, which may draw inferences about your health interests.
Because Gemini can change its data practices at any time, the terms governing how your personal data is used may shift without direct notification beyond a website update.
Understanding how long your data is retained is important, particularly given the sensitivity of the financial and identity data Gemini collects and the regulatory requirements that mandate retention…
The clause operationalizes regulatory requirements for user control over personal information and establishes the administrative processes through which users may exercise statutory data rights, crea…
Your ability to control your personal data depends on which rights Gemini acknowledges for your jurisdiction, and the GLBA exemption claim limits which US state law rights are available to most US us…
The provision creates a defined mechanism for privacy rights requests and acknowledges jurisdiction-specific privacy obligations, establishing the procedural framework through which users can assert …
This provision establishes the service's operational scope regarding minor users and creates a data deletion obligation upon discovery of inadvertent collection from users under 18. The clause reflec…
Cookies and tracking technologies can collect detailed behavioral data about how you use the platform, which may be shared with advertising and analytics partners.
As a cryptocurrency exchange with KYC and AML obligations, Gemini is subject to regulatory requirements to report suspicious activity and respond to lawful requests for user data from government auth…
International data transfers from the EU and UK are subject to GDPR transfer restrictions, and Gemini's compliance with these requirements affects the legal basis for processing EU and UK user data.
These rights give California consumers meaningful control over a wide range of data GM holds about them, including vehicle location, driving behavior, and biometric data — but these rights must be ac…
Open-ended retention language means that sensitive data including vehicle location history and driving behavior may be held indefinitely, increasing the risk of exposure and limiting consumers' pract…
The policy states that public repository content is not treated as private personal data in terms of access controls; once posted publicly, GitHub asserts no responsibility for its visibility, which …
This provision establishes a consent-based standard for posting third-party personal information, which has operational significance for repositories that include user-generated data, research datase…
The policy authorizes disclosure to law enforcement and government agencies under legal compulsion and also in circumstances where GitHub determines disclosure is necessary to protect rights or safet…
The policy discloses that third-party analytics and advertising partners may set cookies on GitHub services, meaning data about your browsing behavior on GitHub may be collected by third parties unde…
This provision establishes a minimum age requirement consistent with COPPA obligations and authorizes immediate account termination for underage users, which is operationally relevant for educational…
This provision establishes GitHub's compliance posture with the Children's Online Privacy Protection Act (COPPA) and similar regulations by defining both a data collection restriction for minors and …
The breadth of collection covers both identity-linked data (name, email, payment) and behavioral data (usage patterns, device fingerprint), meaning GitHub builds a detailed profile of both who you ar…
ISO/IEC 42001:2023 is the first international standard specifically addressing AI management systems, and its disclosure is directly relevant to organizations assessing GitHub Copilot under emerging …
This disclosure fulfills California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) requirements that businesses inform residents about the specific categories of personal inform…
The policy does not specify retention periods for individual data categories, stating instead that retention is based on necessity and legal obligation; this means users cannot determine from this do…
The policy confirms data subject rights for users in applicable jurisdictions including GDPR rights for EU users and CCPA rights for California residents, with GitHub committing to respond in accorda…
The policy confirms California residents have enforceable rights under CCPA and CPRA including the right to opt out of data sharing with third parties, which is practically significant given the poli…
Behavioral tracking of communication interactions is used to build user profiles and inferences, which can feed into targeted advertising and personalization in ways users may not expect from a job p…
Users may assume that direct messages on a professional networking platform are private, but the policy discloses that message content is collected as personal data, which has implications for how co…
Naming specific GDPR representatives means EU and UK users have clear entities to contact with data rights requests, complaints, or regulatory concerns, which is a meaningful compliance commitment.
The designation of local representatives in the UK and EU is a GDPR requirement for non-EU controllers processing personal data of EU and UK residents. This structure enables compliance with Articles…
Cross-border data transfers are a key GDPR compliance obligation. If the transfer mechanisms are not properly implemented, data flows to the US could be challenged by regulators or privacy advocates.
Sub-processor visibility is a GDPR requirement and a practical security concern, since each sub-processor represents an additional party with access to potentially sensitive workplace data.
This clause determines where your privacy rights can actually be exercised. Employees cannot bypass their employer to make data requests directly to Glean, which may create practical barriers.
This provision operationalizes California's statutory privacy framework within Glean's terms by establishing the procedural mechanism (email contact point) through which residents must submit rights …
This shapes whether individual employees can effectively exercise GDPR, UK GDPR, or CCPA rights in practice, since Glean inserts an intermediary that controls the response process.
Retention timelines and post-termination deletion are critical for enterprise data governance, particularly where workplace searches include sensitive business information or personal employee data.
Website visitors who are not Glean customers still have their browsing data collected and shared with third parties for marketing purposes, which engages cookie consent requirements in the EU and UK.
This provision identifies specific protected characteristics that Google states its AI systems should not disadvantage, which is relevant for consumers who interact with AI-powered Google products in…
This provision discloses a specific operational practice whereby Google support personnel may access the account holder's Analytics account and its associated Customer Data using the account holder's…
This provision connects Google's broader privacy commitments to its AI development process, which is relevant for consumers whose personal data may be processed by AI systems used across Google produ…
The terms place responsibility for a minor's use of Google services on the parent or legal guardian who permits that use. The minimum age varies by country and is not specified as a single global thr…
The clause creates a dual compliance structure: it conditions service access on parental authorization for minors and extends contractual liability to parents or guardians who permit access. This est…
This provision determines the allocation of data protection responsibilities between the advertiser and Google. The advertiser, as data controller, bears primary responsibility for establishing a law…
This clause establishes the mechanism by which advertisers can obtain Google's technical assistance when processing data subject rights requests such as access, erasure, restriction, or portability. …
This clause establishes that the advertiser's documented instructions govern the scope of Google's processing activities. It places on the advertiser the obligation to provide clear, complete, and la…
This clause establishes the mechanism by which advertisers are notified of sub-processor changes and granted an objection right. Advertisers must actively monitor Google's sub-processor notifications…
This clause establishes Google's contractual security obligation for advertiser personal data processed through Google Ads services. The obligation mirrors the GDPR Article 32 requirement for appropr…
This clause establishes the breach notification pipeline from Google as processor to the advertiser as controller. The advertiser remains responsible for evaluating the breach and determining whether…
This provision authorizes inbound data flows from third parties (merchants, issuers) to Google, supplementing data collected directly from users. The reference to 'provide and improve its services' a…
The inclusion of product development and tailored content as stated purposes means usage data collected through Google Cloud may inform broader Google product decisions and, in some contexts, adverti…
California residents using Google Cloud have legally enforceable rights beyond what this notice grants to other users, including the right to obtain a copy of their data and to opt out of certain sha…
EU, UK, and Swiss users should know their data may be transferred to the United States, but Google states it uses legal transfer mechanisms to maintain applicable protections.
The absence of specific retention periods for most data categories means users cannot easily determine how long their personal information, including billing, usage, and communication records, will b…
The combination of account registration data, payment information, and detailed usage logs creates a comprehensive profile of each direct Google Cloud user, which may be used for service improvement …
This provision establishes that disabling Gemini Apps Activity does not prevent human reviewer access to conversation content, meaning the opt-out control available to users does not fully restrict h…
The provision creates a gatekeeping mechanism for minors' access by requiring documented parental involvement and creates institutional responsibility for enforcement through family policy frameworks…
The provision establishes the operational mechanisms and submission channels through which users may exercise their statutory data rights. It specifies that Google will process requests for data acce…
The terms authorize Google to use conversation content for AI model training and product improvement, which means information submitted in conversations may inform future AI outputs and training data…
This provision establishes age-based access restrictions for Gemini apps, with jurisdiction-specific variations that create compliance obligations for Google and operational considerations for instit…
This provision establishes that user-generated conversation content, including feedback, constitutes training data for Google's AI models unless users actively opt out via Gemini Apps Activity contro…
This provision establishes the operational mechanisms by which users can control data retention, including manual deletion options and automatic deletion timelines. The clause specifies that activity…
The age restriction disclosure creates compliance obligations for Google regarding enforcement of the age limit, and the country-specific minor restriction acknowledges that applicable law in certain…
This provision establishes a user control for limiting AI training use of Gemini conversation data, but the notice explicitly limits the scope of this control to Gemini apps, meaning data that crosse…
The activity control does not provide complete data elimination; a 36-hour retention window remains regardless of user preference, and the distinction between what the control does and does not gover…
The scope of data collection includes not just text conversations but also uploaded files, images, and documents, as well as location information and behavioral usage data, meaning interactions with …
This provision creates an age-based access restriction and establishes a parental deletion mechanism. It allocates responsibility to parents or guardians to initiate data removal requests when unauth…
The 3-year default retention period means conversation data, including any personal information submitted, is stored for an extended period unless the user actively manages deletion. The 36-hour rete…
The clause establishes user-initiated controls over conversation storage and retention, while specifying that deletion operates on a delayed schedule and permits interim retention for designated safe…
The clause creates eligibility requirements that determine which user populations may access the service. Compliance with these restrictions requires verification of user age against both the specifi…
The terms authorize sharing of conversation content with third-party extension providers, whose data practices are governed by their own policies rather than Google's, meaning users interacting with …
A parent could be held liable for purchases a child makes through Google Pay, and by allowing access, they are also making a legal representation about the child's authorization to use the stored pay…
Google collects a broad set of device-level data including all installed applications, not just those from Google Play, for security analysis purposes, and some data collection continues even after a…
This provision establishes two distinct personal data sharing flows: transaction-related sharing of name and email with Content Providers governed by each Provider's independent privacy policy, and t…
This provision discloses collection of device-level data including the full list of installed applications and network connection information, not limited to apps installed through Google Play, for s…
This provision establishes a parental consent requirement for minor users but relies on self-reporting and parental authorization without describing a verification mechanism. Under this clause, the a…
Your personal data is shared with third-party content providers whose privacy practices may differ from Google's, and by accepting these terms you agree to that data sharing without necessarily revie…
GDPR rights are among the strongest consumer data protections globally, and Grammarly's policy acknowledges them for EEA and UK users, meaning those users have enforceable legal recourse if their dat…
Grammarly is widely used in educational settings, and this clause defines the minimum age for compliant use; parents and educators should ensure that children under 13 are not creating individual Gra…
Children's data is subject to heightened legal protections under COPPA in the US, and the policy's reliance on a self-declaration model means the enforcement of this restriction depends primarily on …
Enterprise users may have different and potentially stronger data protections depending on their employer's negotiated agreement with Grammarly, but this also means employees may not be able to rely …
For users in the EU, UK, or other jurisdictions with strong data protection laws, transferring data to the US requires specific legal safeguards, and the adequacy of those safeguards has been subject…
California's CCPA and CPRA give residents stronger data rights than many other US states, including the right to opt out of data sharing for advertising, which is practically significant given Gramma…
The policy does not specify fixed retention periods for different data categories, meaning personal data and submitted content could be retained for extended periods unless you actively request delet…
Account deletion does not guarantee complete erasure of all personal data, particularly sensitive health and location information, due to carve-outs for legal obligations and retention policies.
These rights are among the most important protections available to users, but they only have practical effect if users know they exist and how to exercise them.
For EU and UK users, transferring sensitive personal data to the US without adequate transfer mechanisms can violate GDPR and create legal exposure for Grindr and reduced rights protections for users.
The provision establishes user-initiated mechanisms for data transparency and account removal, establishing the operational procedures by which users may exercise data access and deletion rights unde…
Open-ended retention periods for sensitive data including health information, sexual orientation, and location mean your most private information could be held indefinitely, increasing the risk of br…
California law gives residents enforceable rights to access, correct, and delete their personal data held by Groq, and to stop Groq from sharing their information with advertising partners.
This automatic data collection feeds into advertising and analytics systems operated by third parties, meaning your behavior on Groq's websites may be used to target you with ads across the web.
Enterprise and developer customers may assume this privacy policy covers their API usage, but their data processing rights and obligations are actually set out in separate contractual documents that …
This clause operationalizes statutory privacy obligations for a defined user population by acknowledging Groq's duty to honor access, deletion, correction, opt-out, and limitation requests without pe…
This provision means Groq's profile of you may be richer than what you personally provided, drawing on external data sources that you may not be aware of or have consented to.
This clause confirms Groq collects information from website visitors and places a contractual obligation on users to ensure any submitted information is accurate, while directing detailed privacy dis…
This clause creates a broad exception that could allow Groq to commercially exploit aggregated or de-identified information derived from your activity, including sharing it with third parties, withou…
Precise geolocation is classified as sensitive personal information under several state privacy laws, and its collection for purposes beyond core delivery, including analytics, may require affirmativ…
Health-related and belief-related inferences drawn from food ordering data represent a sensitive category of personal information that carries heightened privacy risk, particularly if shared or used …
The additional retention period beyond account closure is not defined by a specific timeframe, meaning your data may be retained for an indeterminate period after you close your account, which limits…
These are legally enforceable rights under California law, not just company policy, meaning Grubhub is required by law to honor requests within specific timeframes, including responding to opt-out re…
This provision establishes Grubhub's framework for complying with state privacy laws, particularly the California Consumer Privacy Act (CCPA). It delineates the specific consumer requests the company…
This provision binds users to the terms of service and privacy policies of two separate third-party payment processors as a condition of using Gumroad's payment services, and authorizes data sharing …
These rights give California residents meaningful control over highly sensitive payroll, financial, and health data held by Gusto, including the ability to request deletion of that data.
Employees have limited direct control over data their employer submits to Gusto, and they must navigate both Gusto's and their employer's privacy frameworks to understand their full rights.
There is no opt-out described for this use, and the exclusion of de-identified data from the privacy notice means consumers have no stated rights over how this derived data is used.
The processor designation clarifies the legal relationship between Gusto and employers regarding data responsibility. Under data protection frameworks, processors have specific obligations regarding …
The provision operationalizes Gusto's compliance obligations under state privacy regimes, establishing the legal framework governing data collection, processing, retention, and user access/deletion/o…
The existence of a separate Consumer Health Data Privacy Policy signals that Headspace collects health-related data in contexts not fully protected by HIPAA, such as mood tracking or meditation usage…
Given that Headspace handles sensitive mental health data, the age restriction and COPPA compliance commitment is an important protection, though users between 13 and 17 may still use the platform wi…
This provision establishes Headspace's operational compliance framework with children's privacy regulations, including COPPA in the United States. It defines the service's intended user population an…
This clause creates procedural mechanisms through which users can exercise control over their personal information within regulatory frameworks that vary by jurisdiction. The provision establishes He…
HIPAA provides meaningful federal protections for clinical health data, including restrictions on how it can be used and shared, and gives patients specific rights including access, amendment, and ac…
These rights are particularly meaningful on a mental health platform because they allow users to review what sensitive data Headspace holds about them, request corrections to health information, or a…
Advertising cookies can track your activity across the web, not just on Headspace, and in the context of a mental health platform, the data derived from your usage patterns may infer sensitive inform…
Minors using a mental health and meditation platform need clear protections; the terms create a framework but enforcement relies on users self-reporting age, and the platform's ability to verify pare…
Targeted advertising on a dating app draws on highly personal data including your interests, preferences, and platform behavior, and the policy asserts legitimate interest as a sufficient legal basis…
Cross-border transfers of personal data from the EEA to the United States require specific legal safeguards under GDPR, and users in the EEA should understand that their data is ultimately processed …
Users who delete their accounts expecting a clean break may not realize that interaction and safety-related data persists, which affects any right to erasure requests and means your history on the pl…
Government-issued ID contains highly sensitive identity information including your full legal name, date of birth, address, and ID number, and submitting a copy to a third-party app creates risks if …
This is a self-reported eligibility requirement with no stated independent verification mechanism, meaning its practical effect depends on user honesty and Hinge's separate background check or safety…
The provision creates a tiered privacy framework in which certain jurisdictions receive enhanced data protections through a separate governing document. This bifurcated structure means privacy obliga…
This provision operationalizes state-level privacy statutory rights by establishing the procedural framework through which Home Depot processes consumer requests for data access, deletion, correction…
These rights are your primary legal tools for controlling your personal data, but the policy conditions their availability on your state of residence, meaning consumers in states without comprehensiv…
Precise geolocation data can reveal sensitive details about your daily movements, routines, and personal life, and is classified as sensitive personal information under CPRA and several other state p…
Open-ended retention periods tied to broad business purposes can result in personal data being kept for many years, limiting the practical effect of deletion requests and increasing the risk of data …
This opt-out right is one of the most significant consumer protections in the policy, allowing you to limit how your personal data is used for commercial advertising and data sharing with third parti…
This provision establishes HubSpot's use of persistent and session-based tracking mechanisms across its services, which engages consent requirements under GDPR and ePrivacy rules for EU users and dis…
This provision authorizes disclosure of user browsing and activity data to advertising technology vendors for cross-site targeting purposes, which may require evaluation under GDPR consent requiremen…
The CCPA opt-out right for data sharing is particularly significant because HubSpot shares data with advertising partners for cross-context behavioral advertising, which qualifies as regulated sharin…
This provision establishes a principles-based rather than fixed-period retention framework, which may require evaluation under GDPR data minimization and storage limitation principles where specific …
This provision establishes HubSpot's acknowledgment of California statutory privacy obligations and operationalizes specific data subject rights that California law grants to residents. The clause id…
The clause conditions the availability of data subject rights on applicable law and jurisdiction, creating a location-dependent framework for how HubSpot processes individual requests for control ove…
Legitimate interests is a flexible legal basis that does not require your consent but is subject to a balancing test. Individuals in the EU and UK have the right to object to processing based on legi…
This provision establishes the three primary collection channels and authorizes ingestion of data from external third-party sources in addition to direct user input and behavioral data, which has imp…
This provision establishes Standard Contractual Clauses as the primary mechanism for cross-border data transfers out of the EEA, which requires that a transfer impact assessment be conducted and docu…
This provision operationalizes HubSpot's compliance obligations under GDPR by explicitly acknowledging enforceable individual rights and establishing a mechanism (contact process) through which data …
Sharing personal data with advertising partners in particular expands the number of organizations that may have access to your information, which increases privacy risk and may involve cross-context …
This provision documents HubSpot's CCPA and CPRA compliance posture for California residents and establishes the non-discrimination guarantee, which is a statutory requirement under CPRA.
International data transfers are a high-scrutiny area under GDPR following the Schrems II ruling. The use of SCCs is legally recognized but may require additional technical safeguards depending on th…
This provision documents HubSpot's acknowledgment of GDPR and UK GDPR data subject rights and the supervisory authority complaint pathway, establishing the operational framework for EU and UK individ…
Behavioral advertising tracking involves collecting data about your online movements across multiple websites over time, which is a significant privacy consideration and subject to consent requiremen…
The provision establishes that HubSpot's privacy practices are subject to California statutory requirements regarding consumer data rights and non-discrimination. This provision operationalizes compl…
These rights are a core privacy protection, but they apply only to data for which HubSpot is the controller. If your data is in a business customer's HubSpot account, you must contact that business i…
This provision establishes Hugging Face's operational compliance framework for GDPR-regulated data processing. It creates enforceable procedures and response obligations when individuals exercise sta…
The provision operationalizes GDPR Article 6 transparency requirements by identifying the lawful bases under which the entity processes personal data. This disclosure framework establishes the instit…
Training data disclosure is directly relevant to intellectual property compliance, data provenance assessments, and bias risk evaluation, particularly as regulatory frameworks increasingly require tr…
The minimum age of 13 engages COPPA obligations regarding the collection of personal information from users under 13; the authority representation for organizational accounts creates a binding contra…
The policy authorizes use of user personal data for scientific research and business analysis purposes, which is a notable purpose given Hugging Face's role as an AI and machine learning platform whe…
This provision reserves a right for the Company to access privately stored user content, including potentially proprietary models, datasets, or communications, without prior user consent, grounded in…
This provision operationalizes compliance with GDPR Article 6 transparency obligations, requiring the entity to establish and communicate the lawful basis for each processing activity. This establish…
This provision discloses automatic collection of IP addresses and session location data, which under GDPR and other frameworks qualify as personal data; this collection occurs passively for all users…
This clause establishes a mechanism for policy updates that does not require affirmative user consent, instead relying on continued service use as constructive acceptance. The 10-day notice period cr…
This cross-platform data combination means your activity on one Disney service directly informs how you are treated on others, and third-party data may be added to your profile without a direct relat…
This clause means your Hulu activity can follow you to unrelated websites in the form of targeted ads, and the advertising companies receiving your data operate under their own privacy policies, whic…
Precise geolocation is considered sensitive personal information under California's CPRA and can reveal home address, daily movements, and other private behavioral patterns; limiting location sharing…
The age restriction creates an eligibility condition for service purchase and establishes legal capacity requirements. The use restriction clause defines the permitted scope of service consumption an…
This provision establishes Hulu's operational procedure for recognizing and processing opt-out signals from California residents exercising their statutory right to direct limitation of personal info…
The provision establishes a framework of privacy rights contingent on jurisdiction, creating operational obligations for Hulu to respond to consumer requests for data access, correction, deletion, an…
COPPA imposes strict federal requirements on how children's data is collected and used, and violations can result in significant FTC penalties; parents should verify that any Disney or Hulu accounts …
The California Privacy Rights Act gives California residents enforceable rights to stop their data from being used for cross-context behavioral advertising, and this clause describes how to exercise …
GDPR grants EU and UK users substantially stronger data rights than US users, including the right to object to profiling and to request erasure; these rights are directly enforceable against Disney's…
Users may not expect that their creative prompts and generated images become training data for an AI system, and there is no clearly described opt-out mechanism for this specific use within the polic…
The opt-out right for sale or sharing of personal information is particularly relevant given Ideogram's use of analytics and advertising-related third-party services, which may constitute sharing und…
This provision operationalizes statutory obligations under California privacy law by identifying the five core consumer rights Ideogram acknowledges it must honor. The clause establishes the framewor…
If a minor uses the platform and generates or shares content, their account may be terminated and data deleted when discovered, which could result in loss of access and generated content.
Tracking technologies operated by third-party partners may enable those partners to build profiles of user behavior across multiple websites, which raises concerns under both GDPR's ePrivacy requirem…
Users in the EU, UK, and Switzerland have data transferred to jurisdictions without equivalent privacy protections, and the adequacy of the standard contractual clauses mechanism depends on the trans…
Automatic collection of IP addresses, device identifiers, and browsing behavior creates a detailed profile of your usage even beyond the content of your conversations.
This clause establishes the procedural mechanism by which privacy policy modifications become binding on users. It creates an operational framework where policy changes take effect upon posting and e…
Open-ended retention language tied to broad purposes like service improvement and AI training means personal data, including conversation history, could be retained for extended and indeterminate per…
These rights give you meaningful control over your personal data, but they are only available to users in specific jurisdictions and typically require you to actively submit a request to exercise the…
If a child under 13 uses Inflection AI's services, there is no proactive age verification mechanism described in the policy, meaning the protection relies on reactive deletion rather than prevention.
A change in ownership could mean your data, including sensitive conversations, is transferred to a company with different privacy practices, even if you originally consented to Inflection AI's terms.
Setting the age threshold at 18 rather than 13 (the COPPA threshold) means the policy asserts a higher minimum age for service use, which affects how accounts created by users under 18 are treated an…
This clause operationalizes Instacart's compliance obligations under alcohol sales regulations by placing verification responsibility on the delivery stage and establishing the merchant's authority t…
Canadian users' data may be subject to U.S. legal process and law enforcement access once transferred to the United States, and the protections available under Canadian law may not apply in full to d…
Retention periods determine how long your purchase history, location data, and behavioral profiles are held by Instacart and potentially shared with third parties; longer retention periods extend the…
For EU and UK users, international data transfers require specific legal safeguards, and the adequacy of those safeguards is subject to ongoing regulatory and judicial scrutiny.
Using sensitive financial and tax data to train AI models raises questions about data minimization, consent, and the long-term retention of user data beyond the immediate service transaction, especia…
The provision operationalizes jurisdictional data protection requirements by establishing a defined mechanism for rights requests. It designates a specific portal as the administrative pathway throug…
Tracking technologies collect behavioral data continuously across browsing sessions, and the involvement of third-party advertising partners means this data flows to external companies who may combin…
Open-ended retention language tied to legal obligations and dispute resolution means sensitive financial data, including tax records and government identifiers, could be retained for extended periods…
These rights are most robust for California residents under CPRA and EU or UK residents under GDPR, and exercising them can limit how Intuit uses your sensitive financial data for advertising and thi…
EU and UK users whose data is transferred to the United States or other countries must be protected by an appropriate transfer mechanism under GDPR; the policy does not specify which mechanisms Jaspe…
Personal data could transfer to a different company with potentially different privacy practices in a corporate transaction, and users may have limited ability to prevent this under the terms as stat…
This provision establishes that personal data including submitted content and user identifiers may be disclosed to prospective acquirers or transaction counterparties prior to any transaction closing…
This provision establishes the legal rights framework Jasper applies to EU, UK, and Swiss data subjects and the procedural mechanism for exercising those rights, which is operationally relevant for e…
The policy acknowledges data subject rights under GDPR and CCPA, providing a contact mechanism for users to exercise access, correction, deletion, and restriction rights, which is a material protecti…
This provision establishes a purpose-based retention standard without specifying defined retention timelines for different categories of personal data, which may present disclosure adequacy considera…
This provision establishes the specific data rights Jasper recognizes for California residents and the mechanisms through which those rights may be exercised, including contact via privacy@jasper.ai …
This provision establishes that tracking data is collected both by Jasper directly and by third-party partners through the platform, with the data uses extending to advertising interactions, which is…
The terms authorize sharing personal data with a broad range of third parties including advertising partners, which may be relevant for users who assumed their data remained within Jasper's systems, …
This provision establishes that personal data including identifiers, usage activity, and device information may be disclosed to advertising and analytics third parties whose data handling is governed…
AI conversation data may include sensitive academic questions, personal disclosures, or learning difficulties that users share in an educational context, and the use of this data to improve AI models…
This provision establishes COPPA compliance through dual consent mechanisms: direct parental consent or school operator consent delegation, which is the standard approach for educational platforms se…
Student data in school-deployed accounts is accessible to institutional administrators beyond just the assigned teacher, which expands the audience for sensitive academic performance data without add…
The absence of specific retention periods means users cannot know how long their or their children's data is kept, and deletion requests are handled on a case-by-case basis rather than through an aut…
This provision operationalizes Khan Academy's compliance obligations under California privacy statutes by explicitly recognizing resident rights to control personal information handling and prohibiti…
Students accessing Khan Academy through a school may have stronger data protections than general users, depending on what the School Agreement says, but those terms are not publicly disclosed in this…
This creates a detailed longitudinal record of a student's academic performance and learning behavior, which is visible to teachers and administrators and retained by Khan Academy for operational and…
Account data forms the foundation of how Kick identifies you and links your activity across the platform, and understanding what is collected and retained is important for assessing your privacy expo…
The age restriction and parental consent requirement for minors engage COPPA in the US context and similar frameworks in the EU and UK, and parents should be aware that minors using the platform with…
Your financial and personal data may be held by Klarna for an extended and unspecified period after you stop using the service, and the policy does not commit to specific maximum retention periods fo…
Using legitimate interest rather than consent as a legal basis means Klarna does not need to ask your permission for certain profiling and marketing activities, though you retain the right to object,…
Legitimate interests is one of several legal bases that permits data processing without explicit user consent. This authorization enables Klarna to conduct certain processing activities—such as fraud…
The CCPA/CPRA provisions create specific operational obligations for Klarna regarding data transparency, consumer request processing, and limitations on data monetization activities. These statutory …
Your browsing activity may be tracked and shared with advertising partners to build a profile used for targeted advertising, and the effectiveness of your ability to limit this depends on how clearly…
When your data is transferred outside the EU or UK, it may be subject to government access or privacy standards that are different from those in your home country, even if contractual protections are…
Without access to the actual privacy policy, users cannot know what personal data Kling AI collects, how it is used, or what rights they have over their information.
Age restrictions on AI generative content platforms are legally required in many jurisdictions, and violations can expose the platform to regulatory action while leaving underage users without approp…
The policy authorizes transfer of all personal information, including AI trace data and account details, to a successor entity in a business transaction, which may result in your data being controlle…
Developers and businesses using LangSmith's tracing and evaluation features may transmit sensitive data, personal information, or proprietary business logic to LangChain's infrastructure, and the ter…
The policy does not specify fixed retention periods for any category of personal information, including AI trace data submitted through LangSmith, leaving the duration of data storage to LangChain's …
Given the sensitivity of data held by Ledger (home address linked to crypto wallet purchase), the right to request deletion is particularly relevant for customers concerned about their data remaining…
This provision operationalizes Ledger's compliance obligations under GDPR by explicitly acknowledging specific data subject rights and establishing a mechanism through which users may exercise those …
This provision operationalizes Ledger's legal obligations under California privacy law by specifying how the company must respond to resident requests and what categories of data control rights apply…
Security assurances in a privacy policy are statements of intent and process, not guarantees; Ledger's 2020 breach, in which over one million customer records including home addresses were leaked, is…
Data transferred outside the EEA may be subject to less protective legal regimes, and compliance with post-Schrems II transfer requirements depends on whether Ledger has implemented the 2021 updated …
For cryptocurrency hardware wallet users, the combination of identity data and purchase records effectively signals asset ownership, creating a risk profile that goes beyond typical retail data colle…
The legal basis used for each processing activity determines what rights users can exercise and whether they can object to or stop that processing; reliance on legitimate interests rather than consen…
This provision authorizes international transfers of user personal data and asserts that transfer safeguards such as Standard Contractual Clauses are in place, but does not identify specific recipien…
This provision establishes the procedural mechanism for exercising data subject rights, requiring email contact rather than an in-platform self-service tool, which is the primary avenue for users to …
This provision establishes Leonardo AI's stated COPPA compliance posture; the policy does not describe the technical or operational mechanism by which users under 13 are identified and excluded from …
Age restriction provisions protect younger users from data practices that may not be appropriate for minors, and parents or guardians should be aware of the platform's age requirements before allowin…
This provision establishes a hard age gate at 18 years, which is operationally significant given the platform's capacity to generate content including mature or explicit imagery in designated areas. …
Users of generative AI platforms have a reasonable expectation that their creative inputs are used to produce outputs for them, not necessarily to train the underlying AI systems. This provision exte…
This provision establishes data sharing with advertising and analytics partners, categories that under CCPA/CPRA may constitute sharing personal information for cross-context behavioral advertising, …
The minimum age of 13 is consistent with COPPA in the US but may not meet higher minimum ages required in certain countries, such as 16 under GDPR in some EU member states; parents should be aware th…
These rights give California users meaningful control over their personal data held by Lime, including the right to stop their data from being shared with advertisers and to have data deleted from Li…
The policy sets the age threshold at 18 rather than the COPPA standard of 13, which is a more protective approach for minors, but the enforcement mechanism relies on Lime discovering the collection r…
For EU, UK, and other international users, this means their personal data including location history may be transferred to a jurisdiction with a different privacy legal framework, and the adequacy of…
The clause operationalizes Lime's obligation to recognize and honor data subject rights mandated by EU/UK/Swiss data protection regulations. This establishes the procedural framework through which us…
Without a specified maximum retention period, your location history, trip records, and account data may be retained indefinitely, which has implications for both privacy risk and your rights to have …
Minors who use the service in violation of this age restriction do so outside the contract's terms, which may affect their legal protections and the enforceability of parental liability under applica…
These GDPR-based rights give European users strong legal tools to control their data, including the ability to object to processing based on legitimate interest and to demand deletion of their inform…
The retention policy means that profile data, behavioral data, and inferred data persist indefinitely unless you take active steps to close your account or submit a deletion request, even if you have…
This provision operationalizes data subject rights by specifying the categories of user requests LinkedIn accepts and the procedures through which users may assert control over their stored personal …
The default visibility of profile data to third parties including recruiters and employers means that professional and personal information shared on LinkedIn may be accessed and used by organization…
This provision establishes that continued use of LinkedIn constitutes acceptance of updated data practices, which means changes to how your data is collected or used take effect automatically unless …
This provision establishes the contractual framework for GDPR-compliant personal data transfers and processing through the LinkedIn Ad Services, incorporating the DPA and Standard Contractual Clauses…
This provision determines which legal entity is responsible for your personal data and which legal framework and dispute resolution mechanisms apply, which affects which rights you can exercise, whic…
The agreement establishes separate legal entities and data controllers depending on user geography, which determines which legal framework governs data rights, which entity is legally responsible for…
The agreement sets a minimum age of 16 globally but acknowledges that local laws may require a higher age threshold, which means the effective minimum age may vary by jurisdiction and affects whether…
This provision describes data collection that occurs outside the LinkedIn platform, meaning browsing behavior on third-party websites carrying LinkedIn tracking elements contributes to LinkedIn's pro…
This provision places the compliance burden for privacy and data protection obligations on the advertiser rather than LinkedIn, and specifically prohibits tracking technologies designed to persist de…
In enterprise Loom deployments, your employer controls key data decisions, which means your individual rights requests may need to go to your employer first rather than directly to Atlassian.
Use of user-generated video and text content to train or improve AI systems is a significant and evolving area of privacy concern, particularly where the content includes sensitive business or person…
This provision operationalizes regulatory requirements under data protection frameworks by establishing the company's obligation to process data subject access requests and honor deletion, correction…
This provision establishes Loom's acknowledgment of statutory consumer rights under California privacy law and specifies the company's data practices regarding sale restrictions and behavioral advert…
Video recordings can contain sensitive personal, business, or confidential information; understanding what data is retained and for how long is essential for both individual users and enterprise cust…
If you are based in the EU or UK, your Loom data may be transferred to and stored in the United States, and the legal adequacy of that transfer mechanism affects the protections your data receives.
This provision establishes COPPA compliance obligations and provides a reporting mechanism for parents who believe their child's data has been collected without authorization.
This provision establishes age-based access controls and a COPPA compliance commitment. The mechanism for enforcement relies on user self-representation at account creation rather than independent ag…
Users uploading personal images, videos, or sensitive text may not expect that content to contribute to AI model development, and no specific opt-out for this use is described in the policy.
Users may not be aware that Luma can build a more detailed profile of them by combining data from external sources with account and usage data, potentially without direct interaction from the user.
Users should be aware that sensitive personal information shared in AI chat conversations is collected and retained, and may be reproduced in AI outputs, which could have implications for confidentia…
Users accessing Luma through an employer or enterprise customer may have substantially different privacy protections than consumer users, and Luma explicitly disclaims responsibility for enterprise c…
The collection of advertising identifiers and application installation data alongside usage behavior enables detailed user profiling that goes beyond basic service delivery.
These rights are enforceable under California law and give California users meaningful control over their personal data held by Lyft, including the ability to stop their information being shared with…
Drivers' personal identifying information including real-time location is shared with riders and third-party vendors, which creates specific privacy and safety considerations for drivers as a distinc…
This provision operationalizes Lyft's compliance obligations under California privacy law by enumerating the specific data rights that must be made available to California resident users. The clause …
An open-ended retention standard without specific timeframes for each data category makes it difficult for users to know how long sensitive information like location history and trip data is retained…
The policy permits disclosure of your trip history, location data, and other personal information to government or law enforcement not only under compulsory legal process but also when Lyft determine…
EU and EEA users have significantly stronger data rights and consumer protections under GDPR and EU consumer law than users in many other regions, and the applicable terms variant for their country s…
State privacy laws in California and other states grant residents specific rights such as the right to know, delete, correct, and opt out of data sales; the supplement is the primary document where t…
State privacy laws impose different requirements regarding data subject rights, disclosure obligations, and operational procedures. By providing jurisdiction-specific supplements, Max establishes a m…
The global scope of WBD's services, including Max, means that personal data may be transferred across jurisdictions, and the protections available to any individual user depend on which regional poli…
Targeted advertising typically involves the collection and use of personal data including viewing behavior, device identifiers, and inferred interests; the Ad Choices portal is the disclosed mechanis…
Users in different countries or U.S. states may have materially different rights and protections under WBD's data practices, and this page does not itself disclose those differences.
While this provision provides a baseline COPPA commitment, it relies on a reactive 'if we learn' standard rather than proactive age verification, which may leave gaps in practice for a brand with sig…
This provision operationalizes McDonald's compliance obligations under the California Consumer Privacy Act and California Privacy Rights Act by establishing the procedural mechanism through which eli…
The clause establishes the operational basis for McDonald's marketing communications practices and specifies the procedural pathways through which users may modify their receipt of promotional conten…
Precise geolocation data is among the most sensitive categories of personal information because it can reveal where you live, work, and travel on a regular basis, and this data is used not just opera…
Age requirements in digital service terms are tied to legal protections for minors under federal and state law. If a child under the minimum age is using McDonald's digital services, the family shoul…
These rights give California consumers meaningful control over how their data is used, including the ability to stop it from being shared with advertising partners and to have it deleted entirely.
This provision establishes that third-party tracking for targeted advertising is permitted on Medium's platform, which engages GDPR consent requirements under the ePrivacy Directive and CCPA opt-out …
Parents and guardians should be aware that Medium does not have mechanisms to verify user age at sign-up, which means the platform relies on users to self-report compliance with the age restriction.
This provision establishes the operational mechanisms through which California residents can exercise CCPA and CPRA rights, including the opt-out of data sale or sharing, which is a concrete and time…
This provision establishes Medium's COPPA compliance posture, but enforcement relies on user reporting rather than active age verification, which may be a meaningful gap in practice.
Without fixed retention periods, your data could be held for an extended time after you stop using Medium, and you may need to actively request deletion to ensure your information is removed.
Users in the EU and other countries with strong data protection laws should be aware that their data is transferred to a jurisdiction where equivalent legal protections may not apply, which affects w…
This provision establishes the contractual basis under which Medium transfers personal data to external parties for operational purposes, which implicates GDPR Article 28 data processor agreement req…
This provision establishes that personal data may be disclosed to prospective acquirers or transaction counterparties prior to deal completion, which creates data exposure outside Medium's direct ope…
The policy's disclosure of cross-border data transfers without specifying the legal mechanism used for EEA transfers, such as Standard Contractual Clauses or an adequacy decision, creates a complianc…
This provision establishes the claimed legal bases for EEA data processing, but the absence of a processing activity-level mapping to specific legal bases may present a compliance gap relative to GDP…
Cookies and tracking technologies enable Medium and its partners to build a profile of your browsing habits, which can be used for advertising and analytics purposes both on and off the Medium platfo…
California law gives residents enforceable rights to control how their personal information is used and shared, including the right to stop Medium from selling their data to third parties.
The provision establishes a procedural framework for exercising data subject rights and acknowledges regulatory obligations under EEA data protection law. The use of "reasonable steps" rather than ab…
This provision establishes the categories of personal data Medium collects across both direct user input and automated technical collection, which determines the scope of data subject rights requests…
These rights are legally enforceable under GDPR and give EU users meaningful control over their personal data held by Medium, including the ability to request full deletion of their account data.
This clause establishes the procedural mechanism by which Mercury may unilaterally update privacy practices and the conditions under which those updates become binding. It creates an operational fram…
This clause documents Mercury's acknowledgment of California statutory privacy obligations. The provision operationalizes CCPA/CPRA compliance requirements by explicitly enumerating the consumer righ…
Using financial account data to inform marketing by Mercury's partners goes beyond core service delivery and means your banking behavior may influence commercial outreach you receive.
Individual employees, owners, and signatories associated with a Mercury business account have their personal data collected and governed by this policy, which may not be obvious to those individuals …
This is the core data Mercury holds about you and your business, and its breadth means a wide range of sensitive financial and identity information is within Mercury's data environment.
The provision operationalizes parental supervision by granting account administrators the authority to regulate which users can communicate with the child through the platform. This mechanism establi…
This provision establishes a contractual obligation on developers to honor user deletion requests for platform-sourced data, creating an operational dependency between developer data retention practi…
This provision applies to developers and their associated account data, meaning that information about a developer's app usage, data practices, and platform activity may be disclosed to government au…
Key data rights disclosures, including what information is collected, how it is shared, and what user choices exist, are not contained in the Terms of Service itself but in an external document subje…
The terms assert age restrictions for minors but rely on self-declaration rather than active verification, which is a common but increasingly scrutinized practice in the context of child safety regul…
The real name requirement is a contractual obligation enforced through Meta's Authentic Identity Policies, and Meta reserves the right to request identity verification at any time, which may affect p…
This provision restricts developers from applying Facebook-sourced data, including user identifiers, location signals, and social graph information, to surveillance or monitoring applications, which …
This provision establishes a contractual security standard obligation for developers that runs parallel to, and must be assessed against, applicable regulatory security requirements such as GDPR Arti…
The phrase 'knowingly collect' is the operative standard under COPPA, but the policy does not describe what age verification or detection mechanisms Meta uses in practice, and regulatory and legislat…
This provision establishes the stated age restriction framework for Meta's products and the policy's asserted exclusion of child personal data collection, with the applicable minimum age varying by j…
This provision establishes that Meta collects multiple categories of location data, ranging from precise GPS-level device location to inferred location from social activity, and applies this data to …
The absence of fixed, disclosed retention periods for most data categories makes it difficult for users to understand how long their information is held or to exercise time-based deletion rights with…
The availability and practical accessibility of these rights varies significantly by region, and the actual mechanisms for exercising them, such as submitting deletion requests or objecting to proces…
This provision establishes the user-facing rights framework Meta asserts is available under applicable privacy law, while disclosing that those rights may be limited by competing legal obligations, M…
These access, deletion, and portability mechanisms establish operational procedures for Meta to fulfill data subject rights under privacy regulations including GDPR and similar frameworks. The provis…
This provision establishes Meta's operational framework for user data subject access and deletion requests, defining the mechanisms through which users may exercise data rights rather than requiring …
This provision establishes that Meta does not apply fixed retention periods across data categories but instead determines retention duration on a case-by-case basis, with 'protection of interests' an…
The clause operationalizes mandatory statutory rights under GDPR and UK GDPR by explicitly recognizing their availability to affected users and establishing MetaMask's obligation to facilitate their …
This provision operationalizes statutory California privacy obligations within MetaMask's contractual framework, establishing the procedural and substantive mechanisms through which California reside…
For EU and UK users, data transferred to the US must be protected by appropriate legal mechanisms; while SCCs are an accepted GDPR transfer tool, their adequacy in practice depends on the specific su…
For users in the EU, UK, and California, these rights are legally backed by GDPR, UK GDPR, and CCPA/CPRA respectively; however, the policy's conditional framing means users outside these jurisdiction…
The clause operationalizes data subject rights by designating a specific mechanism through which individuals can manage personal data retention and use. This establishes Microsoft's procedural obliga…
This provision operationalizes privacy governance by requiring systematic integration of data protection measures into product development cycles, establishing privacy as a foundational design requir…
The clause articulates a design principle requiring AI systems to incorporate privacy and security considerations as foundational operational requirements, particularly given AI's expanding capacity …
The provision creates operational mechanisms through which data subjects may exercise statutory rights under data protection regulations. It designates account.microsoft.com/privacy as a primary cont…
Users accessing Microsoft products through organizational accounts should be aware that their employer or institution may have access to their communications and files and may control their privacy s…
This provision establishes the internal ruleset Microsoft states governs AI product development, which is relevant to understanding what review processes exist before AI systems that affect consumers…
This principle addresses explainability and disclosure in AI systems, which is directly relevant to regulatory requirements around automated decision-making and the right to explanation under framewo…
This commitment describes how Microsoft states it addresses algorithmic bias in AI systems, which is relevant to consumers and regulated entities concerned about discriminatory AI outputs in areas su…
The statement establishes that children under 13 are subject to parental consent requirements before data collection occurs, which is relevant to families using Microsoft products and to compliance w…
Voice data is a sensitive biometric-adjacent category of personal data; the statement authorizes its collection and use for service improvement, and consumers in states with biometric privacy laws su…
The statement identifies residents of multiple U.S. states as having enforceable privacy rights under applicable state law, including the right to opt out of data sales and sharing for targeted adver…
This provision describes Microsoft's stated approach to personal data handling within AI systems, which affects how personal data provided to or processed by Microsoft AI products such as Copilot is …
The statement authorizes use of collected personal data including browsing behavior and interests for targeted advertising across Microsoft platforms and potentially on third-party platforms, which i…
This provision states a commitment to AI explainability that is directly relevant to regulated industries such as financial services, healthcare, and employment, where algorithmic decisions may be su…
This provision states a commitment to non-discrimination in high-stakes AI applications including medical treatment, loan decisions, and employment; these are areas where discriminatory AI outcomes m…
This clause implements compliance with the Children's Online Privacy Protection Act (COPPA), which mandates verifiable parental consent before collecting personal information from children under 13. …
This provision establishes Microsoft's acknowledgment of state-level privacy obligations and frames the privacy statement as operating within the parameters of existing state privacy legislation. The…
This provision establishes Microsoft's stated compliance with COPPA's minimum age threshold by prohibiting account creation for users under 13, but the enforcement mechanism and verification process …
The provision establishes operational mechanisms for users to exercise data subject rights under privacy frameworks. It obligates Microsoft to provide access, deletion, and portability tools or assis…
The statement describes a broad range of collected data categories including identifiers, device and configuration data, browsing and search history, location data, voice and audio recordings, and co…
The statement authorizes use of user-generated content and AI interaction data for model training and improvement, which may affect users who share sensitive or confidential information through Copil…
This provision acknowledges the applicability of privacy laws to AI systems and states that data collection, use, and storage in AI contexts should be transparent and subject to user control, which e…
This provision operationalizes compliance with the Children's Online Privacy Protection Act (COPPA) by establishing a consent requirement and deletion protocol. It creates a procedural framework wher…
The provision establishes a procedural mechanism for users to decline personalized advertising while defining the technical implementation and duration of the opt-out preference. The cookie-based app…
Employees and students using Microsoft products through their organization may not be able to exercise data rights (like deletion or access) directly with Microsoft and must instead go through their …
Interest-based advertising means your activity across Microsoft services, including search, browsing, and product use, may be used to build a profile for ad targeting, and you should be aware of how …
COPPA requires parental consent before collecting personal data from children under 13 in the U.S.; parents who discover their child has a Microsoft account or has used Microsoft services should act …
For users in the EU, UK, or other jurisdictions with strong data protection laws, international data transfers carry legal significance and Microsoft must rely on approved transfer mechanisms such as…
The privacy statement defines what data Azure collects from you, how it may be used for service improvement or diagnostic purposes, and what rights you have to access, correct, or delete your data.
Cookies used for interest-based advertising track your behavior across Microsoft and third-party sites; you can manage these through your browser settings or Microsoft's cookie preference tools.
Multiple U.S. states now have enforceable privacy rights that go beyond federal law; knowing your state-specific rights and how to exercise them with Microsoft can meaningfully limit how your data is…
This provision operationalizes data subject rights typically required under privacy regulations like GDPR and CCPA. It establishes the procedural mechanisms by which Microsoft will respond to individ…
The breadth of collection sources means that even data you did not actively provide to Microsoft may be held and used, including data obtained from third parties, which many users may not anticipate.
By agreeing to the Services Agreement, users also accept the data collection and processing practices described in the separate Privacy Statement, which covers all Microsoft consumer services includi…
Parents and guardians should be aware that children below the applicable age threshold, typically 13 in the US under COPPA, should not be creating or using Microsoft accounts without proper parental …
This provision allocates contractual responsibility by requiring either individual user age attestation or documented parental consent, and establishes parental liability for minor account holders' a…
The policy confirms that Midjourney generates and discloses inferences about user characteristics and behavior, which under CCPA and CPRA may be subject to specific opt-out and deletion rights beyond…
The clause establishes the operational scope of data sharing practices and designates the mechanism through which users can modify those practices. It clarifies that sharing for advertising purposes …
This provision clarifies that privacy settings, Stealth Mode, and content deletion do not remove content from the scope of guideline enforcement, meaning Midjourney retains the ability to review and …
The clause operationalizes legal obligations imposed by GDPR and UK data protection statutes rather than contractual obligations. It confirms the entity's recognition of statutory data subject rights…
The policy explicitly grants EU and UK users a defined set of GDPR data subject rights, including the right to erasure and the right to object to processing, which are enforceable under GDPR against …
The policy discloses that Midjourney does not sell personal information under CCPA but does not address whether data shared with business partners for advertising or other purposes constitutes CPRA-r…
The policy establishes a minimum age of 13 and invokes a COPPA-aligned framework for handling children's data, but relies on a reactive deletion approach rather than proactive age verification at poi…
This clause operationalizes statutory data protection rights under GDPR and equivalent regulations by explicitly confirming Midjourney's obligation to honor these requests and establishing the proced…
This provision establishes operational compliance with the Children's Online Privacy Protection Act (COPPA) and similar age-restriction regimes by defining the service's applicability threshold and o…
The agreement sets a minimum age of 13 and defers to each country's digital consent age, but relies on self-attestation for compliance; parents who permit minors to use the service accept contractual…
The policy authorizes sharing of personal data with advertising partners through cookies, which may result in your browsing activity and profile data being used to deliver targeted advertising.
The policy asserts that consent to cross-border data transfer is established by a user's agreement to the policy itself; whether this mechanism satisfies GDPR Chapter V transfer requirements may requ…
The policy discloses a broad set of data categories collected across account, device, behavioral, and content dimensions, including the content of prompts and uploaded images, which may contain perso…
The policy does not specify fixed retention periods for most data categories, instead using purpose-based retention language; the carve-out allowing extended retention to improve service functionalit…
The policy distinguishes between selling and sharing personal data under CCPA, acknowledging that advertising cookie sharing may qualify as sharing under CPRA, and provides California residents with …
The policy states that generated images are public by default, meaning any image you produce, along with the prompts associated with it, may be visible to other platform users unless you take affirma…
The policy explicitly identifies machine learning training as a context in which personal data is collected and used, which has implications for how users' submitted content and behavioral data may b…
Users need to read the Microsoft Privacy Statement separately to understand how their data is collected, used, and shared, as this EULA does not contain those details.
The policy states that gameplay interactions, purchase history, device identifiers, and IP addresses are collected, which together can form a detailed behavioral profile of each user.
The clause allocates account creation authority and terms acceptance responsibility to parents or legal guardians rather than minors, establishing a parental gatekeeping mechanism for account establi…
This provision establishes the scope of data collection across Minecraft services. The integration of Microsoft account data means that Minecraft-specific data collection is linked to Microsoft's bro…
The policy states that personal data including gameplay activity and account identifiers may be used for advertising and analytics purposes, which may affect users who do not expect their gaming acti…
Incorporation by reference creates a multi-layered privacy framework where Minecraft users are subject to both the Minecraft Privacy Statement and the Microsoft Privacy Statement. This structure cent…
The provision operationalizes regulatory obligations under GDPR and CCPA by establishing a documented mechanism for rights exercise and identifying the specific jurisdictional triggers and available …
This provision establishes operational content moderation standards for the platform. The restriction defines prohibited content categories and creates a baseline requirement for user-generated submi…
This provision establishes that Minecraft user data, including account identifiers, gameplay data, and device information, may be processed across Microsoft's global affiliate network. Compliance tea…
This provision establishes the procedural mechanisms through which users in regulated jurisdictions can exercise their statutory privacy rights in relation to Minecraft data. The rights are administe…
This provision establishes the conditions under which personal data collected through Minecraft is retained and the mechanism for requesting its deletion, which is operationally relevant for users wh…
The provision operationalizes GDPR compliance requirements within Minecraft's data processing framework, establishing legal obligations regarding data subject rights, lawful basis for processing, dat…
The provision creates a bifurcated privacy governance structure where the majority of Minecraft Services fall under Microsoft's privacy framework, while a distinct commercial component (the Shop) ope…
This incorporation by reference mechanism consolidates privacy obligations across Microsoft properties under a single governing document. The operational effect is that personal data practices applic…
This provision creates a bifurcated privacy framework where data handling obligations differ depending on which Minecraft service component the user accesses. By designating Snow Commerce as a separa…
The policy's reliance on a separate Microsoft document means users must review two distinct policies to understand the full scope of data collection, sharing, and rights applicable to their Minecraft…
This provision establishes that personal data collected from users of the Miro platform may be disclosed to advertising and analytics vendors, which is operationally significant for enterprise custom…
This provision defines the full scope of personal data Miro processes, which is material for enterprise data governance assessments because board content may include sensitive business information al…
Key obligations about data processing, AI use, cookies, and acceptable behavior are scattered across multiple separate documents, each of which may be updated independently, making it difficult to ma…
The CDPA establishes Miro's obligations as a data processor under GDPR and similar frameworks, defining the legal basis and conditions under which customer personal data is processed. Enterprise cust…
For business customers under GDPR or other data protection laws, the DPA is the operative legal instrument defining Miro's obligations as a data processor, and the subprocessors list determines which…
The provision operationalizes compliance with jurisdiction-specific data protection regulations by establishing a defined channel for rights requests. This structure creates procedural obligations fo…
If Miro retains your data for extended periods after account closure or inactivity, your information may remain in Miro systems longer than you would expect. Users who close accounts should consider …
This provision establishes the legal mechanism for cross-border data transfers, which is a material compliance consideration for EU and UK enterprise customers following Schrems II and the EU-US Data…
These rights give users meaningful control over their data and create enforceable obligations for Miro, but they only apply to users in covered jurisdictions and may require users to proactively subm…
The existence of a separate AI Terms Addendum means that users of Miro's AI features are subject to additional data processing terms that must be reviewed in conjunction with the privacy policy to as…
Board content often contains sensitive business or personal information, and users may not expect this content to be subject to the same data processing practices as account or usage data.
The existence of a separate DPA means that individual and free-tier users may have fewer contractual data protections than enterprise customers who have negotiated or accepted a formal DPA.
Le Chat conversations do not automatically expire, meaning every prompt and response you have ever sent is retained by Mistral AI until you take action to delete it, which creates a significant accum…
This provision places the full responsibility for child data protection compliance on the commercial Customer, including obtaining parental consents, which is a significant operational obligation for…
Your personal data may be included in Mistral AI's AI training even if you have never used any Mistral AI product, because the company sources training data from public internet content and third-par…
The Privacy Policy governs how Mistral AI collects, uses, stores, and shares your personal data across all of its services, making it one of the most consequential documents for all users.
Sensitive personal data such as health information that you casually mention in a chat prompt could be automatically stored and retained by the Memory feature, creating a personal profile that persis…
The 'without undue delay' notification standard aligns with GDPR Article 33's 72-hour supervisory authority notification requirement, but the DPA does not specify a fixed notification deadline to cus…
The 13-year minimum age is consistent with US COPPA thresholds but may not align with higher digital age of consent standards in other jurisdictions, such as 16 in some EU member states or 13 in the …
By incorporating external policies into the governing agreement through reference, this clause creates a unified regulatory framework where the Privacy Policy, Cookie Policy, and Usage Policy operate…
Free-tier users' conversations are treated as training data by default, meaning your personal questions, instructions, and AI responses could influence how Mistral AI's models behave for all users un…
This provision directly addresses deepfake-style generation and AI impersonation, which are areas of increasing regulatory attention and potential legal liability for users.
The agreement discloses that conversation links create publicly accessible records of potentially sensitive interactions, and Mistral AI expressly disclaims any responsibility for controlling or moni…
This allocation of responsibility clarifies the operational structure of data collection under the agreement: customers act as the party responsible for legal compliance with consent and disclosure r…
Retention periods are not defined with specific timeframes in this provision, meaning the duration for which personal data may be held is discretionary within the bounds of stated business necessity …
The use of cookies and tracking technologies for analytics and behavioral profiling is subject to consent requirements in the EU and UK under the ePrivacy Directive, and the data collected feeds into…
This provision establishes the mechanisms through which individuals can exercise statutory data rights; the availability of specific rights depends on the user's jurisdiction, so not all rights liste…
This provision is the stated legal basis for Mixpanel's cross-border transfer of EU, UK, and Swiss personal data to the U.S.; if Mixpanel's certification lapses or the framework is invalidated, the l…
This provision operationalizes Mixpanel's compliance obligations under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), establishing specific mechanisms through wh…
The provision establishes a mechanism through which users can control whether Mixpanel collects data from their device. The opt-out relies on a persistent cookie, meaning the user's opt-out preferenc…
This provision establishes a procedural mechanism for users to exercise control over whether their data is collected by Mixpanel's analytics platform. The availability of an opt-out mechanism defines…
This provision grants California residents a specific statutory right to stop their data from being shared for behavioral advertising, and Mixpanel acknowledges that its advertising-related data shar…
This provision operationalizes Mixpanel's compliance obligations under GDPR and UK data protection law by explicitly recognizing and establishing a procedural mechanism (designated contact email) thr…
These rights give users meaningful control over their personal data, but the policy qualifies them as dependent on location and applicable law, meaning not all users have the same rights.
Cookies and tracking technologies enable monday.com and its advertising partners to build behavioral profiles based on your browsing and platform activity, which can be used for targeted advertising.
This provision establishes Monday.com's acknowledgment of California statutory privacy rights and creates operational obligations for the entity to implement mechanisms through which California resid…
The clause establishes Monday.com's recognition of statutory data protection rights under GDPR and UK data protection frameworks, creating operational obligations for the entity to enable these right…
This distinction means individual employees using monday.com through a corporate account should look to their employer's privacy policy for rights over their work data, as monday.com does not act as …
The breadth of data collected, spanning identifying information, payment details, and behavioral usage data, means monday.com builds a detailed profile of each user over time.
Transferring personal data out of the EEA to the United States means your data is subject to US law, including potential government access requests, and the adequacy of the transfer mechanism may be …
The absence of specific retention periods means personal data may be retained for an indeterminate period after you stop using the service, until you actively request deletion or your account is clos…
This clause establishes the legal foundation for data processing activities that do not require explicit user consent under GDPR. It permits the entity to conduct processing for operational and busin…
Using AI features may result in your work data or personal information being used to train or improve AI models, which is a secondary use of data beyond the core service delivery purpose.
The retention period is not precisely defined, which means your health and fitness data could be held for an extended and uncertain duration even after you stop using or delete your account.
Fitness and calorie tracking apps can appeal to younger teenagers, and the policy's minimum age threshold and compliance with COPPA is important for parents and for regulatory compliance.
Tracking technologies enable the collection of behavioral data that can be linked to your health app usage and used to build advertising profiles, extending data use beyond what you actively input in…
This provision operationalizes a statutory right required under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), establishing the company's process for honoring Ca…
GDPR provides strong legal protections for EU users, particularly relevant when a company processes sensitive health data, and these rights are enforceable through national data protection authoritie…
Connecting wearables or other health apps creates a more detailed health data profile within MyFitnessPal, which is then subject to the same data use and sharing practices described in this policy.
California's CCPA/CPRA gives users meaningful control over how their health and fitness data is used and shared, including the ability to opt out of data sharing with advertising partners without los…
The policy discloses that data subject rights are available and exercisable via a stated portal; the availability and scope of these rights depends on jurisdiction, with EU/EEA and California users h…
The policy discloses that personal data may be transferred internationally and that NVIDIA relies on Standard Contractual Clauses or equivalent mechanisms; the adequacy of these mechanisms and NVIDIA…
The provision establishes a procedural mechanism for users to exercise data rights that may be mandated under applicable privacy laws in their jurisdiction. The authorization to submit requests creat…
International data transfers from the EU/EEA and UK to countries without an adequacy decision require specific legal mechanisms under GDPR and UK GDPR; the policy's reference to transfer mechanisms i…
The policy acknowledges user privacy rights under applicable law, with the specific rights available depending on the user's jurisdiction; EU/EEA users have rights under GDPR, California residents ha…
The provision defines what categories of technical and behavioral information Netflix may gather during service operation. This establishes the informational scope applicable to the privacy practices…
This provision creates a procedural mechanism through which users may initiate communications about privacy practices and submit formal data subject access requests, which are typically required unde…
This provision establishes Netflix's obligations to provide data subject access upon request, maintain mechanisms for data correction and deletion requests, and enable data portability. These obligat…
This provision establishes Netflix's operational position regarding compliance with the Children's Online Privacy Protection Act (COPPA) and similar regulatory frameworks governing collection of data…
The policy discloses the use of advertising identifiers and third-party tracking technologies for behavioral advertising, which may require consent under EU and UK cookie laws and GDPR, and opt-out m…
This provision operationalizes Netflix's compliance with regional privacy regulations by establishing a framework through which users can exercise legally recognized data rights. The provision condit…
The policy does not state specific retention durations for most data categories, instead reserving discretion to determine retention based on business and legal purposes; this may be relevant to user…
The policy's assertion that Netflix does not knowingly collect personal information from children under 13 engages COPPA obligations; however, the presence of Kids Profile features and the collection…
The policy explicitly states collection of voice recordings and transcripts, which may implicate state wiretapping statutes and biometric privacy laws depending on jurisdiction and implementation.
This provision conditions the availability of privacy rights on the user's jurisdiction, meaning the scope of rights available to a given user depends on their location and the applicable legal frame…
This provision authorizes data sharing with third-party advertising and analytics partners, which under CCPA/CPRA may constitute a sale or sharing of personal information and triggers opt-out obligat…
Your neighborhood conversations, neighbor connections, and browsing behavior within Nextdoor are tracked and used for profiling, meaning your community activity generates advertising data.
This provision authorizes collection of precise location data as both a functional and advertising-related data practice, which implicates heightened sensitivity classifications under CPRA and requir…
Providing a verified home address is a mandatory condition of using Nextdoor, meaning your physical location is always known to the platform and is foundational to all data Nextdoor collects and proc…
This provision establishes a mandatory association between a user's verified home address and their platform account, which represents a persistent high-sensitivity data linkage that compliance teams…
This provision establishes Nextdoor's compliance framework with California privacy statutes by affirming consumer rights that are mandated by law. The clause confirms the operational mechanisms throu…
California residents have stronger legal rights than users in most other US states, including the ability to stop Nextdoor from sharing their data with advertising partners.
Contact list uploads can expose the personal information of people who have not consented to Nextdoor's data collection, raising significant third-party privacy implications.
This provision establishes that account closure does not necessarily result in immediate deletion of all user data, which is a material consideration for users seeking to exercise deletion rights and…
A corporate transaction could result in your neighborhood, location, and behavioral data being transferred to a new entity with different privacy practices, potentially with limited user recourse.
EU and UK users have stronger and more broadly applicable data rights than US users in most cases, including the right to object to processing and to receive a copy of their data in a portable format.
The breadth of data collected across multiple touchpoints (console, mobile, web, retail) means Nintendo builds a detailed profile of each user's gaming behavior, spending patterns, and device usage, …
The provision establishes Nintendo's acknowledgment of California statutory consumer privacy rights and creates a framework through which California residents may exercise those rights under state la…
CCPA gives California residents enforceable rights over their personal data that go beyond what Nintendo extends to users in other states; if you are a California resident, you have specific mechanis…
The provision establishes user control mechanisms over direct marketing communications and personal data management. These controls establish procedural pathways for users to manage their engagement …
This provision establishes Nintendo's COPPA compliance posture for the main websites and places responsibility on parents to monitor and report unauthorized child data collection.
Voice communications are a sensitive category of personal data; their collection during gameplay is not always expected by users and the policy reserves the right to use them for compliance and safet…
Tracking technologies allow Noom and advertising partners to build profiles of user behavior that extend beyond the Noom platform, including users who have entered sensitive health information.
Many users assume that a health and wellness app is subject to HIPAA protections; this disclaimer clarifies that Noom's data practices are governed by its own privacy policy and applicable consumer p…
This provision operationalizes statutory GDPR rights by designating a specific contact mechanism and establishing procedures through which residents can exercise data access, correction, deletion, po…
This provision operationalizes Noom's compliance framework for children's privacy protections under federal law. The restriction on selling and sharing minor users' personal information establishes a…
This provision operationalizes California privacy law requirements by establishing the procedural mechanism through which users can exercise statutory data control rights. It delineates the scope of …
Health data is among the most sensitive categories of personal information; its collection and potential sharing creates meaningful privacy exposure for users.
The terms confirm that prompts, uploaded files, and AI outputs are collected by Google and subject to its Privacy Policy; users who want to understand the full scope of data collection and retention …
The policy explicitly grants access, correction, deletion, portability, restriction, and objection rights to users in applicable jurisdictions, and directs users to contact privacy@makenotion.com to …
The policy authorizes use of cookies and tracking pixels by both Notion and unnamed third-party partners; the HTML source of the privacy policy page itself loads tracking scripts from Facebook, Googl…
The policy asserts consent to international data transfer based on use of the service, but under GDPR this type of implied consent is generally insufficient as a transfer mechanism; the policy separa…
This clause operationalizes California statutory rights under CCPA/CPRA by specifying the submission mechanism and contact points through which residents may direct the entity to cease sale or sharin…
This provision authorizes workspace administrators, which may include employers or institutional operators, to access and act on member content and personal data without requiring member consent for …
The Privacy Policy is the primary document through which Notion discloses its data collection and processing practices, and it is the basis on which users can exercise data rights including access, d…
The provision establishes Notion's structural compliance mechanism for California-specific privacy obligations by creating a distinct notice separate from the general privacy policy. This approach al…
The clause operationalizes Notion's compliance obligations under GDPR and related regional data protection frameworks by explicitly recognizing and documenting the statutory rights available to users…
This clause creates a procedural framework for privacy request submission and establishes Okta's obligation to honor rights that vary by jurisdiction. The provision operationalizes compliance with da…
This means Okta may hold and use personal data about you that you never knowingly provided to them, sourced from data brokers or list vendors, and you may be unaware of its existence or how it was ob…
EU, UK, and Swiss users' personal data is being transferred to the United States, and the legal validity of that transfer depends on Okta's correct implementation of the current SCCs, which were upda…
Sharing data with advertising and analytics partners means your personal information may be used by companies beyond Okta to build profiles or serve targeted advertising, which is a significant pract…
Even though Okta states it does not 'sell' data in the traditional sense, California law's definition of 'sharing' for advertising purposes is broad enough to capture certain analytics and advertisin…
Tracking technologies on okta.com collect behavioral and device data that can be used for advertising targeting and analytics, and some of this data may be shared with third-party advertising partner…
This clause documents OneLogin's acknowledgment of mandatory California privacy law obligations. The provision operationalizes CCPA/CPRA requirements by explicitly recognizing resident entitlements t…
These rights allow you to take control of your personal data, but they are jurisdiction-dependent, meaning users outside the EU and California may have more limited enforceable rights under this poli…
Without fixed retention periods, users cannot know how long their data will be held, which limits their ability to plan for or request deletion of their information.
International data transfers to countries without equivalent data protection laws create risk that your data may be subject to different legal standards, including potential government access regimes…
Personal data including government IDs, financial information, and usage data is shared with multiple external vendors, each of which represents an additional data security and privacy risk vector ou…
Knowing your data rights and how to exercise them is essential for controlling how OnlyFans uses your personal information, particularly for users in the EU, UK, and California where these rights are…
Privacy practices could change materially after you sign up, and because updated terms are effective upon posting rather than upon explicit re-consent, users may be bound by new data practices withou…
The 18+ requirement and age verification process directly affect the type of personal data collected during onboarding, including biometric-adjacent selfie data, and create legal obligations around a…
Content Collaborators, who may not be active platform users, are required to submit highly sensitive personal and identity data to OnlyFans, creating privacy obligations for individuals who may not h…
Private chat messages on OnlyFans are retained by the platform as personal data, which means they could be accessed by OnlyFans staff, shared with third parties under applicable circumstances, or exp…
Your financial information, including payment card details, is shared with third-party processors and OnlyFans subsidiaries, expanding the circle of entities that hold your sensitive financial data.
The distinction between enterprise and consumer product data governance is operationally significant: employees or contractors who use personal free ChatGPT accounts for work tasks would not benefit …
The provision creates an operational framework for OpenAI to comply with GDPR obligations applicable to EU residents. This establishes formal procedures and institutional responsibilities for data su…
This provision establishes that OpenAI offers BAA execution as a contractual mechanism for healthcare sector customers subject to HIPAA, which is a prerequisite for lawful processing of protected hea…
The clause operationalizes California's statutory privacy framework by specifying the mechanism for exercising CCPA rights and clarifying OpenAI's position on data sales practices. This establishes t…
The provision operationalizes compliance with regional data protection regulations by establishing a procedural mechanism for users to submit and exercise statutory rights. The location-dependent fra…
This provision authorizes sharing of personal data including identifiers, usage data, and behavioral data with advertising partners, which under CCPA may constitute a 'sale' or 'sharing' of personal …
This provision establishes the minimum age requirement and places compliance responsibility on parents for minors aged 13 to 17, which has implications for both COPPA compliance and parental liabilit…
This provision operationalizes OpenAI's compliance with California's statutory privacy obligations by establishing the specific rights holders, the categories of rights available, and the procedural …
This provision establishes the legal mechanism for transferring EU/EEA, UK, and Swiss personal data to OpenAI in the United States, which is a mandatory requirement under GDPR Chapter V. Operators re…
GDPR data subject rights are legally mandated protections that exist independently of what the contract states; the document's disclosure of these rights and the mechanism for exercising them is oper…
The agreement places responsibility on parents or legal guardians for minors' use of the services, which has direct implications for parental liability and the attribution of contractual obligations …
This provision operationalizes OpenAI's compliance with data protection regulations that vary by jurisdiction, such as GDPR and comparable statutes. It establishes that users can exercise legally-man…
The provision operationalizes California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) statutory obligations within the contractual framework, establishing the entity's complia…
The distinction between enterprise and consumer data handling terms is operationally significant: organizations that use both consumer and enterprise OpenAI products may be subject to different data …
Security certifications and commitments in the enterprise context affect whether business customers can rely on OpenAI's infrastructure for processing sensitive organizational or personal data, and w…
GDPR Article 28 requires processors to obtain prior authorization from the data controller before engaging subprocessors, and the controller must be informed of any intended changes; the subprocessor…
The provision creates a verification and consent framework that governs account eligibility and establishes a mechanism for parents or guardians to request account removal if unauthorized use occurs …
This provision establishes the age threshold for service eligibility and invokes COPPA compliance obligations; the 'knowingly' qualifier means enforcement depends on OpenAI's ability to detect undera…
This provision identifies the specific state-law rights available to users in California, Virginia, Colorado, Connecticut, and Texas, and directs users to a single privacy request portal to exercise …
The policy identifies conversation content, uploaded files, images, and audio as data categories collected, which means that any personal, professional, or sensitive information submitted during a Ch…
The terms prohibit use by children under 13, engaging COPPA compliance obligations, and require parental consent for users aged 13 to 17, but the document does not specify a verified consent mechanis…
This provision identifies the specific rights available to U.S. state residents under applicable privacy statutes, which are legally enforceable regardless of OpenAI's policy terms.
This provision establishes the minimum age as 13, which aligns with COPPA's threshold; however, it does not describe age verification mechanisms, which may affect practical enforcement of this restri…
This provision establishes that a significant category of OpenAI-powered interactions, those occurring through third-party API applications, falls outside the protections described in this policy, an…
The scope of data collected includes both identifiers and the substantive content of user interactions, meaning OpenAI retains records of what users type, upload, and discuss across its services.
This provision determines whether the content of your interactions, including text prompts, uploaded files, and feedback, may be incorporated into future AI model development, which has implications …
This provision establishes the primary data use boundary for enterprise and API customers, directly affecting purpose limitation and data minimization compliance under GDPR and equivalent frameworks.…
The document discloses that synthetic voice generation is a core capability of GPT-4o and that consent-based controls were applied for the voice presets used in ChatGPT, which is directly relevant to…
The breach notification commitment triggers the operator's own regulatory notification obligations under GDPR (72-hour notification to supervisory authority), UK GDPR, and state breach notification l…
This provision establishes the minimum age threshold and parental consent requirement, which carry significant compliance implications under COPPA in the US and equivalent child protection frameworks…
This provision places primary legal responsibility on the operator for the lawfulness of data processing instructions, meaning that if a business submits personal data to the API without a valid lega…
This provision establishes OpenAI as a service provider rather than a third party under CCPA/CPRA, which is a legally significant distinction that affects how the business customer can characterize i…
This provision establishes that the operator, not OpenAI, is the primary party responsible for responding to data subject rights requests, and that OpenAI's assistance is conditional on what is techn…
The provision establishes the operational framework for compliance with data subject access rights under privacy regulations like GDPR and CCPA. It defines the process by which users exercise control…
The provision operationalizes OpenAI's obligations under California state privacy law, establishing procedures through which California residents can request data access, deletion, and opt-out electi…
This distinction is material for businesses processing employee or customer data through OpenAI products, as it affects whether submitted inputs could be incorporated into future model outputs access…
The clause creates a procedural framework for incident disclosure that establishes OpenAI's notification timeline and the scope of information that must be communicated to customers. This framework e…
The 30-day retention limit with automatic deletion is a specific, time-bounded data handling commitment that is material for organizations with data minimization obligations under GDPR or other regul…
This provision directly addresses one of the most common concerns for enterprise customers: whether their proprietary data, client information, or confidential inputs could be incorporated into OpenA…
This provision establishes minimum age eligibility for all OpenAI services and imposes a parental consent requirement for minors between 13 and 17. The provision creates compliance obligations for op…
The clause operationalizes statutory obligations under GDPR and UK data protection law by explicitly enumerating the mechanisms through which EEA and UK users may exercise their rights against the co…
This provision establishes OpenAI's eligibility framework and allocates responsibility for compliance with the Terms to parent or guardian entities when minors are involved. It creates a contractual …
This provision covers both cybersecurity intrusion and privacy-violating data aggregation, addressing a broad range of potential misuse from hacking to building unauthorized surveillance tools, and t…
Under GDPR Chapter V, cross-border transfers of personal data to non-adequate third countries require an approved transfer mechanism; this provision discloses that OpenAI uses Standard Contractual Cl…
This provision establishes OpenAI's acknowledgment of California privacy statutes and the consumer rights those statutes create. The clause operationalizes the company's compliance framework for resi…
This provision authorizes disclosure of personal data to government and law enforcement entities without specifying whether OpenAI provides notice to affected users or applies additional safeguards s…
This provision implements age-gating requirements under children's privacy regulations, particularly COPPA in the United States. The deletion obligation establishes a procedural response to unauthori…
The service provider designation under CCPA has direct implications for enterprise customers' compliance obligations: if OpenAI qualifies as a service provider, its processing is excluded from the de…
This provision directly affects enterprise customers' data minimization posture and their ability to represent AI data governance to regulators and auditors. The default exclusion from model training…
Data retention terms directly affect enterprise customers' compliance with GDPR storage limitation principles, CCPA deletion rights obligations, and internal data governance policies. The distinction…
This provision authorizes transfer of personal data during corporate transactions, including during the negotiation phase, without requiring individual user notification prior to the transfer, which …
The provision conditions the availability of data rights on user jurisdiction, establishing that OpenAI recognizes regulatory frameworks that vary by location and commits to honoring applicable statu…
The absence of fixed retention timelines means users cannot rely on a defined period after which their data will be deleted, and the scope of legitimate retention grounds is broad.
This provision establishes the contractual mechanism for GDPR Article 28 processor compliance and cross-border data transfer requirements for EU/EEA customers, and is the operative instrument for org…
This provision creates a contractual framework for minors' access to the service by requiring parental or guardian consent and establishing parental responsibility for the minor's compliance with the…
The provision operationalizes data subject rights obligations under privacy regulations by specifying the rights available based on user location and establishing the procedural mechanisms through wh…
The policy states that tracking technologies are used to market additional products or services, which may constitute cross-context behavioral advertising subject to opt-out rights under CCPA and con…
The policy does not specify defined maximum retention periods for specific data categories, meaning personal data including account information, transaction records, and browsing data may be retained…
The policy acknowledges GDPR and UK GDPR rights for EEA and UK users but does not specify the lawful basis for processing under GDPR Article 6, which may be material for users or regulators assessing…
The policy authorizes sharing of personal data with advertising and analytics vendors in addition to operational service providers, which may result in personal data being used for purposes beyond se…
This provision authorizes cross-site behavioral tracking through third-party cookies, a data practice that engages both GDPR consent requirements and CCPA opt-out rights, and that the policy links to…
The policy states that Inputs containing personal data are collected by OpenRouter, which means content submitted through the service interface, such as names, contact details, or other identifiable …
The policy states changes apply to existing data retroactively, meaning processing practices for data already collected may change without the user needing to take any affirmative action to accept ne…
This provision establishes that personal data may be disclosed to an unspecified number of third-party vendors and business partners across analytics, marketing, and distribution functions, without e…
This provision establishes that personal data may be transferred to prospective acquirers or transaction counterparties prior to completion of a corporate transaction, without individualized user con…
This provision establishes that CCPA-specific rights are documented in a separate notice rather than in the main policy, requiring California residents to locate and review an additional document to …
The policy enumerates the full set of CCPA rights available to California residents, including the right to opt out of sharing for cross-context behavioral advertising and the right to limit use of s…
The policy authorizes transfer of user personal data, including account information and transaction records, to acquiring or successor entities as part of corporate transactions, without requiring us…
The agreement sets a minimum age of 13 and requires parental consent for users under 18, but the enforcement mechanism is self-representation rather than verified age gating, which may create complia…
This provision establishes that non-material policy modifications take effect upon posting without individual notification, and that continued use of the Site or Service constitutes acceptance of rev…
This provision authorizes collection of a broad set of behavioral and device-level identifiers through automatic technologies, including data categories such as location data and browser history that…
These rights give California users meaningful control over how their personal data, including wallet addresses and transaction history, is used and shared by OpenSea.
Wallet addresses can be linked to real-world identities and reveal complete financial and transaction histories, making their treatment as personal data a significant privacy consideration for NFT us…
The provision creates a procedural mechanism for California residents to exercise rights under California privacy law by designating specific channels for opt-out requests and establishing a 15 busin…
This provision establishes that wallet addresses are treated as personal data subject to the policy's terms, while simultaneously acknowledging that on-chain activity is publicly accessible by the na…
Tracking technologies collect detailed behavioral data that can be combined with wallet address and transaction data to create comprehensive user profiles, which may be shared with advertising partne…
EEA and UK users have strong GDPR protections that may not be replicated in the US, and cross-border data transfers require specific legal mechanisms to be lawful under GDPR.
This provision establishes GDPR-based rights for EEA and UK users and requires OpenSea to identify the lawful basis for each category of processing, which creates obligations around consent managemen…
This provision establishes minimum age thresholds and parental consent requirements for minor users, which creates COPPA compliance considerations for users under 13 and operational consent verificat…
Given that OpenSea holds sensitive financial data including wallet addresses and NFT transaction histories, the security disclaimer means users bear residual risk from potential data breaches.
This provision establishes specific procedural rights for California residents, including the right to opt out of the sharing of personal data with advertising partners, which requires OpenSea to pro…
This provision establishes that data exchanged through third-party integrations is governed in part by the third parties' own terms and policies, and that Oura's compliance with those terms is condit…
This provision authorizes advertising-related data processing on behalf of third-party partners in addition to Oura itself, with the details of those partner relationships and data flows deferred to …
This provision asserts that Oura does not sell personal data; however, the policy separately discloses advertising-related data processing on behalf of partners using cookies and similar technologies…
California law provides stronger privacy protections than the baseline policy, including opt-in rights for sensitive personal information and the right to limit use of sensitive data, which are opera…
This provision applies the legitimate interest basis to processing that includes health-adjacent data (service improvement involving sleep and readiness data), which EU supervisory authorities may sc…
Legitimate interest as a lawful basis for marketing-related processing means Oura may use your data for these purposes without a separate consent prompt, though you have the right to object to this p…
Precise location data combined with detailed health and biometric data creates a particularly sensitive data profile; users should be aware they can disable location tracking without losing core Oura…
This provision establishes that data deletion upon account closure is subject to carve-outs for legal obligation and protection of Oura's legal interests, the latter of which is a broad retention bas…
This provision establishes that precise location data may be collected via GPS and Wi-Fi triangulation for activity tracking purposes, conditioned on device-level consent. The policy notes that disab…
Third-party analytics tools can share your browsing data with advertising platforms, and their use on a privacy policy page specifically has attracted regulatory attention in some EU jurisdictions re…
Legitimate interests is a flexible but contestable lawful basis; individuals in the EU and UK have the right to object to processing conducted on this basis, and Palantir must stop if it cannot demon…
This clause operationalizes jurisdictional data protection obligations by establishing a defined contact mechanism and acknowledging that rights availability depends on applicable law in the individu…
Recruitment data is sensitive and may be retained beyond the hiring decision; the policy should specify retention periods and whether applicant data may be used for future roles or shared with third-…
Precise geolocation is considered sensitive personal information under CPRA and several other state laws, meaning its collection and use is subject to heightened restrictions and disclosure obligatio…
Tracking technologies enable Paramount+ and its partners to build detailed behavioral profiles of users across sessions and devices; users who do not manage cookie preferences may have more data coll…
This provision operationalizes Paramount+'s compliance obligations under California privacy law by articulating the specific individual rights mechanisms available to California residents. The enumer…
California residents have specific and enforceable legal rights over their personal data, including the right to stop Paramount+ from sharing their information with advertising partners, which is a s…
Parents should actively supervise minors' accounts on Paramount+, as the terms require parental involvement for users under 16 and the platform collects personal information that may include data abo…
Location data enables Paramount+ to control which content you can access based on where you are, and may also be used for advertising targeting purposes, making it a category of data with both servic…
The provision establishes that Paramount+ recognizes jurisdiction-specific data subject rights that operate independently of the privacy policy terms. This framing indicates the company acknowledges …
The provision operationalizes GDPR and similar privacy law obligations by designating a specific administrative channel for rights requests, standardizing the submission process and establishing a do…
This provision establishes PayPal's authority to unilaterally modify privacy terms and specifies the notice procedures that apply. The distinction between legally-mandated notice (30 days) and non-ma…
This provision establishes ongoing consent for credit report pulls tied to PayPal's unilateral determination of elevated risk, without defining specific criteria for what constitutes an increased ris…
This provision authorizes ongoing credit report access beyond initial account opening, triggered by PayPal's internal risk assessment, which may result in multiple credit inquiries over the life of t…
This provision discloses that data collection and the associated Privacy Statement obligations apply even to individuals who have not affirmatively created a PayPal account, and that historical trans…
This provision discloses that transaction and experience data from three distinct PayPal-affiliated services is combined into a unified profile for personalization purposes, which may aggregate data …
This provision establishes the procedural framework through which PayPal modifies its privacy obligations and data handling practices. The 30-day notice requirement applies conditionally based on leg…
The statement asserts that precise geolocation data is collected while users are logged into their financial account, meaning location tracking occurs during active financial account sessions even if…
This clause operationalizes Peacock's compliance obligations under California privacy statutes by explicitly acknowledging resident entitlements and establishing a procedural mechanism for exercising…
Joint controller status under GDPR means both companies share legal responsibility for compliance with data subject rights, and users should be aware they may need to direct certain requests to both …
This provision is designed to comply with COPPA, which restricts the collection of personal information from children under 13 without verifiable parental consent. Parents who discover a child has an…
Health and fitness data is increasingly treated as sensitive personal information under state and federal frameworks, and combining it with NBCUniversal's existing behavioral and demographic data cre…
This clause removes all policy-based protections from a broadly defined category of data derived from your personal information, creating a potential pathway to unrestricted commercial use of data ab…
This clause establishes Peacock's operational procedure for processing opt-out preference signals transmitted through browser mechanisms. The provision conditions recognition on legal requirements, m…
The policy relies on a knowledge-based trigger for child data protections in the U.S. ('actual knowledge'), which is the COPPA standard, but does not describe what age verification measures are in pl…
EU and UK users are entitled to have their data protected to GDPR standards even when transferred abroad, and this clause creates an obligation on Peloton to implement legally adequate transfer mecha…
These rights give California users meaningful control over their Peloton data, including the ability to stop their fitness and health metrics from being used for advertising, which is particularly si…
The absence of specific retention periods for health and fitness data means Peloton could retain your detailed workout history indefinitely unless you actively request deletion, which limits users' p…
Tracking technologies enable Peloton and third parties to build a behavioral profile of your online activity, which can affect the ads you see and how your data is shared across the advertising ecosy…
The provision creates a procedural structure for compliance with California state privacy law by segregating state-specific rights and data handling practices into a dedicated notice. This modular ap…
This provision acknowledges and codifies Peloton's obligation to honor California statutory privacy rights without requiring affirmative consumer action to establish eligibility. The clause confirms …
These age restrictions are legally significant because COPPA imposes specific consent and data protection requirements for users under 13, and the under-18 requirement creates compliance obligations …
GDPR provides some of the strongest data protection rights globally, and EU and UK Peloton users can exercise these rights to control health and fitness data collected through their equipment and app.
This provision operationalizes Peloton's compliance obligations under GDPR and comparable regional data protection regimes by explicitly acknowledging the statutory rights holders may exercise. The c…
The controller-processor designation determines who bears primary legal responsibility for data protection compliance and how data subject rights must be handled. Under GDPR, the controller (the busi…
This provision establishes COPPA compliance posture for US operations. The absence of described age verification mechanisms raises a practical question about how the under-13 restriction is enforced …
This provision establishes GDPR data subject rights for EU/EEA, UK, and Swiss users and references the right to complain to supervisory authorities, which is a mandatory GDPR transparency requirement…
This clause establishes the foundational processor-controller relationship required by GDPR Article 28, and its scope directly determines whether Perplexity's AI processing activities remain within t…
Sharing data with advertising networks means your usage patterns and potentially your query behavior could inform targeted advertising across the internet, not just within Perplexity.
This provision establishes the minimum age requirement for platform access and conditions adolescent use on parental consent, creating compliance obligations under COPPA for users under thirteen and …
A future acquirer of Perplexity would receive your historical query data and account information, and may operate under a different privacy policy than the one you originally agreed to.
The adequacy of security measures directly affects whether personal data processed through Perplexity AI's services is protected against breaches. The DPA's language on security typically defines bot…
Search queries often contain sensitive personal, professional, or financial information, and users may not expect that a search-style interaction is contributing to AI model development.
For users in the EU, UK, and other jurisdictions with strong data protection laws, transferring personal data to countries without equivalent protections requires specific legal safeguards that the p…
This provision establishes a COPPA-aligned age threshold, but relies on a reactive rather than proactive verification mechanism. The policy does not describe what age verification procedures are in p…
This provision implements California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) statutory requirements, establishing the operational framework through which the entity must …
This clause implements the GDPR Article 28(3)(g) data return and deletion requirement and is operationally significant for customers managing data lifecycle obligations and vendor offboarding procedu…
The clause operationally implements statutory data protection obligations applicable to those jurisdictions by confirming users' ability to invoke individual rights and establishing a contact mechani…
The policy relies on a reactive deletion mechanism rather than an active age verification process, which may leave children's data at risk until discovered, and some jurisdictions set higher age thre…
This provision establishes a prohibited use category that interacts with GDPR, CCPA, and other privacy frameworks, and may be relevant for enterprise users who query the platform using third-party pe…
This provision establishes the full scope of personal data collection, including voice and audio data which may be subject to additional state-level protections (such as Illinois BIPA or Washington's…
This clause governs the sub-processor oversight mechanism required by GDPR Article 28(2); the practical enforceability of the objection right depends on the notice period length and whether the termi…
This clause establishes Perplexity's security obligations under GDPR Article 32 and its breach notification obligation under GDPR Article 33; the 'without undue delay' standard for processor-to-contr…
This clause addresses the GDPR Article 28(3)(e) requirement that processors assist controllers with data subject rights obligations; the 'insofar as this is possible' qualification may limit the scop…
Audit rights are required under GDPR Article 28(3)(h) and are operationally significant for customers conducting vendor due diligence; the practical scope of the audit right, including whether it cov…
Transfers of personal data from the EU or UK to countries without an adequacy decision require a legal transfer mechanism. The adequacy and implementation of that mechanism determines whether the tra…
Without defined retention periods, users have no clear expectation of when their query history, account data, or interaction records will be deleted, and data may be retained indefinitely under broad…
California law gives you specific, enforceable rights over your data with legal backing, not just a courtesy option, and Perplexity is required to honor these requests within statutory timeframes.
Third-party tracking tools embedded in the service can collect data about your browsing and query behavior across sessions and potentially across other websites, building a profile beyond what you di…
The absence of specified retention periods for distinct data categories, including query content, voice audio, and conversation history, creates uncertainty for compliance assessments and may engage …
The prohibition on under-13 use and the stated data deletion commitment engage COPPA compliance obligations, but the terms rely primarily on users self-certifying their age rather than implementing a…
This provision establishes the legal framework governing EEA and UK user data, including the reliance on standard contractual clauses for international transfers. The adequacy of these safeguards and…
The 13-year minimum age threshold is the COPPA boundary in the United States, and the parental consent requirement for minors under 18 creates compliance obligations for the platform regarding how it…
This provision does not specify retention periods for individual data categories, including conversation history and voice data, which creates compliance uncertainty under GDPR's data minimization an…
This provision establishes the mechanism through which California residents may exercise statutory rights under CCPA and CPRA. The operational completeness of the privacy rights form and Perplexity's…
This provision governs how enterprise customers' proprietary business information submitted through or in connection with the platform is treated, which is operationally significant for organizations…
This provision establishes the operational framework under which California residents can exercise statutory privacy rights. Compliance teams should verify that each enumerated right is technically a…
This provision establishes COPPA-relevant age thresholds and conditions platform access for minors aged 13-17 on parental consent. The operational implementation of the consent mechanism is not descr…
This is a legal compliance baseline under COPPA but relies primarily on self-reporting and parental monitoring rather than technical age verification, meaning children may still access and interact w…
Third-party tracking can result in your usage data being shared with advertising or analytics companies, potentially beyond Pika's direct control, which affects your privacy and how your data is used…
The 13-year minimum age threshold means the platform may be used by teenagers, and parental consent obligations are stated but rely on user self-reporting with no described verification mechanism, wh…
US residents in states with privacy laws have legally enforceable rights to know what data Pika holds about them, request its deletion, and opt out of certain uses, but these rights only apply if you…
The provision creates an internal escalation mechanism for consumer rights disputes, establishing procedural timelines and review standards that structure how the entity processes appeals. The requir…
If Pika's service is not intended for children, this section likely prohibits minors from using the platform and explains what happens if such data is collected, which is relevant for parents and gua…
Understanding when and to whom Pika shares your personal information is important for evaluating your privacy exposure, particularly if sensitive information such as your creative content or usage pa…
Automatic data collection means Pika may build a profile of your usage patterns, device characteristics, and behavior on the platform even beyond what you actively submit, which can affect how your d…
This process is your primary internal recourse if Pika rejects a privacy rights request, and knowing the 30-day deadline is critical because missing it may limit your options.
If you are in the EU or UK, you have strong legally enforceable data rights under GDPR, including the right to have your data deleted and to complain to a supervisory authority if you are unsatisfied…
The provision defines the legal boundaries within which Pika collects and processes user data in Canadian jurisdictions. It establishes procedural obligations for data handling, consent mechanisms, a…
The DPA defines Security Incidents broadly to include accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access to Customer Personal Data. Timely notificat…
This provision establishes specific enforceable rights for California residents under CCPA and CPRA, including the right to opt out of data sharing with advertising partners, and provides a direct co…
This provision establishes the legal bases Pinecone relies on to process European users' personal data under GDPR and UK GDPR, and identifies the data subject rights available, including the right to…
This provision authorizes disclosure of personal information to potential and actual acquirers, and separately acknowledges that in insolvency proceedings Pinecone may not be able to control how pers…
The provision authorizes unrestricted use and sharing of de-identified data derived from personal information, but does not describe the technical standards or organizational safeguards applied to ac…
This clause permits Pinecone to alter its technical and organizational security measures unilaterally, subject only to a non-material-diminishment constraint. Business customers relying on specific s…
The policy authorizes Pinecone to obtain personal data about individuals from data providers and marketing partners, meaning individuals may have personal data held by Pinecone without having directl…
Organizations using Pinecone's vector database services for their own applications should be aware that the protections and disclosures in this website privacy policy do not apply to any personal dat…
This clause establishes that data subjects seeking to exercise rights such as access, deletion, or correction under GDPR or CCPA must work through the business customer, not directly with Pinecone. B…
This clause reserves Pinecone's right to modify the DPA unilaterally, which may affect the data protection commitments business customers rely upon for their own regulatory compliance. The modificati…
This provision establishes Pinterest's stated COPPA compliance position; parents or guardians who discover a child under 13 has created an account should contact Pinterest to request account removal …
This provision operationalizes Pinterest's compliance obligations under the Children's Online Privacy Protection Act (COPPA) by establishing age-gating requirements and obligating the company to remo…
This provision states that user personal data is an asset that may be transferred to a new entity in a corporate transaction, and the receiving party may operate under different data practices than t…
Pinterest's policy states it collects financial information including payment card data when transactions occur on the platform, which means sensitive financial data is processed by Pinterest in addi…
The age requirement establishes a foundational eligibility criterion for service access and creates a compliance mechanism aligned with children's privacy regulations. The deletion obligation operati…
The policy states that data subject rights are available on a jurisdiction-dependent basis, meaning not all users have the same rights and the policy does not enumerate which rights apply in which ju…
The policy states that Pinterest builds inferred interest profiles using both on-platform and off-platform activity data, which means the data used to target you reflects a combination of your Pinter…
The policy states that personal data of non-US users is processed in the United States, which does not have a general federal privacy law equivalent to GDPR, and that transfers are protected through …
This provision operationalizes Pinterest's compliance with the Children's Online Privacy Protection Act (COPPA), which restricts data collection from users under 13 and requires parental consent for …
Given that Plaid handles highly sensitive financial data including account credentials and transaction histories for a large portion of the US fintech user base, the adequacy of its security practice…
CCPA and CPRA provide California residents with more specific and enforceable privacy rights than federal law currently requires, including an explicit opt-out of data sale or sharing that can limit …
This provision establishes the specific statutory privacy rights available to California residents under CCPA/CPRA in the context of Plaid's financial data collection and use activities, including th…
This provision establishes the legal framework and consumer rights applicable to EU and UK users whose financial data is processed by Plaid, including the lawful basis asserted for processing and the…
This provision establishes that disconnecting an application through a partner interface does not automatically result in deletion of financial data from Plaid's systems, and that consumers must take…
This provision operationalizes Plaid's legal obligations under California privacy law by defining the request processes, verification procedures, and response timelines for consumer privacy rights ex…
Users who believe they have ended their relationship with Plaid by disconnecting apps may not realize their transaction history and financial data remains stored, creating ongoing privacy exposure wi…
This provision establishes the primary operational mechanism through which consumers can exercise data rights, including revocation of financial account access and deletion requests, under both Plaid…
These rights are meaningful for EU, UK, and California users who have statutory entitlements to data access, portability, correction, and deletion, though the policy notes that some requests may be l…
EU, UK, and Swiss users have their data transferred to the US, a jurisdiction that historically has not met the EU's adequacy standard without specific frameworks; the policy's reference to both DPF …
This provision establishes PlanetScale's regulatory compliance framework for cross-border data transfers and specifies the enforcement mechanism that governs the company's obligations. It clarifies t…
Diversity information, which may include characteristics protected under federal or state law, is collected from job applicants and retained for recruitment statistics purposes; applicants should und…
EU, UK, and Swiss users have a formal mechanism to raise privacy disputes through VeraSafe's dispute resolution process and ultimately through binding arbitration if PlanetScale and VeraSafe cannot r…
Relying solely on a website date update for material privacy policy changes means users who do not proactively check the policy may miss significant changes to how their data is used or shared.
The policy relies on a reactive rather than proactive approach to COPPA compliance, stating that Poe will delete data upon discovery rather than describing age verification mechanisms that would prev…
The agreement states that users under 13 are not permitted and that teens between 13 and 18 require parental permission; these provisions have implications for COPPA compliance and the responsibiliti…
The deployment of third-party tracking technologies for advertising purposes may require prior consent under the EU ePrivacy Directive and GDPR for EU users, and may engage CPRA opt-out rights for Ca…
The policy discloses collection of message content alongside device identifiers and usage patterns, which together create a detailed profile of user behavior and communication that may be used for se…
The policy grants data rights on a jurisdiction-dependent basis, meaning the availability and scope of rights (such as GDPR erasure rights or CCPA deletion rights) depend on where the user lives; use…
There is no specific retention period stated in the policy, meaning Poshmark may retain your personal data for an extended and indefinite period, and some data may be kept even after you delete your …
This provision establishes Poshmark's compliance posture under the Children's Online Privacy Protection Act, but does not address the growing regulatory trend toward higher age thresholds or enhanced…
Users may not realize that their Poshmark activity, including photos they post and comments they make, is fully public and searchable online by default, which has implications for personal privacy be…
This provision gives California users a legally enforceable right to limit how their personal data is used for advertising across the internet, which can meaningfully reduce targeted advertising base…
This provision operationalizes statutory privacy rights by explicitly confirming Poshmark's obligations to honor California residents' data access, deletion, and opt-out requests, and establishes the…
For users in the EU, UK, and other jurisdictions with strict data transfer rules, relying on implied consent from platform use as the legal basis for international data transfers may not satisfy appl…
The clause operationally designates California-specific consumer protections as taking precedence over other agreement terms, and establishes a regulatory notification requirement that Poshmark must …
This cross-site tracking means your Poshmark browsing and purchase behavior can follow you across the web and influence what ads you see on unrelated platforms and websites.
The breadth of data collected means Poshmark has a detailed picture of your identity, financial habits, interests, and device, which is used for personalization, advertising, and sharing with third p…
Deleting your account does not guarantee the removal of your publicly posted content from the internet, which may include photos, personal descriptions, and transaction-related communications.
This disclosure establishes Progressive's acknowledgment of California residents' privacy rights as defined by state law. The provision functions as notice of statutory entitlements rather than as a …
Tracking technologies allow Progressive and its advertising partners to build a profile of your online behavior, which may be used for targeted advertising and analytics purposes beyond your direct i…
Social Security numbers and financial account details are among the most sensitive categories of personal data; their collection by an insurer creates material data breach and identity theft risk, an…
California residents have enforceable statutory rights to access and delete their personal data held by Progressive, rights that do not currently exist for most consumers in other US states, making t…
The age eligibility requirement is legally significant because investment accounts for minors typically require custodial account structures with specific regulatory requirements, and the terms creat…
The absence of specific retention periods for sensitive financial and identity data means Public may retain your SSN, trading history, and financial account information for an indeterminate period af…
California residents have enforceable rights under state law that go beyond what Public's general policy offers to all users, including the right to limit use of sensitive personal information such a…
The clause operationalizes Public.com's Regulation S-P compliance obligations by establishing the annual notice requirement and creating a procedural mechanism through which users may exercise opt-ou…
This is some of the most sensitive personal and financial data that exists, and its collection creates significant obligations for Public and meaningful risks for users if it is mishandled or exposed.
This provision operationalizes statutory obligations under California privacy law by explicitly acknowledging consumer rights and establishing a designated contact channel for their exercise. The cla…
This provision operationalizes California statutory privacy rights by confirming the company's obligation to honor consumer requests to restrict sales and sharing activities and by specifying the mec…
This automatic collection occurs whether or not you actively provide information, and the data gathered may be shared with advertising and analytics vendors, some of whom may use it for cross-site tr…
The provision operationalizes statutory privacy obligations applicable to California residents by explicitly recognizing CCPA/CPRA rights and establishing a defined process for rights requests. This …
Transferring personal data from the EU to the US requires specific legal mechanisms under GDPR, and users should understand their data may be processed under US law rather than their home country's p…
This provision establishes the data collection permissions applicable to platform users, including developers and API providers, covering usage telemetry, account identifiers, and API transaction met…
Behavioral tracking data shared with advertising partners can be used to build detailed profiles of users, and in the EU this type of tracking typically requires explicit opt-in consent under the ePr…
This clause establishes RapidAPI's recognition of GDPR-mandated data subject rights as operational requirements for EEA users. The provision clarifies that these statutory rights apply to the process…
California residents have stronger privacy rights than users in most other US states, including the right to stop RapidAPI from selling their personal information to third parties.
GDPR gives EU users meaningful control over their personal data, including the right to have it deleted entirely, which is a stronger protection than most US users receive by default.
This clause operationalizes statutory requirements under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) by explicitly acknowledging the specific rights California…
California's privacy laws provide some of the strongest consumer data rights in the United States, and Redfin is required to honor them; knowing these rights exist and how to exercise them is practic…
Geolocation data can reveal sensitive information about where you live, work, and spend time, and Redfin uses it both to personalize the service and for broader advertising and targeting purposes.
This means correcting your personal data in your account does not necessarily result in that original data being deleted from Redfin's systems, which may matter for users who have provided inaccurate…
This provision establishes a two-tiered age restriction: a hard prohibition on use by children under 13, consistent with COPPA requirements, and a general requirement of majority age or 18 years, whi…
Users who share personal details in forums or chat features expecting some level of privacy protection will find that Redfin explicitly excludes this content from its privacy framework.
This provision limits Replicate's liability exposure in the event of a data breach by framing security as 'reasonable' rather than absolute, which is standard industry language but does not define wh…
Data about you may be collected from sources beyond what you directly provide, potentially including professional profile databases or social media data aggregators, without a direct disclosure at th…
This provision places full liability for minors' use of the platform on parents rather than restricting minor access, which may not satisfy the intent of child protection laws like COPPA in the US or…
The retention period is not specified in concrete terms, meaning your data could be kept for an indefinite period under the broadly stated 'legitimate interests' justification, and residual backup co…
Material changes to how your data is collected or used could take effect without you receiving direct notification, placing the burden on you to monitor the policy periodically.
This designation has practical significance for California and other state residents because it asserts no opt-out rights for data sale or sharing are triggered, though the accuracy of the processor …
This provision discloses GDPR and UK GDPR rights for EEA and UK users, which are legally enforceable; the practical availability of these rights depends on whether Replit has established adequate dat…
This provision discloses specific enforceable rights for California residents, including the right to opt out of data sharing with advertising partners, which is a practically significant right given…
The policy authorizes sharing personal information with advertising and analytics partners, which under California's CPRA constitutes sharing of personal information and triggers opt-out rights for C…
This provision structures Replit's compliance with the Children's Online Privacy Protection Act (COPPA) by establishing age-based collection restrictions and a parental consent requirement for minors…
Given Replit's use as an educational coding platform, the adequacy of age verification and parental consent mechanisms is a material compliance consideration; the policy's reliance on self-reported a…
This provision authorizes Replit to use code, prompts, and other user-submitted content for AI model improvement, which may affect users who submit proprietary, sensitive, or commercially significant…
This provision establishes an age eligibility requirement aligned with the Children's Online Privacy Protection Act (COPPA), which restricts collection of data from children under 13 without parental…
The agreement restricts platform access for minors and places legal agreement responsibility on parents or guardians for users aged 13-17, which has implications for school and educational use of the…
This provision operationalizes legal obligations under CCPA and GDPR by establishing the specific mechanisms through which users can exercise statutory data subject rights. The clause clarifies that …
This provision operationalizes California Consumer Privacy Act (CCPA) requirements within Replit's privacy framework, establishing specific data subject rights that the company must accommodate upon …
Location and device data can reveal sensitive information about your daily habits, movements, and financial activity patterns, and this data is used in profiling and fraud detection processes.
Your immigration status can directly affect which Revolut features you can use. Users relying on Revolut for financial services should check whether their visa type qualifies for the features they ne…
Identity document data and biometric verification data are treated as special categories under UK GDPR, meaning stricter rules apply to how they are collected, stored, and used, and Revolut must have…
Understanding which legal entity controls your data matters because different entities are subject to different regulators and regulatory obligations, and your rights may vary depending on which Revo…
If you are a California resident, you have legally enforceable rights over your personal data held by Revolut, including the ability to request deletion and to opt out of sharing for advertising purp…
Credit checks and identity verification create data footprints with credit reference agencies that could affect your credit file and ability to access financial products elsewhere. The full scope of …
Minors are a protected class under multiple regulatory frameworks, and accounts for 16-17 year olds require specific terms that may limit services available. Parents and young people should review Sc…
Open Banking access gives Revolut visibility into your full financial picture across multiple institutions, which is more extensive than data collected solely from your Revolut account activity.
The clause establishes an operational framework for preference management, enabling users to control the scope of marketing communications directed to them without requiring service termination or ac…
Data about children is among the most sensitive and most strictly regulated categories of personal data, and parents should understand what information is collected about their children and how it is…
Your personal data may be processed in countries outside the UK with different levels of data protection, and the adequacy of the safeguards in place determines how well your data is protected intern…
The ability to delete your Ring account data, including stored videos, is a fundamental privacy right under laws like GDPR and CCPA, and Ring's stated commitment to user control implies these mechani…
End-to-end encryption provides substantially stronger privacy protection than default encryption because it prevents Ring, Amazon, and potentially law enforcement from accessing your video content wi…
Acceptance of updated privacy terms by continued use rather than explicit re-consent means that changes to data practices take effect without requiring your affirmative agreement, which is significan…
Data transferred internationally may be subject to different legal protections. The use of SCCs is a recognized GDPR transfer mechanism, but transfers to the US remain subject to ongoing legal scruti…
This provision is significant for parents because it establishes that a parent or guardian must agree to the terms for minors to use the services, and it triggers obligations under children's privacy…
Indefinite or open-ended retention tied to broad purposes like 'enforce our agreements' or 'resolve disputes' means data may be retained for longer than users might expect, and specific deletion time…
The provision operationalizes Riot Games' obligation to recognize and facilitate statutory data subject rights across multiple regulatory regimes, establishing the framework through which users may e…
Third-party tracking technologies enable external partners to collect data about your browsing behavior across sites, which is distinct from first-party data collection and may be harder to control i…
This provision operationalizes regulatory data subject rights under privacy regimes such as GDPR and CCPA by establishing a mechanism through which users can assert control over their personal data a…
The clause operationalizes statutory disclosure obligations under GLBA by explicitly notifying users of the scope of permissible third-party sharing and establishing the availability of opt-out mecha…
Collection of Social Security numbers and government-issued ID numbers alongside financial account numbers represents a concentration of data that, if improperly disclosed, could enable identity thef…
The provision establishes Robinhood's compliance obligation under GLBA to furnish transparent disclosure of information practices. It demarcates the scope of consumer control over data sharing by ref…
This clause acknowledges Robinhood's obligation to comply with California privacy statutes by recognizing resident rights to control personal information collection, use, disclosure, and deletion. Th…
These rights are enforceable under CCPA as amended by CPRA and give California residents meaningful control over a significant portion of the personal data Robinhood collects, though GLBA-covered fin…
The provision creates a procedural mechanism for Robinhood to satisfy California statutory privacy disclosure obligations by centralizing privacy-related documents in a designated disclosure library …
Collection of precise or approximate device location alongside browsing and search history enables behavioral profiling; under CPRA, geolocation data and certain device data may qualify as sensitive …
This provision implements Nevada's statutory privacy framework (NRS 603A.720) by creating a mechanism through which a defined user population can restrict a specific data practice. The operational si…
This provision limits the scope of CCPA rights available to California residents over a significant category of financial data Robinhood collects, including brokerage and account information covered …
The clause conditions the availability of state privacy rights on whether federal financial privacy laws govern the personal information at issue. This creates a jurisdictional framework in which Rob…
The Privacy Policy linked from this disclosure library governs what personal, financial, and behavioral data Robinhood collects from users across its platform, and the terms under which that data may…
The policy extends privacy rights disclosures beyond California to residents of six additional states, reflecting the expansion of state comprehensive privacy laws, though the specific rights and mec…
This clause establishes parental accountability as a condition of minor access to the platform. It extends the contractual obligations of the terms from the minor user to the parent or guardian, maki…
This provision implements compliance with children's privacy regulations by requiring parental authorization for underage users and creating an optional mechanism for parental oversight through accou…
The clause operationalizes Roblox's obligation to maintain data protection standards during cross-border transfers while specifying reliance on legal transfer mechanisms (such as Standard Contractual…
The policy asserts consent to cross-border data transfers as a basis for transferring data from jurisdictions such as the EU/EEA to the US; under GDPR, reliance on broad consent embedded in a terms o…
The policy authorizes the use of multiple tracking technologies including cookies, pixel tags, and local storage for both functional and advertising purposes; for EU/EEA and UK users, the use of non-…
The policy establishes a 45-day response window for deletion requests with an optional 45-day extension, which is relevant to both CCPA/CPRA (which sets a 45-day statutory response deadline) and GDPR…
The policy's combined privacy and cookie governance structure means that cookie consent mechanisms, opt-out rights, and tracking technology disclosures are addressed within a single document, which h…
The agreement incorporates the Privacy Policy by reference and states that use of the platform constitutes consent to data collection practices including device information, log data, usage data, and…
This provision establishes a two-year post-deletion retention period for persistent identifiers, which creates a materially longer data lifecycle than account deletion alone would suggest. Under GDPR…
The policy discloses a range of data subject rights applicable depending on user jurisdiction, including access, correction, deletion, portability, restriction, objection, and consent withdrawal; the…
The clause creates a reference mechanism that incorporates state-specific privacy obligations into Roblox's primary privacy policy, ensuring compliance with jurisdiction-specific requirements under s…
The clause establishes a contact-matching mechanism that links phone numbers to friend recommendations, requiring explicit user consent to activate but permitting continued use of the feature unless …
This provision establishes the limits of the data deletion right: even after requesting account deletion, certain data may be retained for legal or operational reasons, which users should be aware of…
The provision operationalizes jurisdictional privacy rights by establishing a formal mechanism for users to request data-related actions and specifying the channels through which Roblox will receive …
This provision consolidates the data rights available to users under GDPR, CCPA, and other applicable laws into a single framework and provides the mechanism for exercising them.
The appointment of Article 27 representatives and an Article 37 DPO reflects compliance with GDPR requirements for non-EU controllers processing EU personal data. The policy's multi-jurisdictional st…
This provision establishes a stated retention framework and specifies a two-year post-deletion retention window for persistent identifiers for safety and security purposes. The two-year post-deletion…
This provision authorizes collection of IP addresses and device identifiers from child users under the COPPA internal operations exception, which permits such collection without verifiable parental c…
Disclosure of practices for sharing information with authorities is relevant to government request transparency and user notice obligations under GDPR, which generally requires disclosure of lawful b…
This provision operationalizes COPPA's data minimization requirement for child users and establishes three specific remedial actions Roblox states it will take upon receiving excess personal informat…
This provision discloses that Roblox shares user information with law enforcement and government authorities, a practice with significant implications for user privacy and for compliance with legal p…
This provision establishes that payment and transaction data is collected and retained, and that virtual currency purchases are non-refundable by default, which has financial implications for users w…
This provision establishes that continued use of the platform after a policy update constitutes acceptance, which means users who do not actively review updates may be bound by new terms they have no…
This provision establishes a hard age threshold of 18 for personalized advertising participation, which the April 2026 update added clarifying language to address. This clause directly governs which …
CPRA grants California residents a statutory right to opt out of the sale and sharing of personal information for cross-context behavioral advertising; this provision establishes the mechanism by whi…
This provision establishes the procedural mechanism through which users may exercise deletion rights, which is a required operational disclosure under CCPA and CPRA for covered businesses, and create…
This provision operationalizes Rumble's CCPA and CPRA compliance obligations for California residents and establishes the procedural mechanism for exercising opt-out rights related to advertising dat…
This provision establishes Rumble's COPPA compliance posture through a prohibition and disclaimer structure rather than an affirmative age verification mechanism, placing responsibility for complianc…
These tracking technologies collect persistent identifiers linked to your device and browsing behavior, enabling both Rumble and its advertising partners to track your activity across sessions and we…
If you live in California, you have legally enforceable rights to access, correct, delete, and opt out of the sharing of your personal data, and Rumble is required to honor these requests within spec…
This provision establishes the foundational scope of data collection across Rumble's platform, covering both voluntarily provided data and behaviorally generated data such as viewing history and sear…
This provision establishes that all collected personal data is transferable to acquiring entities without requiring individual user consent beyond notification, which is a standard U.S. commercial pr…
Video platforms accessible to general audiences that collect data on users who may be under 13 without verifiable parental consent face significant regulatory exposure under COPPA, regardless of what…
This provision establishes Rumble's stated COPPA compliance posture; the adequacy of the platform's age verification or screening mechanisms to support this assertion is an operational compliance con…
Content you upload to Rumble, along with account details and payment information, is collected and retained by the company, potentially for uses beyond simply hosting your video.
The absence of a described technical age verification process means the platform relies primarily on self-attestation, which is the subject of ongoing regulatory scrutiny regarding COPPA compliance f…
This provision authorizes passive collection of IP addresses, browsing activity within the platform, and device identifiers, which are categories of personal data subject to GDPR and CCPA protections…
This provision creates enforceable CCPA obligations for California residents and requires RunPod to maintain operationally functional opt-out and deletion mechanisms, subject to enforcement by the Ca…
This provision establishes an open-ended, purpose-based retention standard without specifying retention schedules for individual data categories such as billing records, usage logs, or account identi…
This clause operationalizes RunPod's compliance obligations under EU data protection law by explicitly recognizing the statutory rights that apply to residents of these jurisdictions and establishing…
This provision establishes that RunPod asserts GDPR compliance obligations for EU/EEA users and commits to honoring the full range of GDPR data subject rights, which creates enforceable obligations u…
These third-party scripts can collect data about how you interact with the RunPod website and may share that data with Google and Intellimize, which are separate companies with their own data practic…
This provision permits transfer of user personal data to third parties as part of corporate transactions, including during the negotiation phase prior to transaction completion, which may occur witho…
The presence of region-specific consent scripts indicates that your cookie and tracking rights may differ depending on where you are located, with potentially stronger rights available to EU and Cali…
This provision establishes that personal data flows to multiple categories of third-party service providers, requiring RunPod to maintain data processing agreements with each and potentially triggeri…
This provision establishes Runway's COPPA compliance posture, relying on a 'not directed to children' standard. The policy does not describe any age verification mechanism, which is a common limitati…
The policy authorizes collection of the full scope of user-generated content including creative prompts and AI-generated outputs, along with associated metadata. For professional or enterprise users,…
The clause establishes the entity's recognition of multi-jurisdictional privacy law obligations and reserves users' statutory rights without modifying or limiting them through the agreement. This pro…
Employees using Runway with work email addresses may have their account information disclosed to their employer without a separate consent step, and enterprise account administrators are granted acce…
The agreement states users have no expectation of privacy regarding transmitted content, including chat and voice communications, which is relevant to how users assess what information they share thr…
Without access to the complete Children's Data section, the operational requirements regarding compliance with children's privacy regulations (such as COPPA in the United States) and any special hand…
The clause establishes a contractual precondition for service access and allocates responsibility for compliance verification to the user at the point of acceptance. It creates a parental consent req…
Legitimate interests is one of the broadest GDPR legal bases and is used here to cover analytics, service improvement, security, and fraud prevention. EU and UK users have the right to object to proc…
The clause establishes that Runway recognizes the applicability of multi-jurisdictional privacy regulations and commits to honoring rights conferred by those laws where they apply to users based on t…
For EU and UK users, international data transfers to the United States require a lawful transfer mechanism under GDPR Chapter V, such as Standard Contractual Clauses. The policy's reliance on user ac…
The clause operates as a contractual eligibility gate that conditions service access on age verification representations and parental consent for minors. This affects the entity's legal obligations r…
For EU, UK, and Swiss users, your data crossing borders to the US triggers specific legal protections. Salesforce's use of the DPF and SCCs is meant to provide those protections, but the legal landsc…
This provision serves a referential function within the terms of service, designating where users can access detailed privacy and data protection documentation. The operational significance lies in e…
The provision operationalizes Salesforce's compliance obligations under jurisdictional data protection frameworks by enumerating the mechanisms through which data subjects may exercise control over t…
Your personal data may follow you across the internet through advertising partnerships. The opt-out right is meaningful but requires you to actively submit a request.
The provision operationalizes user control over a specific category of data processing activity—advertising-related data sharing with non-Salesforce entities. It establishes that advertising data sha…
Consumers whose data is held in a company's Salesforce CRM cannot rely on this Privacy Statement for rights against Salesforce. They must look to the company that collected their data in the first pl…
This provision provides heightened protection for younger users, but the exact categories of disclosure requiring opt-in and the verification mechanism are not detailed in this summary document.
These rights are meaningful but are qualified by the phrase 'subject to local data protection laws,' meaning the rights you actually have depend on your jurisdiction. EU and California residents have…
Privacy documentation governs how Salesforce handles personal data belonging to customers, website visitors, and individuals whose data is processed through Salesforce products, which is directly rel…
This provision operationally constrains Salesforce's ability to render determinative decisions about users through automated systems alone. The restriction applies specifically to decisions with lega…
This provision signals that EU/EEA Salesforce customers have expanded data rights that Salesforce has acknowledged, and that the underlying customer agreements may have been updated to reflect these …
This clause establishes Salesforce's operational compliance framework with children's data protection requirements under regulations such as COPPA (Children's Online Privacy Protection Act). The prov…
The clause operationalizes EU Data Act compliance mechanisms, establishing procedural requirements for data access, portability, and customer control rights that affect how Salesforce manages and pro…
This provision establishes Samsung's COPPA compliance posture. The policy's statement that services are not directed to children under 13 does not address whether specific Samsung products, such as G…
Parents should be aware that Samsung's general services are not designed for children under 13, but Samsung devices are widely used by children and the policy does not describe specific technical con…
This provision addresses cross-border data transfers, which engage GDPR adequacy and standard contractual clause requirements for EU/EEA users and analogous frameworks in other jurisdictions. The pol…
Voice recordings collected in your home or on your device may be processed by Samsung or third-party service providers, creating a record of your spoken interactions that goes beyond typical text or …
Precise geolocation is classified as sensitive personal information under CCPA/CPRA and several other state privacy laws, triggering opt-in consent requirements in some jurisdictions and opt-out righ…
The breadth of data types collected across Samsung's device ecosystem means that users of multiple Samsung products may have significantly more personal data collected about them than users of a sing…
This provision describes the consumer rights framework applicable under CCPA/CPRA and analogous state laws. The non-discrimination right and the sensitive personal information limitation right are sp…
ACR technology creates a detailed record of your television viewing habits, including content from third-party services, which Samsung may use for advertising purposes and share with partners.
The provision establishes Samsung's operational obligation to provide consumers jurisdictional privacy rights and the procedural channels through which those rights are exercised. The availability of…
This provision establishes that EU/EEA visitors to twilio.com are covered by GDPR protections, and that Twilio asserts multiple legal bases for processing, including legitimate interests, which under…
This provision establishes that personal data collected on twilio.com is transmitted to multiple third-party vendors on page load via embedded scripts, creating data flows that require documented leg…
The consent management implementation creates an operational layer through which Segment's data processing practices are disclosed to users and user consent preferences are collected, stored, and ref…
This provision acknowledges specific statutory rights for California residents under state law, including opt-out rights for behavioral advertising data sharing, which are operationally distinct from…
This provision establishes that Segment is used to track page views, user interactions, and potentially identified user data on twilio.com, with cookies persisting for up to 90 days, and that the sco…
This provision establishes that California residents have specific statutory rights regarding personal data collected on twilio.com, and that Twilio discloses mechanisms for exercising those rights, …
This provision authorizes collection of behavioral and device-level data from all website visitors, including through third-party tools such as Google Tag Manager and Adobe Launch, which may transmit…
This provision acknowledges the applicability of GDPR and UK GDPR to EU and UK residents interacting with twilio.com, including the legal basis for processing and rights to object to certain uses of …
The OEST system establishes a persistent cross-session user identifier stored in both cookies and localStorage with a 400-day expiry, which is operationally relevant to how user identity is maintaine…
Privacy regulations including GDPR, CPRA, and FTC guidance require that privacy notices be presented in a clear, accessible format. A policy that is not readable or accessible to consumers may not sa…
Under CPRA regulations effective January 2023, businesses subject to California privacy law are required to treat a valid GPC signal as a consumer's opt-out of sale and sharing of personal informatio…
The deployment of seven or more advertising and analytics tracking integrations on the privacy notice page engages CCPA and CPRA definitions of sale and sharing of personal information with third par…
This provision indicates that Shein's consent management infrastructure is configured to recognize Global Privacy Control signals, which under the CPRA may constitute a valid opt-out of sale or shari…
The extended timeout period establishes the operational validity of cookie consent for one year before requiring reassessment, which affects how frequently users encounter consent renewal requests. T…
The clause establishes a technical mechanism for the platform to detect and respond to GPC browser signals, which function as standardized opt-out preferences for data sales and sharing. This configu…
This server-side synchronization of a browser identifier means Shein can associate your browsing activity with a server-side profile, potentially across sessions and devices, which is a form of persi…
Third-party tracking scripts can share your browsing behavior with advertising platforms without your explicit knowledge, and the timing of their activation relative to consent mechanisms is a key co…
GPC signal honoring is required for businesses covered by the California Privacy Rights Act, and whether detection translates to operational suppression of data sharing is a material compliance quest…
This persistent cross-session identifier enables Shein to link your browsing activity across multiple visits, which may constitute personal information under privacy laws and requires disclosure and,…
This provision operationalizes CCPA/CPRA disclosure and opt-out requirements by providing a documented pathway for users to exercise statutory rights to limit personal information processing. The dua…
This provision allocates data governance responsibilities by clarifying Shopify's role as a processor acting under merchant direction, establishing that merchants retain primary accountability for da…
The policy states that automated systems may be used to process personal data for fraud detection purposes, which involves algorithmic processing of transaction, behavioral, and identity data that ma…
The provision establishes Shopify's recognition of data subject rights across jurisdictions and creates a procedural framework through which users in regulated territories can exercise statutory priv…
This provision operationalizes CPRA statutory requirements within Shopify's privacy framework, establishing procedural rights that California residents may exercise to control personal information ha…
The clause operationalizes statutory privacy rights under CCPA/CPRA by explicitly acknowledging user entitlements to data access, correction, and deletion. This establishes the procedural framework t…
The provision operationalizes statutory data subject rights under applicable privacy regulations by establishing a documented process for individuals to retrieve, correct, or delete their personal in…
The policy states that Shopify collects purchase, identity, and behavioral data from buyers across all merchant storefronts on its platform, meaning a single consumer's data may be aggregated across …
The policy states that personal data may be transferred across borders to jurisdictions with different data protection standards, and identifies Standard Contractual Clauses as the primary transfer m…
The provision establishes Shopify's operational compliance framework with California privacy statutes by acknowledging specific statutory rights that California residents may exercise. This creates p…
The policy states that cookies and tracking technologies are used for preference retention, usage analytics, and advertising targeting, which involves persistent device-level data collection that may…
Even though Signal stores minimal data and cannot access message content, it can still be compelled to share the technical metadata it does hold (such as account registration information and technica…
The 13-year minimum aligns with US COPPA requirements, but the vague reference to higher minimums in other countries without specifying them or describing any verification mechanism may be insufficie…
Phone number registration ties your Signal identity to a real-world identifier, and contact discovery involves uploading hashed versions of your contacts' phone numbers to Signal's servers, which aff…
Geolocation data reveals your daily movements and home/away patterns, which combined with alarm system activity data creates a detailed behavioral profile tied to your physical residence.
The clause establishes SimpliSafe's compliance framework for California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) obligations, defining the operational scope of consumer pr…
Retention periods determine how long your home security footage, alarm history, and account data remain accessible to SimpliSafe and potentially to third parties including law enforcement, making thi…
As a home security company, SimpliSafe holds detailed records of who enters and exits your home, when alarms trigger, and potentially video footage of your residence, all of which could be subject to…
California law gives consumers meaningful control over their personal data, including the ability to delete it or stop it from being shared with advertisers, which is stronger than the rights availab…
Without the clause text, consumers and compliance teams cannot confirm what rights they hold, what data SimpliSafe may collect or share, or what dispute resolution mechanisms apply to their agreement.
This clause operationalizes regulatory obligations under data protection frameworks that require organizations to provide individuals with mechanisms to exercise statutory rights over their personal …
This provision establishes Skillshare's GDPR and UK GDPR compliance disclosure for EU and EEA and UK users, identifying the contact mechanism for exercising data subject rights; the phrase 'aims to t…
This provision establishes the platform's COPPA compliance framework, but parents or guardians who believe a child under 13 has used the platform should contact Skillshare directly to trigger deletio…
This provision establishes that personal data previously collected under Superpeer's privacy terms is now subject to Skillshare's policy, which may involve different data practices, sharing arrangeme…
This provision bundles consent to detailed behavioral surveillance into general policy acceptance rather than presenting it as a separate, specific choice, which limits users' ability to meaningfully…
This provision permits the transfer of your personal data to an entirely different company in a corporate transaction, with the only protection being a general consistency commitment rather than spec…
Legitimate interests is a flexible legal basis that does not require user consent, and its application to marketing and corporate transaction purposes may be subject to challenge under GDPR if the ba…
This provision operationalizes Skillshare's CCPA and CPRA compliance obligations for California residents, establishing the rights disclosure required by statute and indicating that an opt-out mechan…
Cross-border transfers of personal data to countries without equivalent data protection standards create potential risk that your data will be handled under a less protective legal framework than whe…
This practice means that Skillshare's data profile on you extends beyond what you directly provided or generated on the platform, incorporating external commercial data that you may not be aware of a…
Students may not expect that individual third-party teachers, who are independent creators rather than Skillshare employees, receive personally identifiable information including email addresses and …
The 18-year minimum age requirement, which is higher than the legal consent age for online services in many jurisdictions, affects a significant population of potential learners and creates complianc…
For EU, UK, and Swiss users, these transfer mechanisms are what legally permits your data to flow to Slack's U.S.-based infrastructure, and their validity is subject to ongoing legal developments at …
This provision establishes Slack's baseline data sharing practices under California privacy law and defines the scope of permitted third-party advertising partnerships. It specifies the technical mec…
The clause operationalizes compliance with statutory data subject rights frameworks by confirming Slack's recognition of these rights and establishing built-in mechanisms for users to manage their pe…
This provision operationalizes California statutory privacy rights within Slack's service terms by establishing a procedural mechanism for rights exercise. The clause ensures the agreement acknowledg…
The policy's authorization to use data for AI model training is relevant for users and enterprise customers who want to understand whether their interaction data or content contributes to AI developm…
These rights give users meaningful control over their personal data, but they are jurisdiction-dependent and subject to exceptions, meaning not every right applies to every user.
Cookies and tracking technologies enable Slack and third parties (potentially including advertising partners) to build behavioral profiles from your usage patterns, which affects your privacy beyond …
The CCPA opt-out right is a legally enforceable protection for California residents that limits how Slack can use personal data for commercial purposes beyond service delivery, including potential us…
This provision establishes the categories of personal data Smartsheet collects, which determines the scope of applicable data subject rights, retention obligations, and third-party sharing disclosure…
AI training on customer-submitted data is a growing area of regulatory scrutiny, and the scope of what data may be used and under what legal basis is not fully specified in the notice, creating ambig…
This provision establishes the categories of third parties with whom personal data may be shared, which is directly relevant to CCPA opt-out rights, GDPR legitimate interests assessments, and the sco…
Many employees who use Smartsheet at work assume they can ask Smartsheet to delete or access their data, but this clause means Smartsheet may redirect those requests to the employer, potentially limi…
This provision establishes the data subject rights framework applicable to EU, UK, and California users, determining the procedural mechanisms and timelines through which users may exercise rights un…
California's CCPA and CPRA provide among the strongest consumer data rights in the US, and Smartsheet's explicit acknowledgment of these rights means California residents have enforceable mechanisms …
Data transferred to the US is subject to US surveillance laws and may not receive the same legal protections as in the EU or UK, making the adequacy of transfer mechanisms a material compliance quest…
This provision governs the collection of device identifiers and browsing activity through cookies and tracking technologies, determining which data flows are subject to prior consent and which are ma…
The provision acknowledges Smartsheet's operational obligations to honor California residents' statutory privacy rights by establishing the scope of consumer requests the company must process and the…
These rights are enforceable under GDPR and UK GDPR, and Smartsheet's acknowledgment of them means EEA and UK users have formal legal mechanisms to challenge or limit data processing, including the r…
Open-ended retention criteria mean personal data may be kept for extended periods, and users cannot easily predict when their data will be deleted without submitting a specific deletion request.
The retention of account information after deletion and the indefinite retention of reported or legally required content means that deleting your account does not immediately or completely remove you…
The provision establishes operational mechanisms that enable users to exercise data management and account control functions, establishing Snapchat's procedural compliance with user data access and d…
The provision operationalizes GDPR and CCPA compliance by establishing the procedural mechanisms through which users can exercise statutory data rights and clarifies the responsible entity for data c…
The provision establishes age-based compliance obligations under children's privacy regulations and structures differential privacy controls based on user age classification. This framework governs w…
The scope of your privacy rights depends significantly on where you live, with EU and UK users having the strongest protections under GDPR and UK GDPR, followed by California residents under CCPA/CPR…
Age restrictions are central to Snapchat's compliance with COPPA in the US and similar children's privacy laws globally, and the adequacy of Snap's age verification mechanisms has been a subject of r…
Behavioral profiling using both first-party usage data and third-party advertising partner data can create inferences about sensitive attributes such as health, political views, or finances, even whe…
Contact syncing collects personal data about third parties who have not agreed to Snapchat's terms, raising privacy concerns for non-users whose information is uploaded without their knowledge.
The terms authorize Snowflake to collect behavioral and interaction data from all platform users for internal product development purposes, which is a permitted use that operates without requiring se…
The existence of regional document variants means that the specific terms governing a customer's relationship with Snowflake may differ based on their geographic location, and customers should confir…
The privacy policy accessible from this hub is the primary document disclosing Snowflake's data collection and processing practices; its specific terms determine what personal data is collected, how …
The existence of a referenced AI governance framework is relevant to customers using Snowflake's AI or machine learning features, as it may define how AI outputs, data used for model training, and re…
This provision establishes that data collection, use, and sharing practices are governed by a separately published Privacy Policy that is legally incorporated into the Terms of Use, meaning the full …
The clause establishes a technical architecture where access to privacy option controls is contingent upon session authentication state, which affects how the service delivers privacy management func…
As a financial services entity offering banking, lending, and investment products, the scope of data collection authorized across these product lines engages both GLBA nonpublic personal information …
The breadth of data collection spans both sensitive financial information regulated under GLBA and behavioral and device data used for advertising purposes, which carries distinct consumer rights and…
Because SoFi operates across banking, lending, and investment services, it collects a wide range of financial and personal data; the incorporation of a separate Privacy Policy by reference means user…
This provision documents the operational mechanism through which SoFi provides California residents and other users with the ability to opt out of sale and sharing of personal information, consistent…
This routing mechanism creates two distinct technical pathways for privacy preference management, which compliance teams should verify produce equivalent opt-out outcomes and that both pathways propa…
The policy provides California residents with a mechanism to opt out of the sharing of their personal information for cross-context behavioral advertising and to exercise other CCPA/CPRA data subject…
GLBA requires SoFi to give customers the right to opt out of sharing their nonpublic personal financial information with non-affiliated third parties for certain purposes, and joint marketing arrange…
The provision operationalizes Sony's legal obligations under California privacy law by defining the consent mechanisms for minor data sales (affirmative opt-in for ages 13-16, parental consent for un…
This provision establishes that parents or legal guardians bear contractual liability for child users' actions on PlayStation Services. The agreement also references Child Account functionality and p…
This tracking infrastructure supports targeted advertising, and under CPRA, sharing personal information with advertising partners for cross-context behavioral advertising constitutes 'sharing' that …
The scope of automatic collection is broad, covering behavioral and location data even when you are not connected online, and includes granular in-game actions, which goes beyond what many users expe…
Recording of voice communications may interact with state wiretapping and electronic communications consent laws, particularly in two-party consent states such as California, where all parties to a c…
This provision authorizes collection of detailed behavioral data tied to a persistent user identifier, which may allow reconstruction of individual usage patterns over time even if the identifier is …
This provision establishes the legal bases Sourcegraph relies on under GDPR, which determines what rights you have and under what circumstances you can object to or request deletion of your data.
This provision establishes that third-party LLM providers do not retain Customer Content, which is a material data protection commitment for enterprise users whose proprietary code is transmitted to …
This provision directly addresses a common concern with AI coding tools: whether proprietary code submitted to the service is used to improve models available to other users. The terms state this doe…
Non-enterprise Sourcegraph.com users are subject to broader data collection than enterprise users: their User Prompts, LLM Prompts, and Responses are collected for product improvement purposes, where…
This provision establishes that the consumer-facing privacy protections in this policy do not apply to data processed under enterprise agreements, meaning individual users in organizational deploymen…
This provision authorizes automated access to user files and connected codebases for advertising purposes, which is operationally distinct from standard developer tool privacy practices and may be re…
This provision authorizes Spotify and its named business partners to use device hardware resources, including processor, bandwidth, and storage, beyond what is strictly necessary to play audio, which…
The provision creates a tiered access structure based on age categories and establishes that Spotify does not knowingly collect personal data from children below the Age Limit outside of Managed Acco…
Tailored advertising is described as using information about your service use and activity on other websites and apps to serve interest-based ads; this is characterized as 'sharing' under cross-conte…
The exceptions to deletion requests mirror categories recognized under CCPA/CPRA but are stated broadly, particularly the 'overriding interest' and 'unresolved account issue' carve-outs, which could …
The collection of AI interaction prompts and transcripts means that the content of your conversations with Spotify's AI features is stored as personal data, which may be used for service improvement,…
The provision establishes the operational basis for cross-context behavioral advertising as a standard data practice. It defines the scope of information use and specifies the control mechanisms avai…
The provision creates a mechanism for users to communicate privacy preferences at the browser level rather than through account settings, while establishing that the effectiveness of such signals is …
The provision creates a contractual gatekeeping mechanism that conditions service access on age verification and, for minors, parental consent documentation. It establishes the primary account holder…
The terms permit users as young as 13 to access the service with parental consent, which engages COPPA obligations regarding data collection from users under 13 and creates parental responsibility fo…
The age-based restriction on the main service and the automatic transition to tailored advertising at an age threshold raise COPPA compliance considerations and require that Spotify's age verificatio…
The clause operationalizes data deletion rights by defining the boundaries of those rights through enumerated retention exceptions. This establishes the conditions under which Spotify's obligation to…
The breadth of Usage Data collected, including behavioral inferences, feeds both personalization and advertising functions and represents the primary data set shared with third-party advertising and …
Audio recordings of the voice may constitute biometric data under some state laws, and voice data collection is subject to heightened consent and retention requirements in Illinois and other states w…
The provision operationalizes age-based differential treatment of advertising data practices, implementing a transition mechanism from restricted to standard advertising targeting when users age into…
GDPR provides some of the strongest personal data protections in the world, and EU and UK users have enforceable rights against Square that go beyond what is available to users in most other jurisdic…
This clause operationalizes Square's compliance with mandatory data protection obligations under EU and UK law by documenting the statutory rights available to a defined user population and the mecha…
The provision operationalizes Square's legal obligations under California's consumer privacy statutes by explicitly acknowledging and describing the specific consumer rights that California residents…
This provision establishes Square's operational posture regarding minor user data collection and establishes a data deletion obligation upon discovery of underage user information. The clause reflect…
This provision establishes the operational framework through which California residents can exercise statutory privacy rights under the CCPA/CPRA. It defines the scope of individual rights available …
Automatic collection of behavioral data across third-party websites enables cross-site tracking and profiling, which is the foundation for targeted advertising and may engage stricter consent require…
These rights are backed by California law and are enforceable against Square; exercising them can materially limit how your personal information is used for advertising and profiling purposes.
Cross-site behavioral tracking for advertising purposes affects your online privacy beyond the Squarespace platform itself, and the opt-out mechanism may not fully prevent all tracking depending on t…
This provision implements California Consumer Privacy Act (CCPA) statutory rights and establishes the procedural mechanism through which California residents may initiate requests for access, deletio…
Automatic collection of IP address, browser, and behavioral data through third-party cookies enables cross-site tracking for advertising purposes, which may occur without active user awareness unless…
A change in ownership could result in your personal data being controlled by a different company with different privacy practices, and you may not have advance notice or a meaningful ability to preve…
This distinction determines who is legally responsible for protecting your data and who you can contact to exercise rights like deletion or access, which may not be obvious when visiting a Squarespac…
EU and UK users' personal data is subject to US legal frameworks once transferred, and the adequacy of standard contractual clauses as a transfer mechanism has been subject to legal challenge and reg…
The litigation hold carve-out means Squarespace may retain your data beyond the period you would expect or request deletion, and the retention periods are not specified with defined timeframes.
Cross-border data transfers from the EU or UK to countries without an adequacy decision require specific legal safeguards under GDPR and UK GDPR, and the policy's general disclosure does not specify …
The policy acknowledges jurisdiction-specific data rights for EU, UK, and California users, and provides a contact mechanism (privacy@stability.ai) for exercising these rights, which is an important …
This provision incorporates the Privacy Policy by reference, meaning users consent to data practices described in a separate document, which creates a compliance dependency on the Privacy Policy's co…
This provision operationalizes jurisdictional data protection requirements by establishing a request mechanism through which users can exercise legally-recognized data subject rights. The clause crea…
The clause creates a procedural framework for Stability AI to respond to annual disclosure requests from California residents, establishing the scope and frequency of information the entity must prov…
The retention standard is tied to broadly stated purposes rather than specific time periods, which means the duration of data retention may vary and is not fixed to a defined schedule visible to user…
The use of cookies and tracking for advertising purposes may require affirmative consent under GDPR and the UK PECR, and users should be aware that browsing activity, device identifiers, and IP addre…
Third-party tracking technologies place data in the hands of advertising partners who may use it independently of Starbucks, and the use of these tools for targeted advertising is one mechanism throu…
The explicit acknowledgment of profiling that infers psychological trends, predispositions, and aptitudes from retail purchase data is notably broad and represents one of the more expansive profiling…
The Rewards program creates a persistent, longitudinal record of your consumer behavior that is directly linked to your identity, making it one of the most data-rich components of the Starbucks custo…
Voice and audio data is a biometric-adjacent category of information that carries heightened sensitivity, and the notice's framing of implied consent through the act of calling may not satisfy explic…
Precise geolocation data is classified as sensitive personal information under California law and several other state statutes, meaning its collection and use carry heightened legal obligations and g…
The clause operationalizes California Consumer Privacy Act (CCPA) statutory obligations by designating specific submission channels and confirming Starbucks' requirement to honor data subject request…
This carve-out is broad: if Stash's anonymization process is incomplete or reversible, data that the company treats as outside the policy's protections could still be linked back to you, and you woul…
The provision operationalizes statutory data access rights by requiring the entity to respond to verified consumer requests for personal information disclosure in specified formats. This establishes …
Several US states have enacted or are implementing universal opt-out signal requirements that go beyond the legacy Do Not Track standard; Stash's policy of not responding to browser-level signals may…
Selfie photographs used for identity verification may involve facial recognition or biometric processing, which in states like Illinois is subject to specific legal requirements including consent and…
The GLBA Privacy Notice contains legally required disclosures about financial data sharing with nonaffiliated third parties and your right to opt out of certain sharing arrangements that are separate…
Geolocation data collected through a financial app can reveal sensitive patterns about your daily life, routine, and physical location, and its sharing with third-party analytics vendors may extend b…
These rights give California residents meaningful control over sensitive financial data held by Stash, including the ability to request deletion of Social Security numbers, bank credentials, and tran…
The scope of account deletion is narrower than consumers may expect: deleting your mobile app account does not erase your personal data from State Farm's systems, and the business purpose retention b…
Several state privacy laws now require businesses to honor browser-based opt-out signals such as the Global Privacy Control; State Farm's stated non-support for these signals may create compliance ex…
Precise location data is classified as sensitive personal information under several state privacy laws and may be used to influence insurance underwriting and pricing; the policy directs consumers to…
Tracking technologies extend beyond basic cookies to include ad tags and device identifiers, enabling cross-context behavioral tracking that may be used for marketing purposes in addition to operatio…
Parents and guardians should be aware that if a child under 13 creates an account without Valve's knowledge, Valve's terms do not authorize that account and any personal data collected may need to be…
This provision establishes the regulatory baseline for Valve's data handling practices across major privacy regimes. By stating compliance with CCPA, GDPR, and UK GDPR, the clause anchors the privacy…
Full credit card details are processed by Valve before transmission to payment service providers, meaning Valve is an intermediary in the payment data flow rather than relying solely on direct proces…
Game statistics and device identifiers are persistent data that build a detailed profile of your gaming behavior over time, and this data may be shared with third-party developers as described elsewh…
The clause operationalizes Steam's compliance obligation under GDPR and CCPA by explicitly identifying the specific data subject rights the entity recognizes. This establishes the legal framework gov…
Exercising your right to access or delete your data gives you visibility into and some control over the personal information Valve holds and shares about you across the platform.
Without specific retention periods defined for different data types, users cannot easily predict when their personal information, including sensitive data like government IDs, will be deleted.
While COPPA compliance is addressed for under-13 users, the policy's handling of teen users between 13 and 17 who may be buying or selling on the platform is less clearly specified, which matters giv…
This right is one of the most meaningful controls available to US consumers over how their personal data is used for advertising, and exercising it can significantly reduce cross-platform behavioral …
GDPR rights are among the strongest data protection entitlements in the world and EU/UK users who exercise them can obtain meaningful visibility into and control over their personal data held by Stoc…
This provision affects younger users who may be active in sneaker or collectibles markets, as the terms attempt to hold parents or guardians responsible for transactions conducted by minors on the pl…
These tracking technologies feed data into the advertising systems used by StockX and its partners, forming the technical foundation for behavioral profiling and targeted advertising across the web.
EU and UK users' data is processed in the United States, which is subject to US surveillance laws; Standard Contractual Clauses are the primary transfer mechanism but their adequacy has been conteste…
Depending on your state of residence, you may have specific legal rights to access, delete, correct, or limit the use of your personal data, including health data, that go beyond what Strava's genera…
This provision establishes the baseline visibility configuration for user-generated content, requiring users to affirmatively adjust privacy settings to restrict visibility beyond the default public …
This clause authorizes use of sensitive data categories including health metrics and precise location for AI development, which is a broad permission that goes beyond basic service delivery and may n…
Precise location data is among the most sensitive personal data categories because it can reveal your home address, workplace, daily patterns, and movements over time.
Personal information shared with advertising partners for interest-based advertising can include behavioral and demographic data, and once shared with third parties the data is subject to those partn…
Parents who allow children to use Strava are agreeing to be personally liable for any terms violations, including potential financial obligations, and Strava collects fitness and location data on tho…
Even aggregated or deidentified GPS data, particularly from users who regularly follow distinct routes, can in some cases be re-identified or used to infer sensitive location patterns; this feature h…
Ongoing access to your contact list means Strava collects and stores information about people who have never signed up for Strava and who have not consented to having their data processed by the serv…
This commitment offers meaningful protection for sensitive health metrics like heart rate and VO2max collected from wearables, but the carve-out for 'specific purposes described in this Policy' means…
The clause establishes the scope of Stripe's data collection and use rights across its service offerings. It establishes conditions for merchants handling customer personal data, requiring execution …
This provision establishes that Stripe processes personal data of individuals who interact with merchant websites powered by Stripe technology, even absent a direct account relationship, which create…
This provision permits Stripe to share personal and financial data across its broader merchant ecosystem for fraud prevention purposes, which implicates data minimization and purpose limitation requi…
This provision permits disclosure of behavioral and transactional data to third-party advertising and analytics services, which engages CCPA opt-out rights for sale or sharing of personal information…
Reliance on legitimate interests as a processing basis under GDPR requires a balancing test against data subject rights and interests; the policy directs users to the Privacy Center for specifics, me…
This provision establishes the framework within which Stripe's data processing practices operate, defining the scope of individual rights available under the terms. The specification of objection rig…
This clause operationalizes compliance with data subject rights frameworks in jurisdictions with privacy regulations (such as GDPR, CCPA, and similar regimes). It establishes Stripe's recognition of …
The policy's collection scope covers individuals who interact with Stripe only indirectly through merchant checkouts, meaning many consumers may not be aware that Stripe is collecting their device an…
Payment processors handling financial transaction data are commonly subject to law enforcement requests including subpoenas, court orders, and regulatory demands, and the policy's disclosure of gover…
The designation of Stripe's role as controller or processor determines the scope of Stripe's obligations and legal responsibilities under data protection regulations, particularly GDPR and similar fr…
This provision establishes the legal mechanisms Stripe relies upon for cross-border data transfers, which are subject to ongoing regulatory review and potential challenge; organizations processing EU…
International data transfers are subject to legal requirements in the EU, UK, and other jurisdictions, and the adequacy of Stripe's transfer mechanisms directly affects whether EU and UK user data is…
The policy confirms that consumers have rights to access, correct, delete, and object to processing of their personal data, with the mechanism for exercising those rights provided through Stripe's Pr…
The clause establishes the framework through which data subjects can exercise statutory rights under privacy regulations. It outlines Stripe's obligation to respond to requests for access, deletion, …
The clause conditions data subject rights on jurisdictional applicability, meaning the availability and scope of these rights depends on the user's location and governing legal framework. The operati…
This provision discloses data collection about non-Substack users through address book syncing, which may occur without the knowledge of the individuals whose contact information is collected. The po…
Even if you have never created a Substack account, your contact details could be collected and stored if someone who has your contact information syncs their phone or address book with Substack's app.
This provision establishes a data controller boundary that places responsibility for subscriber data governance on individual Creators when Substack acts as a processor on their behalf. The practical…
This provision establishes that direct message content is accessible to Substack personnel under defined operational circumstances and is subject to automated scanning, which is a material disclosure…
This provision establishes the legal mechanism Substack relies on for transferring personal data from the EU, UK, and Switzerland to the US. DPF certification is subject to FTC enforcement, and the p…
The 'as otherwise necessary to provide our services' language is a broad catch-all that extends staff access to direct message contents beyond specific safety or legal scenarios, which may not align …
The minimum age threshold of 16 is higher than COPPA's 13-year statutory minimum, which means Substack has adopted a stricter standard that also captures 13 to 15-year-olds who might otherwise legall…
This configuration determines whether advertising identifiers and behavioral analytics are collected from your device before you interact with any consent prompt, and the default-granted posture for …
If minors under 13 access the platform, COPPA requires parental consent for data collection; parents of teen users aged 13-17 should be aware that their children's creative prompts and activity data …
The provision's operational significance lies in establishing Suno's compliance framework for CCPA requirements, which mandate specific consumer access, deletion, and opt-out rights. This establishes…
Each of these third-party scripts transmits data about your visit to separate companies (Microsoft, ByteDance/TikTok, Meta, Twitter), not just to Suno, and this occurs under the default-granted conse…
California residents hold meaningful statutory rights over their personal data held by Suno, including the ability to request access to specific data categories collected and to seek deletion, which …
Chat-based prompts may reveal personal preferences, creative intent, or sensitive information, and this data is not only used to generate music but is also linked to your broader user profile and may…
EEA users can object to processing carried out under legitimate interests, including potentially Suno's use of their Content and prompts for AI model training, which gives these users more control ov…
This provision establishes a two-tier consent architecture that applies denied-by-default consent for regulated regions and granted-by-default consent for all other users. The presence of multiple th…
Third-party advertising cookies result in your browsing activity being shared with external providers like Google, which may use that data under their own privacy policies; this practice also engages…
These restrictions are legally required under U.S. federal law for platforms collecting data from children, and failing to comply could expose both minors and Suno to legal consequences.
The absence of visible age restriction disclosures in the provided document source creates a COPPA compliance consideration if users under 13 access the platform, given the presence of advertising tr…
The explicit inclusion of AI tool inputs and outputs as stored User Content means that any personal data you share with Supabase's AI assistant is retained by Supabase, which users may not fully anti…
This provision acknowledges that cross-border data transfers may involve jurisdictions with lower data protection standards, a disclosure that directly implicates GDPR Chapter V transfer requirements…
The provision establishes a procedural framework for California residents to exercise statutory disclosure rights under state privacy law while clarifying that Supabase employs tracking mechanisms fo…
This provision establishes an opt-out mechanism for advertising and tracking data uses for California residents, and discloses that tracking tools are used for personalized advertising purposes, a da…
For users in the EU, UK, and other jurisdictions with strong data protection laws, international transfers require specific legal safeguards; this provision acknowledges the transfer risk but does no…
This provision establishes that Supabase maintains a separate GDPR-aligned disclosure framework for European users, including lawful bases documentation and data subject rights procedures, which are …
Tracking for personalized advertising means that your browsing behavior on and potentially off the Supabase site may be used to target you with ads, which is a broader use than many developer-focused…
This provision establishes that end users of applications built on Supabase are not covered by this privacy notice, placing the primary disclosure obligation on the Supabase customer (the application…
This provision establishes that AI support tool interaction data, including both user prompts and system-generated responses, is retained as part of the Service's data collection. This creates a data…
This provision authorizes data combination from multiple external sources including marketing partners, which may result in a more comprehensive profile of users than data collected directly from the…
Knowing how long Supabase retains your personal data and what security protections are in place is important for assessing your ongoing privacy exposure after you stop using the service.
The clause operationalizes compliance with data subject rights under data protection regulations by creating a defined submission channel (privacy@synthesia.io) and establishing response timelines th…
International data transfers are a key area of GDPR enforcement and EU users should be aware that their data may be processed in countries with different privacy standards, though Synthesia asserts i…
The specific obligations, data subject rights, sub-processor disclosures, and security measures that protect your personal data under GDPR are governed by the DPA, which is not reproduced in the main…
Knowing how to exercise your data rights is practically important, especially if you have uploaded personal likeness or voice data, since deletion of avatar data may require a specific request.
The distinction between controller and processor determines who is ultimately responsible for your data rights; if you are an employee or end user of a business that uses Synthesia, your data rights …
Open-ended retention language tied to business necessity can mean data is kept for extended periods; users who close their accounts should confirm deletion of sensitive data including avatar likeness…
Interest-based advertising cookies involve sharing your behavioral data with third-party advertising networks, which represents a form of data sharing that may constitute a sale or sharing under CCPA…
Data sharing with third-party service providers and in the context of corporate transactions means your personal data, including potentially avatar data, could be transferred to new entities with dif…
CPNI includes sensitive call detail records and location-adjacent usage data; without opting out, this data can be used to market additional services to you across T-Mobile's family of companies.
This provision operationalizes T-Mobile's obligations under privacy laws in jurisdictions that establish consumer data access, deletion, and correction rights. The clause establishes the procedural m…
T-Mobile offers family plans and devices that minors actively use, creating a practical tension between this policy commitment and the reality of minors accessing services through family accounts.
CPNI is a federally protected category of information that carriers are generally prohibited from sharing with outside companies without your consent; however, the policy asserts T-Mobile can use it …
The provision establishes procedural mechanisms for users to exercise data access and correction rights, while carving out exceptions for data T-Mobile determines necessary for operational, security,…
Open-ended retention language tied to 'business needs' and 'legal obligations' without specific retention periods means consumers have limited visibility into how long sensitive data such as location…
The inclusion of 'when we believe' disclosure is necessary to protect rights or safety, in addition to legally compelled disclosures, gives T-Mobile discretion to share data with government entities …
These rights are legally enforceable under California law and give California residents meaningful control over their data, including the ability to request deletion and stop data sharing for adverti…
The policy authorizes use of tracking technologies including pixel tags for advertising purposes, and states that consent will be obtained where required by law, meaning the default experience may in…
The policy acknowledges and provides a contact mechanism for exercising rights under GDPR, CCPA, CPRA, and related frameworks, which is directly actionable for users who wish to access or delete thei…
The policy states that data may be transferred internationally and that standard contractual clauses or equivalent mechanisms are used, but does not specify which mechanisms apply to which transfer r…
The absence of specific retention periods for categories such as code snippet data, telemetry, and account information means users and enterprise customers cannot determine from the policy alone when…
This provision establishes the legal transfer mechanism for cross-border data flows from the EU/EEA, which is a requirement under GDPR Chapter V. Enterprise customers should confirm that executed SCC…
This clause discloses that Tabnine collects telemetry data including code completion statistics and plugin interaction data, which may include metadata about code patterns and development activity; u…
The policy discloses collection of a broad range of identifiers and behavioral data in addition to account information, which is relevant for users assessing their data footprint with the service.
This provision establishes that telemetry data is collected by default from plugin users. For enterprise deployments, the scope of telemetry collection and the ability to disable it at an organizatio…
This provision describes the opt-out mechanism available to California residents under CCPA as amended by CPRA. The operational availability and functionality of the designated opt-out link is a comp…
This clause establishes Tabnine's obligation to honor California statutory privacy rights as codified in state law. The provision clarifies that CCPA/CPRA protections apply to the service agreement a…
The policy relies on legitimate interests as a lawful basis for product improvement, analytics, and marketing processing, which means consent is not sought for these activities; EU users retain the r…
Recognition of GPC signals as valid opt-out requests is required under CPRA regulations for businesses subject to CCPA/CPRA; this provision creates an operational obligation to implement technical GP…
The clause establishes Target's operational obligation to honor California statutory privacy rights and creates defined mechanisms through which California residents can exercise control over their p…
This provision confirms that consumers in covered states have a legally enforceable right to opt out of a significant portion of Target's data sharing for advertising purposes, and it provides a clea…
This provision operationalizes Target's compliance with the Children's Online Privacy Protection Act (COPPA), which establishes obligations for entities collecting information from minors under 13. T…
Incorporation by reference means users' data handling obligations and rights are governed not only by the standalone Terms and Conditions document but also by the terms stated in Target's Privacy Pol…
California's CCPA gives residents legally enforceable rights to access, delete, and opt out of the sale of their personal data; Target's platform infrastructure includes CCPA-specific API endpoints s…
The clause establishes that Target's terms incorporate CCPA compliance obligations and makes the Privacy Policy the operative document governing how California residents' data rights are defined and …
Precise geolocation is classified as sensitive personal information under CPRA and analogous state statutes, requiring that consumers be provided with the right to limit its use and disclosure; this …
This provision establishes Target's stated COPPA compliance posture, asserting that the platform does not knowingly collect data from children under 13 and will delete such data upon discovery. The o…
This provision establishes Target's stated COPPA compliance posture; the 'not knowingly' standard is the operative COPPA threshold, and the absence of a described age verification or parental consent…
Inferences drawn to create consumer profiles are a specifically enumerated category under CCPA/CPRA and analogous state statutes, subject to access rights, deletion rights, and in some contexts corre…
Open-ended retention language means Target does not commit to deleting your data after a fixed period, which has practical implications for the scope of data available for advertising, legal discover…
This provision establishes Target's stated compliance posture under CCPA/CPRA and analogous multi-state privacy frameworks; it creates operational obligations including response timelines, non-discri…
Loyalty program participation generates detailed transaction-level data about your purchasing behavior, which Target uses for advertising in addition to the stated benefits of personalized offers and…
The provision creates an opt-out framework rather than an opt-in requirement, meaning promotional communications are sent by default unless customers take action to decline them. The operational sign…
This provision establishes that the platform collects precise geographic coordinates in addition to approximate location data, which constitutes sensitive personal information under CCPA and may requ…
This acknowledgment confirms that advertising-related data flows may constitute a sale under CCPA, which gives California residents a legally enforceable right to stop that data sharing, and signals …
The clause establishes procedural mechanisms for data subject rights, enabling users to review, modify, and request removal of personal information from TaskRabbit's systems in accordance with data a…
This provision establishes the operational framework for data subject deletion requests under privacy regulations. The carve-out for legally-required retention clarifies that TaskRabbit's deletion ob…
Framing cross-border data transfer consent as implied by accepting the privacy policy rather than through a separate, affirmative consent mechanism may not meet the standard for meaningful consent re…
Identity verification requirements for data rights requests are standard but the policy does not specify what information is required or what standards apply, which could result in requests being den…
The retention provision does not specify defined retention periods for any category of personal information, relying instead on general necessity language, which may require evaluation against GDPR d…
This provision frames Canadian user consent to cross-border data transfer as implicit in accepting the privacy policy, which may require evaluation against Canadian privacy legislation governing cros…
This provision discloses that advertising data sharing may meet the CCPA definition of sale and establishes an operative opt-out right for California residents, while simultaneously asserting that th…
This provision establishes a broad discretionary disclosure basis that extends beyond law enforcement requests and legal obligations, authorizing disclosure based on the company's own assessment of i…
This provision establishes a basis for personal information disclosure to third-party advertising entities without identifying those entities by name, which may require evaluation against GDPR Articl…
Healthcare website visitors, including those seeking mental health or chronic condition care, may have their browsing behavior tracked by multiple third-party platforms, which raises data sensitivity…
This provision establishes a jurisdiction-specific age gating requirement for EU, UK, and Australian users that goes beyond many platform age minimums, which are typically set at 13 or 16, and engage…
This provision establishes that cloud chat content is retained by Telegram in a form that Telegram controls, meaning it is technically accessible to Telegram and potentially subject to compelled lega…
IP address and device history can be used to identify and locate users; a 12-month retention window means this data may be available for disclosure to law enforcement or in legal proceedings for a si…
This provision establishes that user personal data is shared across Telegram's corporate group, including entities in jurisdictions without an EU adequacy decision, relying on Standard Contractual Cl…
This provision establishes the categories and maximum retention period for security-related metadata. The retention of IP addresses for up to 12 months is the data category disclosed as subject to po…
This provision defines the scope of data Telegram commits to disclosing under law enforcement orders as limited to IP address and phone number, and conditions disclosure on both a valid judicial orde…
This provision defines the conditions under which Telegram will identify users to authorities, which is directly relevant to users' expectations of anonymity on the platform.
Relying on legitimate interests rather than consent means Telegram does not need to ask your permission to collect and process data, though you have the right to object to such processing under GDPR.
This provision discloses that message content and audio data are transmitted to Google LLC and Microsoft Corporation for user-requested features. The policy asserts contractual restrictions on second…
International data transfers are a key compliance area under GDPR; the sufficiency of transfer mechanisms depends on whether Thomson Reuters has conducted Transfer Impact Assessments, particularly fo…
The availability and enforceability of these rights varies significantly by jurisdiction, meaning not all users have the same level of protection or ability to control their data.
The clause operationalizes regulatory data subject rights by creating a defined submission mechanism, establishing Thomson Reuters' obligation to receive and process such requests according to applic…
Tracking technologies collect behavioural data that may be used for targeted advertising, analytics, and product development; managing these settings is one of the most direct controls available to u…
Open-ended retention periods mean personal data may be held for extended periods, particularly where legal or regulatory requirements create long retention obligations, reducing individuals' practica…
The policy authorizes collection of both explicit content, such as posts and profile data, and behavioral data, such as viewing patterns, interaction history, and usage duration, which together can b…
The minimum age requirement and parental consent obligation for minors are directly relevant to COPPA compliance in the United States and equivalent child protection frameworks in other jurisdictions.
This provision reflects compliance obligations under children's privacy regulations, particularly the Children's Online Privacy Protection Act (COPPA), which requires parental consent before collecti…
The policy discloses user data rights including access, rectification, portability, erasure, and objection to processing, which align with GDPR and CCPA statutory rights. Users can exercise these rig…
This provision establishes that Meta collects a broad set of device-level and network-level identifiers and signals from Threads users across all devices, and combines this data across devices. Cross…
The policy establishes a minimum age of 12 for Threads access and requires parental consent for minors aged 12 to 17, which is relevant for COPPA compliance and parental oversight of minors' social m…
This provision establishes the minimum age threshold for Threads consistent with COPPA requirements in the US, and creates an obligation on Meta not to knowingly collect data from users below this ag…
The structural linkage between Threads and Instagram means that data from both platforms is associated and that users cannot create a Threads presence that is separate from their Instagram identity.
This provision establishes that location data, including precise GPS location where device permissions allow, is collected and available for use in advertising targeting, personalization, and other p…
This provision establishes that data retention timelines are determined by Meta based on operational and legal necessity criteria rather than fixed periods disclosed to users, which has implications …
This provision establishes that the availability of data subject rights is conditional on applicable law and user location, which means the scope of exercisable rights varies by jurisdiction. The con…
Ticket sellers face a significantly higher level of identity verification and data collection than buyers, including government ID and tax information, because Ticketmaster's payment processing oblig…
Users who opt out of personalization may reasonably expect all profiling to stop, but the policy clearly states that profiling continues for operational purposes such as fraud prevention, which means…
Health and disability information is among the most sensitive categories of personal data under GDPR and similar laws; its collection, storage, and potential sharing with event venues creates heighte…
This clause establishes the organizational framework for jurisdiction-specific privacy compliance. It signals that Ticketmaster's privacy obligations and user rights are determined by the applicable …
The policy reserves the right to share attendee health and safety data, which may include names, contact details, seat locations, and entry and exit times, with government authorities, which represen…
This clause signals that Ticketmaster does not have COPPA-compliant parental consent mechanisms in place, and relies on users self-certifying their age, which may not adequately protect minors who ac…
The combination of first-party and third-party tracking technologies means your activity on Ticketmaster's platforms is monitored in detail, and third-party trackers embedded in the site operate unde…
AI interaction inputs may contain highly personal, sensitive, or proprietary information; the policy states this data is also used to train and improve machine learning models and algorithms, and to …
This provision establishes the procedural mechanisms through which users exercise data subject rights recognized under privacy frameworks. The authorization of both direct in-app controls and formal …
Approximate location is collected by default from IP address and device settings, while precise location collection requires enabling location services; the policy states location services can be dis…
The provision defines TikTok's technical and operational framework for implementing cookie consent requirements under applicable privacy regulations. It establishes the procedural mechanisms through …
Keystroke pattern collection can be used for behavioral profiling or identity inference beyond standard usage analytics; clipboard access may expose text or images copied from other apps that users d…
The explicit reference to Executive Order 14352 as a legal constraint on data sharing with TT Commerce and Global Services is operationally significant given ongoing US government national security s…
Sensitive personal information categories under CCPA and analogous state laws carry heightened processing restrictions and consumer rights; the policy places responsibility on users for whether they …
The policy authorizes TikTok to build inferred profiles about demographic attributes and personal interests from collected data, which may then inform ad targeting and content personalization beyond …
The agreement states that TikTok customizes ads users see on and off the platform based on activity, interests, device settings, and engagement data, and that some controls are available through plat…
This provision states that user data may be transferred to a new or acquiring entity even during negotiation stages, before any transaction is completed, and without individual user notice or consent…
The clause creates a dual-access structure where underage users operate under different terms and data practices than the standard platform, while establishing ongoing age verification and enforcemen…
Collection of message content, not just metadata, means private communications on TikTok's platform are stored and processed by TikTok, which is a materially different privacy posture than end-to-end…
Using personal data to train AI models is an emerging area of regulatory scrutiny; data used in model training may be retained and influence system behavior in ways that are difficult to audit or rev…
The enforcement logic directly determines whether and how cookie preferences translate into operational restrictions on data collection, cross-device tracking, and behavioral targeting within the adv…
This provision means TikTok collects personal data about people who are not TikTok users and have not consented to any TikTok data collection, raising third-party privacy concerns.
The TikTok pixel collects behavioral and event data from the advertising portal; the terms governing what data is collected, how long it is retained, and how it is used for ad targeting or optimizati…
Each third-party tracker deployed on this portal independently collects data about advertisers' browsing activity and may share that data with its respective platform, creating multiple parallel data…
Inferred profiling can result in a detailed personal profile being built from behavioral signals, which may be used for ad targeting and content personalization without your explicit knowledge of the…
The availability and scope of these rights depends on where you live, meaning users in some jurisdictions have significantly more control over their data than others, and knowing your rights is the f…
Private messages and intimate photos shared on a dating app are processed by the platform, which may create privacy concerns if that content is used beyond the immediate purpose of facilitating conne…
Age verification on online platforms remains technically challenging, and the policy relies on a 'knowingly' standard, meaning the practical protection for minors depends on the effectiveness of age …
Users who delete their accounts expecting their data to be erased may be surprised to learn that Tinder retains personal information, potentially including sensitive data, for up to five years, which…
On a dating app where users share sensitive information about their identity, location, and relationships, the circumstances under which this data may be disclosed to government authorities are parti…
The platform relies on user self-representation for age verification, which creates risk for both minors who access the platform and for Tinder's compliance with laws protecting children online.
Federal credit reporting law overrides your general privacy rights for credit report data, meaning your right to delete information from your TransUnion credit file is more limited than your right to…
This provision implements the disclosure and access requirements of the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), establishing TransUnion's operational obligati…
This opt-out right, required by California law and voluntarily extended to some other state residents, gives you practical control over whether your behavioral data is used to target you with adverti…
There is no fixed maximum retention period for most personal data at TransUnion, and anonymized data derived from your information may be kept and used forever, even if you later request deletion of …
Tracking technologies create a behavioral profile of your online activity that is shared with advertising and social media platforms, potentially linking your credit bureau profile with your browsing…
These rights give consumers in California and several other states meaningful tools to understand and control how their personal data is used, though the actual scope of each right varies by state an…
The absence of specific retention periods for sensitive financial data like SSNs and tax returns means your data may remain in Intuit's systems for extended periods, increasing the window of exposure…
This is an exceptionally sensitive data category, and the breadth of collection creates significant obligations for Intuit around security, retention, and lawful use, as well as heightened risk for c…
The provision establishes TurboTax's procedural obligation under federal privacy regulation to deliver transparent disclosures about information handling practices. It frames the legal limits on cons…
The use of sensitive tax data for product development and research means your financial profile contributes to Intuit's AI and analytics capabilities, which may extend the use of your data in ways no…
This provision operationalizes statutory rights under California's CCPA/CPRA by establishing the mechanism through which consumers can request access, deletion, correction, and opt-out actions regard…
The provision creates operational procedures for California residents to exercise statutory privacy rights under California law by designating specific submission mechanisms through which data subjec…
The cookie consent mechanism operationalizes Twilio's compliance with privacy regulations requiring affirmative user authorization before deploying certain tracking technologies. This structure creat…
The multi-jurisdictional privacy framework establishes Twilio's privacy policies and data handling practices across different legal regimes, with localized language versions supporting compliance doc…
The clause establishes Twilio's acknowledgment of California statutory consumer privacy rights and operationally commits the entity to providing mechanisms through which California residents may exer…
The notice authorizes disclosure of personal information to an undefined number of third-party service providers across functional categories including advertising and analytics, as well as to corpor…
This provision establishes Segment as an active data processor on twilio.com with a 90-day cookie window and domain-wide scope. The 'alwaysLoadSegment: true' parameter in the consent wrapper configur…
Google Tag Manager operates as a tag management system that can load and fire additional third-party scripts and pixels beyond those disclosed individually in the page source. The container GTM-5JLZ6…
The provision operationalizes Twilio's compliance obligations under EU and UK data protection law by establishing procedures through which individuals can exercise statutory rights over personal data…
The notice acknowledges that sharing data with advertising partners may qualify as a sale or sharing under CCPA/CPRA, which triggers a legally mandated right for California residents to opt out of th…
The notice asserts legitimate interests as one lawful basis for processing, which is subject to data subject objection rights under GDPR; EU and UK residents can formally object to certain types of p…
This provision operationalizes Twilio's compliance obligations under EU and UK data protection regulations by explicitly recognizing and enumerating the statutory rights that apply to users in those …
This provision establishes the operational mechanism through which Twilio captures and records visitor consent for cookie-based tracking, which is the foundational compliance control for GDPR and ePr…
The provision establishes the operational basis for Twilio's use of device recognition and tracking technologies across its digital properties. It acknowledges that these tracking practices may trigg…
The provision operationalizes state-mandated privacy rights into Twilio's data handling procedures, establishing specific mechanisms through which California residents can exercise statutory privacy …
The notice authorizes collection of both directly provided contact information and passively gathered behavioral data, which together can build a detailed profile of a visitor's interests and identit…
The provision operationalizes compliance with data protection regulations by establishing procedural mechanisms through which Twilio acknowledges and facilitates individual rights requests regarding …
Parents whose children use Twitch are contractually agreeing to the Terms of Service on behalf of their minor child, making them potentially responsible for the child's conduct and any resulting liab…
International data transfers can mean your personal information is processed in countries with different levels of legal privacy protection than your home country, which is particularly significant f…
This automatic data collection happens passively without any active input from you, and it is used to build a behavioral profile that informs advertising targeting, which is a core revenue mechanism …
Once your data is transferred to an exhibitor, Twitch's privacy protections no longer apply; you are subject to the exhibitor's own data practices, which you may not have reviewed or consented to in …
This provision significantly extends Twitch's data collection reach beyond its own platform to encompass your behavior on other gaming and social media services, which many users may not anticipate.
Children's online privacy is subject to specific legal protections under COPPA in the U.S. and similar frameworks internationally; the adequacy of Twitch's age verification and data handling for mino…
The breadth of data categories listed, spanning biometric-adjacent data like voice and image to financial data like credit card numbers, means that your Twitch account contains sensitive personal inf…
As an Amazon subsidiary, Twitch's data collection exists within a large corporate ecosystem; the relationship means data sharing within the Amazon affiliate group may occur and users should understan…
This provision authorizes disclosure of user data, including location history, trip records, communications, and payment information, to law enforcement and government authorities in response to form…
This clause establishes that driver data including location history, trip records, and identity information may be disclosed to law enforcement and government agencies, potentially including intellig…
This provision authorizes the sharing of trip-level location data with employers when rides are taken on a business account, which may not be immediately apparent to employees and raises workplace pr…
This provision authorizes the sharing of identifiable user data including name, email, phone number, and behavioral data with a wide range of advertising technology companies, enabling cross-platform…
Financial account data and tax information are sensitive categories of personal data whose exposure creates direct financial risk; the notice authorizes Uber to retain and use this data for both paym…
This provision authorizes sharing of sensitive location and behavioral data with insurance partners, which may affect insurance rating, claims outcomes, and coverage eligibility, and creates third-pa…
This provision establishes the operational mechanisms through which users may exercise data subject rights under applicable privacy regulations. It specifies the channels and processes Uber has desig…
This provision identifies the rights available to users under GDPR and CCPA and provides mechanisms to exercise them, including opt-out of advertising data sharing for California residents and data d…
This provision authorizes Uber to disclose personal data including trip records, location history, and account information to law enforcement or government agencies without requiring a court order in…
This provision authorizes disclosure of driver data including background check results, location history, communications, and financial data to government authorities, which is operationally signific…
Cross-border data transfers of EU/EEA driver data to the US and other third countries require valid transfer mechanisms under GDPR Chapter V, and the adequacy and supplementary safeguards supporting …
The collection and use of background check data for platform eligibility decisions implicates the Fair Credit Reporting Act (FCRA) requirements for adverse action notices and permissible purpose, and…
This provision establishes a continuous location data collection mechanism that operates even when the app is not actively in use, creating an ongoing data stream associated with each user's device. …
The breadth of third-party sharing, which includes analytics and advertising partners in addition to operationally necessary recipients like insurers, means driver data may be used for purposes beyon…
This provision establishes the operational mechanisms through which users can exercise data subject access and deletion rights, establishing Uber's procedural obligations to facilitate these requests…
Precise location data reveals detailed information about a user's movements, routines, home address, workplace, and frequented locations. The policy authorizes collection both during active trips and…
This provision establishes the framework through which drivers can exercise data rights, and the non-discrimination commitment is a specific CCPA/CPRA requirement; the operational effectiveness of th…
This provision establishes the operational mechanisms through which users may exercise data subject rights under applicable privacy regulations. The jurisdiction-specific application of these rights …
This provision establishes that Uber retains discretion to determine the duration and scope of data retention and to decline deletion requests based on broadly stated exceptions including safety and …
The notice provides access and deletion rights but includes a broad retention carve-out for legal, safety, and business purposes, which may significantly limit the practical scope of deletion rights …
Government-issued identification numbers constitute sensitive personal information under CPRA and personal data subject to heightened protection under GDPR, and their collection and retention creates…
This clause operationalizes statutory data protection obligations by establishing a procedural mechanism for rights exercise. The provision's scope and applicability depend on the user's location and…
This provision establishes that automated data collection about driving behavior is used to make determinations that affect drivers' platform standing and earnings eligibility, which may engage autom…
This provision establishes that communications between riders and drivers facilitated through the Uber platform are subject to collection and retention by Uber, including content of messages, which c…
This provision establishes a cross-context behavioral advertising framework that involves both outbound data sharing with advertising partners and inbound receipt of third-party marketing data, creat…
This provision governs the technical mechanisms through which behavioral and device data is collected on the platform, including data flows to third-party advertising and analytics partners via track…
This provision establishes the temporal scope of Udemy's data processing activities and determines how long personal data including learning activity, payment records, and communications content rema…
This provision establishes the distinct data governance framework applicable to enterprise and institutional customers, where the allocation of controller and processor responsibilities affects compl…
The legal mechanism used for cross-border data transfers determines what protections EU and UK users retain when their data is processed in the U.S.; the Data Privacy Framework has been adopted as an…
This provision establishes the legal framework under which EU and EEA users interact with Udemy's data processing activities, including the lawful bases asserted for processing and the mechanisms thr…
The age threshold of 16 (rather than 13, which COPPA requires) creates a more protective standard for minors in the U.S. and aligns with GDPR Article 8 requirements in the EU, but parents or guardian…
This provision establishes the operational mechanisms through which California residents can exercise statutory privacy rights, including the specific request submission process and any applicable re…
This provision establishes the categories of personal data subject to Udemy's processing activities and defines the informational scope of downstream data uses including advertising, analytics, and s…
Although blockchain wallet addresses are pseudonymous, combining them with your IP address and device information creates a data set that could identify you personally, undermining the privacy expect…
This clause clarifies that privacy protections in the policy do not extend to on-chain data, which is permanently and publicly visible by anyone including data brokers, analytics firms, and regulator…
The clause establishes Uniswap's acknowledgment of GDPR-mandated rights as applicable to EU users. These rights create procedural mechanisms through which data subjects can exercise control over thei…
The provision operationalizes GDPR compliance by explicitly stating the legal bases for data collection and processing activities. This framing establishes which regulatory framework applies to each …
This provision establishes that Support Chatbot interactions are retained and processed for purposes beyond immediate support, including product development, and that users consent to this processing…
This clause establishes Uniswap's operational obligation to provide California residents with data access, portability, and deletion mechanisms as mandated by state law, creating procedural requireme…
In a crypto context, disclosure of wallet address combined with IP address to law enforcement could expose your transaction history on the blockchain to investigation without a specific court order b…
The use of Google Analytics means your browsing and usage data from Uniswap Labs products is also transmitted to Google, and your contact information may be used for promotional communications from U…
The provision establishes Uniswap's operational position regarding CCPA compliance by declaring non-participation in personal information sales under the statute's definition. This clarification affe…
These rights give EU and UK users meaningful legal tools to control their data held by Unity, including the ability to object to profiling for advertising purposes, which can stop Unity from building…
Under California's CPRA, the right to opt out of sharing data for cross-context behavioral advertising applies even when no money changes hands, giving California residents meaningful control over ho…
The absence of specific, published retention periods for key data types such as advertising identifiers and behavioral data makes it difficult for users to know when their information will be deleted…
The provision operationalizes data subject rights that vary by jurisdiction, creating a procedural mechanism for users to exercise legally-mandated privacy controls. It establishes Unity's obligation…
This provision establishes Unity's COPPA compliance posture, but relies on users self-certifying their age rather than active age verification, which is a common limitation in developer-tool contexts.
International data transfers carry risk because data protection laws in destination countries, particularly the US, may offer weaker protections than GDPR; standard contractual clauses help but requi…
This provision reflects the data retention obligations introduced by the FTC's 2024 amendments to the COPPA rule, which require operators to establish and maintain a retention schedule and delete chi…
This provision establishes the categories of third parties that receive children's personal information under COPPA's disclosure framework. The inclusion of app publishers on the Epic Games Store as …
This provision authorizes collection of personal and financial information from creators and developers in connection with monetization programs, which is operationally significant for participants w…
This broad automatic collection covers a wide range of behavioral and technical data linked to your identity or device, and underpins Epic's ability to run analytics, personalize experiences, and ser…
This provision establishes a procedural mechanism for parental access and account deletion rights, defining how parents can exercise data subject rights regarding children's accounts and setting fort…
This provision discloses that personally identifying user inputs are processed by AI-powered features, but the policy as excerpted does not address whether those inputs are used for model training, r…
The provision creates operational pathways for data subject rights requests and preference management, establishing the procedures through which individuals can exercise control over their informatio…
Voice recordings are sensitive personal data, and storing them on other participants' devices without the user's direct control raises questions about who has access to those recordings and how long …
This provision establishes that audio recordings of voice chat sessions are stored on all participants' devices when voice reporting is active, and may be transmitted to Epic upon any participant's v…
Users who send messages through Upwork's messaging system should be aware that those communications are not private and may be reviewed by Upwork for a broad range of purposes beyond just safety and …
For EU, UK, and Swiss users, the adequacy of the transfer mechanism directly affects whether their personal data receives the same level of protection outside Europe as it does within it. The use of …
This clause operationalizes statutory data subject rights under CCPA and GDPR by establishing Upwork's procedural obligation to receive, evaluate, and act upon user requests according to the applicab…
Users who close their Upwork accounts may assume their data is deleted, but the policy reserves the right to retain personal data for unspecified periods for broad business purposes, which can frustr…
These rights are legally enforceable in the EU, UK, and California, meaning Upwork is obligated to respond to valid requests within statutory timeframes and cannot simply ignore them.
The breadth of data collected, including financial and payment data alongside identity and communications information, means Upwork holds sensitive personal information that could cause harm if impro…
Behavioral tracking technologies can build detailed profiles of your online activity, and the data collected may be shared with advertising partners. Users in the EU have a legal right to consent to …
The agreement establishes that Venmo is not authorized for use by minors, and that users represent their own eligibility; Venmo does not assume responsibility for verifying user age at registration b…
The policy authorizes collection of both precise device geolocation and IP-derived approximate location, creating a location history associated with the user's financial activity and identity.
The policy authorizes use of device identifiers, browsing activity data, and interaction tracking for advertising purposes, which under CCPA may constitute 'sharing' of personal information for cross…
The policy asserts COPPA compliance through a reactive deletion mechanism but does not describe proactive age-gating or verification procedures, which creates potential exposure if minors access the …
The policy explicitly grants California residents a set of enforceable privacy rights under CCPA/CPRA, including the right to opt out of data sale or sharing for behavioral advertising, which is dire…
The GLBA notice defines the scope of your federal opt-out rights regarding financial data sharing; it also discloses that several categories of sharing, including sharing for joint marketing and ever…
The policy does not specify fixed retention periods for most data categories, and asserts the right to retain information after account closure for unspecified legitimate business purposes, which may…
The policy's standard security disclaimer limits Venmo's stated security assurance to 'reasonable measures' while disclaiming liability for breaches that may occur despite those measures.
For businesses and developers who deploy applications handling personal data, the quality and scope of these data protection commitments directly affects GDPR and CCPA compliance obligations and the …
Cookie and tracking data can build a detailed profile of your behavior on Vercel's platform, and this data may be shared with advertising and analytics partners as described elsewhere in the policy.
The provision operationalizes jurisdiction-specific data protection requirements by establishing a procedural mechanism for users to request access to, modification of, or removal of their personal d…
For EU and UK users, transferring data to the US requires specific legal safeguards under GDPR and UK GDPR, and asserting broad consent as the transfer mechanism may not meet the required legal stand…
The opt-out of sale or sharing right is particularly significant because Vercel acknowledges sharing user data with advertising partners, and California residents can specifically prevent this by sub…
Open-ended retention periods tied to broadly defined purposes such as 'legal obligations' and 'enforcing agreements' may result in personal data being retained for extended periods without a clear ma…
CPNI is a legally protected category of telecommunications data; how Verizon uses it for marketing purposes is subject to FCC rules that impose specific consent and opt-out standards distinct from ge…
These rights give California residents meaningful control over their personal data, including the ability to stop Verizon from sharing their data with third parties for advertising purposes.
This provision authorizes cross-site and cross-app tracking by third-party advertising companies using persistent identifiers, which is subject to Digital Advertising Alliance and Network Advertising…
GPC recognition provides a technical mechanism for California residents to opt out of data sharing for advertising without navigating the privacy choices portal, but the policy limits this recognitio…
CPNI use authorization establishes the operational scope of how telecommunications carriers may leverage call detail records, service usage patterns, and related metadata for commercial purposes with…
This provision reflects Verizon's legal obligations under COPPA, which requires verifiable parental consent before collecting personal information from children under 13, and provides a baseline prot…
This provision implements statutory requirements under the California Consumer Privacy Act and California Privacy Rights Act, establishing specific data subject rights that Verizon must honor upon va…
This provision discloses collection of sensitive data categories including financial account numbers and health information. Health information collected in the context of wellness apps or services m…
These rights give California residents meaningful control over how their personal data is used commercially, including a direct mechanism to stop Verizon from sharing their data for behavioral advert…
This provision identifies Verizon's obligations as a telecommunications carrier under FCC CPNI rules, which impose sector-specific consent and use restrictions on call detail and network usage data b…
This clause establishes an automated mechanism for opt-out requests, allowing users to communicate privacy preferences through standardized browser signals rather than requiring manual opt-out submis…
This provision establishes Verizon's stated approach to automated opt-out signals, which is a compliance requirement under CPRA for California residents and under similar statutes in other states. Th…
This provision operates to preserve the applicability of state and federal privacy regimes without waiving or limiting them through the agreement. It establishes that the policy does not supersede or…
Your data collection and sharing preferences, including whether Verizon can share your information with third parties for marketing, may depend on the settings in this consent tool and the linked pri…
This provision discloses CPRA rights applicable to California residents, including the right to limit use of sensitive personal information such as precise geolocation and browsing data, and the righ…
This provision establishes the operational framework for California statutory privacy rights, including the right to opt out of sale or sharing of personal information for advertising purposes, which…
This provision establishes the stated compliance posture under the Children's Online Privacy Protection Act for online data collection from minors. The 'knowingly' qualifier is standard COPPA framing…
This provision operationalizes Visa's compliance obligations under applicable privacy regulations by explicitly acknowledging jurisdiction-specific consumer privacy rights and establishing a procedur…
The opt-out right for marketing communications is meaningful, but targeted advertising may involve sharing data with third-party advertising platforms that persists independently of opting out of dir…
This clause operationalizes Visa's obligations under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) by establishing specific consumer rights and defining the mech…
These rights are legally enforceable under GDPR and EU national implementing laws, meaning Visa must respond to valid requests within defined timeframes and cannot simply decline without a lawful bas…
This is a legally enforceable right under California's CPRA that allows California residents to limit how their data is used for commercial advertising targeting across the internet.
Visa's network position means this data covers spending behavior across a very wide range of merchants and contexts, creating a detailed financial profile that goes beyond what any single retailer wo…
The provision establishes a mechanism for individuals to exercise legally recognized data processing objections and opt-out rights according to applicable jurisdiction-specific privacy regulations. T…
Receiving data from external sources like data brokers means Visa's profile of you may go beyond what you directly provided, incorporating inferred demographics and interests from third parties you m…
Fraud prevention is a legitimate and important use of payment data, but the authorization to share information with government authorities 'as permitted by law' is broader than strict legal compulsio…
The provision ensures compliance with children's privacy regulations such as COPPA and similar statutory frameworks across jurisdictions. It establishes procedural requirements for Visa's handling of…
Loyalty program participation generates a persistent, linked dataset combining retail purchase history, prescription information, and behavioral data, which the policy authorizes for use in personali…
The assertion of unlimited use rights for de-identified data depends on whether the de-identification meets applicable legal standards, and re-identification risk from health and pharmacy data is a r…
The absence of specific retention periods for individual personal information categories, particularly health and pharmacy data, creates compliance considerations under CCPA/CPRA's data minimization …
This provision operationalizes Walgreens' compliance obligations under California privacy statutes by explicitly acknowledging specific consumer rights that the entity must honor upon request, establ…
A corporate transaction could result in your sensitive health and pharmacy data being controlled by a different company with different privacy practices, and the policy does not commit to providing a…
This provision operationalizes CCPA/CPRA statutory rights for California residents and establishes the non-discrimination obligation. The scope and effectiveness of these rights in practice depends o…
The absence of specific retention timelines in the general notice means consumers cannot easily determine how long their purchase history, location data, or biometric identifiers will be retained, wh…
Precise geolocation data is classified as sensitive personal information under CPRA and similar state laws, meaning its collection and use for marketing purposes requires specific disclosure and a me…
This provision establishes Walmart's stated COPPA compliance posture but does not describe a verified age-gating mechanism; the agreement relies on users self-certifying their age rather than a techn…
This provision identifies the specific consumer rights available under state privacy laws and establishes Walmart's commitment to processing these requests, which is directly relevant to consumers wh…
Children's data provisions operationalize compliance with applicable legal requirements governing child data protection. These restrictions define the conditions under which the service may collect a…
These rights are enforceable under CPRA and analogous state statutes, and the mechanism through which Walmart enables consumers to exercise them determines whether Walmart meets its statutory complia…
This provision operationalizes Walmart's legal obligations under state privacy statutes by recognizing consumer rights that may be enforceable under law. It establishes the framework through which Wa…
COPPA prohibits collection of personal information from children under 13 without verifiable parental consent, and CPRA prohibits the sale or sharing of personal information of consumers aged 13 to 1…
This provision establishes Walmart's stated approach to COPPA compliance, but the policy's in-store and loyalty program data collection practices may create scenarios where data about minors is colle…
This provision operationalizes state-level privacy rights by establishing a defined mechanism for individual data access, modification, and portability requests. The clause creates an administrative …
The provision creates a procedural framework for state-specific privacy rights exercise, establishing designated request mechanisms that Walmart commits to process. This operational structure enables…
This provision asserts a broad carve-out from the policy's privacy protections for aggregated or de-identified data, and does not specify a standard for what constitutes adequate de-identification or…
Incorporation by reference creates a single unified agreement covering both service usage terms and data handling practices. This operational structure means users must review both documents to under…
This provision establishes California-specific statutory rights under CCPA and CPRA, including the right to opt out of the sale or sharing of personal information for cross-context behavioral adverti…
The provision establishes minimum age thresholds consistent with COPPA (US) and GDPR Article 8 (EU), but relies on user self-representation rather than active age verification, which may be insuffici…
This clause operationalizes Waze's compliance obligations under GDPR and UK data protection law by explicitly confirming the availability of statutory data subject rights and establishing that the pr…
This provision formally acknowledges the GDPR and UK GDPR rights framework for European and UK users, establishing an avenue for data subjects to exercise statutory rights directly against Waze.
This provision establishes minimum age thresholds that vary by jurisdiction and commits Waze to a deletion process if underage data is identified, but does not describe any age verification mechanism…
This clause operationalizes Waze's obligation to recognize and facilitate statutory data subject rights under GDPR and UK data protection frameworks. The provision establishes the procedural foundati…
This provision authorizes access to contact lists and collection of communications content as a condition of using the Carpooling feature, extending data collection beyond navigation use to include t…
Home lending clients are subject to a wider data sharing network than standard investment clients, and consent to this sharing is embedded in the agreement to begin a loan application, not a separate…
The clause implements statutory rights under the California Consumer Privacy Act and creates an operational obligation for Wealthfront to process and respond to disclosure and deletion requests withi…
This provision directly limits a right that many consumers expect to exercise, particularly California residents under CCPA, and means that becoming a full Client rather than a free User significantl…
Biometric data carries heightened legal protection in several states, and the 90-day vendor destruction timeline is a contractual commitment rather than a statutory minimum, meaning enforcement depen…
This authorization is broad and ongoing: it grants Wealthfront and its subprocessors (Yodlee or Plaid) continuous access to your external financial accounts, including transaction history and balance…
A corporate transaction could result in your detailed financial profile, including account history, investment data, and Social Security number, being transferred to a new entity whose privacy practi…
This type of cross-device tracking creates a detailed behavioral profile that goes beyond account activity and may be used to infer patterns about your financial behavior, location, and interests.
Material changes to how your data is collected or shared may take effect without proactive individual notice, placing the responsibility on users to monitor the policy for updates.
For users outside the United States, particularly in the EU and UK, this means your personal and financial data may be subject to U.S. legal process and privacy standards that may differ from those t…
Open-ended retention language means your sensitive financial and identity data may be held indefinitely, as the policy does not commit to defined deletion timelines for most data categories.
The collection of Social Security numbers, government IDs, and financial account details creates significant privacy and security exposure if that data is mishandled, breached, or shared beyond neces…
This provision establishes a regulatory disclosure mechanism that requires Webull to respond to consumer requests for data inventory and usage information within the timeframes and procedures mandate…
Automated collection of device identifiers and detailed behavioral data creates a persistent profile of how you use the platform, which the policy permits to be used for analytics and potentially sha…
The provision establishes Webull's acknowledgment of California-specific privacy obligations that operate as statutory requirements independent of the agreement. These rights are established by Calif…
Understanding what categories of personal data CoreWeave collects is the foundation for assessing your privacy exposure as a user or enterprise customer.
The provision creates transparency regarding data handling mechanisms across CoreWeave's service ecosystem. It establishes the procedural basis for understanding what personal information CoreWeave p…
EU users interacting with CoreWeave's cloud platform need to know whether their data is processed lawfully and whether adequate safeguards exist for any transfers of their data outside the EU/EEA.
Retention periods determine how long your personal data exists in CoreWeave's systems, affecting both your privacy and the company's obligation to delete data upon request.
Third-party disclosure provisions determine which external entities receive user personal information and under what conditions, a material consideration for enterprise customers whose employees or e…
User rights provisions establish the procedural mechanisms through which individuals may access, correct, delete, or port their personal information; these mechanisms are operationally significant fo…
California's privacy framework provides some of the strongest consumer data rights in the US, and CoreWeave's compliance with these provisions directly affects the rights available to California-base…
This provision establishes the foundational scope of CoreWeave's data processing activities; without the full text, the specific data types, collection mechanisms, and stated purposes that users and …
This provision establishes the foundational data practices governance for the entity, setting out the scope of data handling activities that subsequent privacy terms and user rights provisions refere…
Tracking technologies enable Whatnot and third parties to monitor your behavior across sessions and potentially across other websites, which feeds into the advertising and profiling practices describ…
This provision requires Whatnot to maintain a functional opt-out mechanism for California residents and to accurately disclose which categories of personal information are sold or shared with adverti…
This provision is legally significant because it directly implicates COPPA, which requires parental consent for data collection from users under 13, and because minors who use the platform may not be…
This provision authorizes cross-site behavioral tracking via third-party advertising and analytics partners, which may constitute a 'sale' or 'sharing' of personal information under California law an…
This provision asserts COPPA compliance by excluding users under 13 from the platform and committing to deletion of inadvertently collected data from that age group; the operational adequacy of age v…
This provision addresses cross-border data transfers, which for EU and UK users require specific transfer mechanisms under GDPR and UK GDPR; the policy's reference to 'appropriate safeguards' without…
Collection of audiovisual content from livestreams constitutes collection of biometric-adjacent data in some jurisdictions and may engage state biometric privacy statutes; session and interaction met…
This provision establishes the mechanism and scope of data subject rights available under CCPA, CPRA, GDPR, and UK GDPR, and the operational availability of these rights depends on Whatnot's implemen…
Your purchases, messages, viewing history, and other activity may be used to build and refine AI systems, and the policy does not specify limitations on how long or for what purposes this training da…
This provision is required under COPPA, and its effectiveness depends on how robustly Whatnot verifies user ages at sign-up, which the policy does not detail.
This provision establishes COPPA-relevant age restrictions and requires parental consent for minor users aged 13 to 18, which creates compliance obligations regarding age verification and parental co…
These rights, enforceable under GDPR, give EU and UK users meaningful control over their personal data held by WhatsApp, including the ability to object to data processing for purposes beyond core se…
CCPA provides California residents with legally enforceable rights to know about and delete their personal data, and the policy states WhatsApp will not discriminate against users who exercise these …
The absence of fixed retention periods and the use of discretionary, case-by-case determinations means users cannot know with certainty how long specific categories of their personal data will be ret…
This provision establishes the minimum age threshold and places responsibility on parents or guardians to agree to the terms on behalf of underage users, which has implications for COPPA compliance i…
The collection of unique identifiers associated with other Facebook Company products on the same device creates a technical linkage between your WhatsApp usage and your activity on other Meta platfor…
This provision involves the processing of personal data belonging to third parties (your contacts) who have not agreed to WhatsApp's terms and may be unaware their phone number and name have been upl…
This provision establishes the technical framework governing message confidentiality. The encryption mechanism defines the scope of data WhatsApp can access and disclose regarding message content.
End-to-end encryption is a significant privacy protection for message content, but the policy makes clear this applies to message content in transit and does not necessarily protect metadata (such as…
The policy authorizes disclosure of user information in response to government requests and legal process, including on a good-faith basis, which means data may be shared without a court order in som…
The minimum age of 13 aligns with US COPPA requirements but is lower than the GDPR default age of 16 for digital consent (or the age set by EU member states, which can range from 13 to 16); this mean…
The provision creates distinct contractual relationships based on user location, which may affect applicable regulatory frameworks, liability structures, and data processing obligations since differe…
This provision establishes that user-submitted Prompts and AI-generated Outputs are collected and retained, and that they may constitute personal information, which has implications for data subject …
The policy authorizes cross-service tracking by third-party analytics partners, including Google Analytics, meaning user activity may be observed across websites and services beyond windsurf.com unde…
The ZDR option provides Pro users with a meaningful data minimization mechanism, but the agreement identifies specific features and model types that override ZDR protections, meaning the protection i…
This provision establishes the legal basis for cross-border transfers of EEA, Swiss, and UK personal data to the US and other jurisdictions, but does not specify which SCC module is in use or identif…
Unlike Chat data training, opting out of Autocomplete data training does not result in loss of service access, providing users a meaningful choice. The agreement also explicitly commits to not using …
This provision establishes the data deletion and retention framework that governs how long and under what conditions user data including code snippets is retained or purged. The opt-in structure for …
The document states that code snippet logs for users without zero-data retention enabled may be accessible to internal communications platforms and analytics tools used by Windsurf staff, meaning dat…
The agreement sets a minimum age of 13, aligning with the U.S. Children's Online Privacy Protection Act (COPPA) threshold, but does not state additional protections for users between 13 and 17 or add…
This provision establishes a materially different default data protection posture for individual users compared to organizational plan users, requiring individual users to take an affirmative opt-in …
The policy states that voice audio is discarded after processing, but the text transcriptions derived from voice input are retained as Log and Usage Information, which is subject to AI training and o…
The document explicitly states that no zero-data retention agreement exists with Bing, meaning data derived from user code and conversation history sent via web search queries may be retained by Micr…
The policy acknowledges regional data rights but exercises them through a contact-us mechanism rather than a self-service portal, meaning the process for exercising rights depends on company response…
The document states that data transmission occurs continuously in the background without requiring a user action, meaning code and context data is sent to Windsurf servers as a baseline operational b…
The document discloses that code data submitted to Windsurf may be processed by multiple third-party compute providers for model training and hosting, which extends the data exposure footprint beyond…
The provision establishes that Windsurf's data handling practices are subject to varying regional regulatory frameworks, including GDPR and state privacy statutes. This creates operational requiremen…
Healthcare organizations using Windsurf should be aware that a BAA is described as available for 'significant implementations' rather than as a standard offering, meaning smaller healthcare customers…
The document states that data may be routed to third-party AI inference providers regardless of which model the user has explicitly chosen, which means users may not have full visibility into which p…
Your financial transaction data and personal information will be shared with multiple third-party entities, and the full scope of that sharing is defined by Wise's Privacy Policy rather than this agr…
Wise's identity verification process involves sharing your personal data with third-party verification services, and providing inaccurate information can result in account suspension or closure.
This provision operationalizes statutory data protection obligations under GDPR and UK data protection law by establishing a procedural mechanism for data subjects to exercise legally-mandated rights…
Cookies enable Wix and its third-party partners to track your behavior across sessions and, potentially, across other sites, which is relevant to understanding what data is collected about you and ho…
Most people are unaware that visiting a website built on Wix means a third party (Wix) is also collecting their data, separate from whatever the website owner collects.
International data transfers mean your personal information may be subject to legal frameworks offering different levels of protection than your home country, particularly relevant for EU users whose…
Understanding what categories of personal information Workday collects directly from website visitors and prospective customers is important for individuals who have provided contact details, attende…
If you are an employee using Workday at work, your employer, not Workday, is typically the controller of your HR data, which means you may need to direct privacy requests to your employer rather than…
Enterprise customers and individuals whose data is held by Workday need to understand which third parties may receive their personal information, whether as sub-processors in the platform context or …
This clause operationalizes Workday's legal obligations under various privacy regimes by specifying the mechanisms through which data subjects can exercise statutory privacy rights. The jurisdiction-…
Knowing how to exercise your data rights with Workday, and whether your request should go to Workday directly or to your employer, is essential for anyone whose personal information is held within th…
This provision discloses cross-border data transfers to the United States but does not specify which transfer mechanism (such as standard contractual clauses or the EU-U.S. Data Privacy Framework) ap…
This provision authorizes use of user data for AI model training, which is operationally significant for enterprise customers concerned about proprietary content submitted to the platform potentially…
The breadth of data collected, particularly User Content (what you write and submit) and usage data, means Writer has access to potentially sensitive business information beyond basic account details.
This provision establishes the specific statutory rights Writer recognizes for California residents and the exercise mechanism, which compliance and legal teams should verify is operationally impleme…
This provision establishes the categories of personal information Writer collects directly, which forms the basis for applicable GDPR, CCPA, and CPRA data subject rights obligations and data mapping …
This provision operationalizes Writer's compliance obligations under CCPA by explicitly recognizing the enumerated consumer rights that California law grants. The clause establishes the framework und…
HubSpot tracking on this page may involve collection of visitor identifiers, IP addresses, and behavioral data transmitted to HubSpot as a third-party processor. For an enterprise AI platform's Trust…
Google Tag Manager deployment on a public-facing web page enables loading of additional tracking, analytics, and advertising tags, which may involve collection of visitor identifiers, browsing behavi…
The clause confirms the applicability of statutory data protection rights in these jurisdictions and establishes Writer's obligation to honor GDPR-mandated individual rights mechanisms, which functio…
This provision establishes that individual end users accessing Writer through an employer or enterprise account may operate under a separate contractual data governance regime, meaning the rights and…
This provision authorizes third-party tracking deployments that may require affirmative consent under EU ePrivacy Directive requirements and applicable member state implementations, and may trigger C…
This is one of the most practically significant protections in the policy for enterprise users, directly addressing a common concern about AI platforms using business content to improve their models …
This provision establishes the categories of third parties with whom Writer shares personal information, which is relevant to GDPR sub-processor obligations, CCPA/CPRA sale or sharing determinations,…
This provision establishes the minimum age policy and signals COPPA compliance intent, but does not describe any active age verification mechanism for account creation.
The clause establishes user-controlled data management capabilities within the service platform, allowing individuals to maintain accuracy of personal information and obtain portable copies of their …
The terms acknowledge that X conducts research and experiments involving platform activity, which may include A/B testing of features, algorithmic experiments, or behavioral research that affects how…
This provision states that account deactivation does not result in immediate data deletion, and that certain personal data may be retained beyond the 30-day period for legal compliance or legitimate …
This provision identifies the legal entity responsible for your personal data based on your location and states the privacy rights available to you, which determines who you contact to exercise right…
The existence of formal law enforcement guidelines means X has documented procedures for disclosing user data to government authorities, which is relevant to any user's understanding of when their ac…
The 13-year minimum age aligns with COPPA's threshold in the US but the document does not specify what verification mechanisms are in place; the provision also contemplates adult authorization of min…
This provision operationalizes regulatory compliance frameworks by creating structured pathways for users to contest content removal and account suspension decisions. The clause establishes that X re…
The clause creates an eligibility threshold and establishes a mechanism for parental or guardian authorization of minor accounts, placing the burden of legal authorization on the accepting party rath…
This provision establishes eligibility criteria for service access and defines the legal basis for data processing consent. It allocates responsibility for consent between users and parents/guardians…
This provision discloses the specific legal rights available to California residents under CCPA and CPRA, including the right to opt out of sale or sharing of personal information for behavioral adve…
The policy states that posts and engagements are publicly accessible beyond the X platform itself, which means content shared on X may be indexed by search engines, accessed through third-party appli…
Parents are responsible for establishing and managing accounts for younger children, and Microsoft's platform relies on parental consent mechanisms to comply with COPPA and equivalent international l…
Given that Xfinity provides household internet, cable, and home security services that are routinely used by all members of a household including children, the 'not directed to children under 13' sta…
The number of states with active privacy rights covered by this policy is significant and growing; consumers in these states have concrete legal rights to control their data that go beyond what the g…
Open-ended retention standards without specific time limits for sensitive data categories like browsing history, viewing data, or biometrics may not satisfy state laws that require defined retention …
This provision anchors the policy within federal statutory authority, establishing that the collection of personally identifiable information operates under Section 631 of the Cable Act rather than s…
The provision operationalizes compliance obligations in jurisdictions with distinct privacy law regimes, establishing separate notice terms and data subject rights applicable to those geographic regi…
The geographic designation signals that Comcast has structured its privacy obligations to account for regional regulatory frameworks in these jurisdictions, including GDPR and equivalent data protect…
This clause means your publicly posted reviews and photos, as well as private AI chat inputs and outputs, can be used to improve Yelp's commercial AI products without additional compensation or separ…
COPPA requires specific protections for children under 13, and Yelp's compliance depends on the effectiveness of its age verification and detection practices; parents have a right to request deletion…
Precise geolocation is a sensitive data category under several US state privacy laws and GDPR, and its use for advertising purposes beyond core service functionality is a meaningful data practice tha…
Account closure does not result in immediate deletion of personal data; Yelp retains data indefinitely for broadly stated legal and business purposes, which means personal information persists even a…
This provision operationalizes Yelp's compliance obligations under GDPR by establishing specific data subject rights that European residents may invoke. The clause establishes procedural pathways thr…
The age restriction reflects Yelp's compliance posture under the Children's Online Privacy Protection Act (COPPA), which restricts data collection from children under 13 without verifiable parental c…
The provision establishes Yelp's baseline data sale practice and creates a procedural requirement to notify users and provide opt-out mechanisms if the company's data sale practices change. It also r…
The clause operationalizes statutory obligations under state privacy laws (CCPA/CPRA) by establishing specific procedural channels through which consumers can exercise opt-out rights. The non-discrim…
Sensitive personal data categories such as health information, sexual orientation, and religious affiliation receive heightened legal protections under GDPR, CCPA/CPRA, and several US state privacy l…
Sharing behavioral data including search queries and business page views with advertising networks means your Yelp activity profile can be combined with data from other platforms by third parties, po…
Collection of voice and audio data may implicate state wiretapping statutes, biometric privacy laws, and GDPR requirements for processing audio recordings; this provision is relevant for compliance t…
The provision establishes the operational procedures by which users can exercise deletion rights within Google's account management infrastructure. The availability of granular deletion options (by s…
This provision authorizes collection of granular location data through multiple signal types simultaneously, which is material for advertising targeting, product personalization, and data profiling; …
Parents who enable their children to use YouTube are accepting the full terms of service on their behalf, including the indemnification clause and content license grants, which is a significant legal…
The policy states Google uses automated estimation to determine a user's likely age for the purpose of restricting adult advertising content, but the reliability and scope of this estimation mechanis…
This provision establishes Google's COPPA compliance posture for general Google services; YouTube operates a separate YouTube Kids product with additional protections, and the FTC has previously take…
This provision establishes the legal and operational basis for Google combining personal data across Search, YouTube, Gmail, Maps, and advertising networks into unified user profiles, which underpins…
This provision makes parents or legal guardians who enable a child's access to the Service contractually bound by and responsible under these Terms for their child's activity, including content uploa…
Device identifiers and phone numbers are persistent identifiers that can be used to track users across services and sessions even when cookies are cleared, making them a foundational element of cross…
Location data is among the most sensitive categories of personal information because it can reveal where you live, work, worship, receive medical care, and more — and the policy authorizes its use fo…
Interest-based ad targeting means your online behavior — including sensitive content you watch or search for — may be used to categorize you and determine which ads you receive.
This cross-service data combination means the ads you see on YouTube are informed by activity far beyond YouTube itself, including your location history, search behavior, and app activity across your…
Collection of payment card numbers and financial transaction data by Google is operationally significant for compliance teams assessing PCI DSS obligations, data security requirements, and financial …
The clause creates operational mechanisms for data subject rights compliance, establishing that users retain control over their stored personal data and can retrieve it in portable format independent…
This provision establishes the operational basis for YouTube Ads personalization, grounding ad targeting in inferred interest categories and activity data; it is directly relevant to advertisers, pub…
Watch history and search terms are used to recommend content and serve contextual ads, meaning the app builds a behavioral profile of your child's viewing habits even without collecting their name.
The prohibition on interest-based advertising and remarketing is a meaningful child privacy protection, but the use of unique identifiers for contextual advertising means some form of identifier-link…
This provision means your browsing activity on zelle.com, including pages you visit and interactions you have, can follow you to other websites in the form of targeted advertisements.
These retention periods determine how long your personal information, including fraud reports you submitted, remains in Zelle's systems and available for potential disclosure to third parties or law …
Because continued use of the website constitutes consent to the current policy including future updates, changes to the privacy notice can expand data collection or sharing practices without requirin…
This provision establishes the procedural mechanism through which data subjects can exercise GDPR, UK GDPR, CCPA/CPRA, and equivalent regional privacy rights against Zendesk as a controller, and spec…
This provision establishes the legal basis Zendesk asserts for international personal data transfers, engaging GDPR Chapter V requirements and equivalent national frameworks, and is material for EU, …
This provision documents the scope of personal data categories Zendesk collects as a controller, including inferred profile data, which engages CCPA/CPRA disclosure requirements and GDPR Article 13 t…
The adequacy of international transfer mechanisms is a live regulatory issue; if Zendesk's reliance on the Data Privacy Framework or SCCs is found insufficient, EU and UK users' data could be transfe…
Cookie-based tracking can feed data to advertising networks and analytics platforms, and the notice acknowledges that some service functionality depends on cookie acceptance, which creates a practica…
Millions of consumers interact with businesses through Zendesk-powered support tools without knowing it; this clause determines that those consumers must pursue their privacy rights through the busin…
This provision operationalizes Zendesk's compliance obligations under California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) by establishing the specific data subject rights …
The clause operationalizes GDPR and equivalent regional regulatory requirements by explicitly recognizing data subject rights that create enforceable obligations on Zendesk to respond to individual r…
This provision establishes the allocation of data protection obligations between Zendesk and its business customers, determining which party bears controller responsibilities under GDPR, UK GDPR, and…
This provision establishes the specific privacy rights framework Zendesk applies to California residents under CCPA and CPRA, including the opt-out of sale or sharing right applicable to advertising …
These rights are legally enforceable under GDPR and UK GDPR, and Zendesk is bound to respond within statutory timeframes; failure to honor them can be reported to the Irish DPC (for EU) or the ICO (f…
California residents have among the strongest consumer privacy rights in the US, and this provision confirms those rights apply to Zendesk's data processing, giving consumers concrete tools to limit …
This sharing with advertising networks means your data may be used beyond Zendesk's own purposes and shared with third parties whose own privacy practices are separate from Zendesk's notice, potentia…
Precise geolocation is classified as sensitive personal information under CPRA and several other state privacy frameworks, triggering heightened use limitation and opt-out rights beyond those applica…
This provision establishes Zillow's compliance with CCPA/CPRA opt-out obligations and operationalizes the consumer right to halt advertising-related data transfers classified as sales or sharing unde…
The provision establishes a procedural mechanism for users to restrict specific data practices and creates an operational obligation for the company to honor such requests without applying discrimina…
Precise location data is among the most sensitive personal data categories and can reveal daily routines, home address, and patterns of movement; its sharing with third-party providers extends its ex…
Without specific retention periods, users cannot know how long their home search history, financial data, or contact information will be held, and broader retention windows increase the risk of data …
This provision establishes the scope of Zillow's data collection across its platforms and is foundational to evaluating the company's obligations under CCPA/CPRA, which requires disclosure of collect…
The provision creates operational obligations for ZipRecruiter to respond to consumer data requests and honor opt-out directives under California law. It establishes the institutional processes throu…
If you include sensitive information in your resume, it may be shared with employers and stored in ZipRecruiter's systems even though the company advises against it, as ZipRecruiter does not filter o…
AI-driven matching means automated processing of your career data influences which jobs or candidates you are shown, with limited transparency about how those decisions are made.
If your personal data is processed by ZipRecruiter on behalf of an employer, your rights requests go to the employer, not ZipRecruiter, which may create delays or barriers to exercising your data rig…
EU, UK, and Swiss users' personal data is transferred to the United States under the DPF; if the DPF is ever invalidated by courts (as prior mechanisms were), alternative transfer protections would n…
Connecting a social account to ZipRecruiter grants the platform access to information well beyond your basic profile, including your social connections and activity feeds, which may exceed what you i…
People who have never interacted with ZipRecruiter may have their professional contact information held and used by the platform without their knowledge or direct consent.
This provision operationalizes California's statutory consumer privacy framework (CCPA/CPRA) within Zoom's service terms, establishing the procedural mechanisms through which California residents may…
This provision establishes age-gating as an operational control within Zoom's user acquisition and data collection practices. It creates a representation that users accessing the Services affirm they…
This provision establishes that Zoom's data collection scope includes the substantive content of communications, not only metadata or usage signals. For enterprise accounts processing confidential bu…
This provision establishes Zoom's stated policy on data collection from minors, which is relevant for parents, schools, and organizations that use Zoom in educational contexts. It sets a minimum age …
This provision discloses the specific legal rights available to California residents under CCPA and CPRA, including the right to opt out of the sale or sharing of personal information with third part…
This provision establishes that Zoom's data collection extends to the substantive content of your meetings, not just metadata. Audio, video, transcripts, and in-meeting messages are all within the sc…
The absence of specific retention period commitments for most data categories in the statement means users and enterprises cannot determine from this document alone how long meeting recordings, trans…
This provision establishes that Zoom may share user data including meeting content with law enforcement in response to legal process or in Zoom's assessment of necessity for safety purposes. The scop…
This provision establishes that enabling third-party integrations creates a separate data relationship governed outside Zoom's privacy framework. For enterprise accounts, administrators enabling Mark…
This provision establishes that Zoom's web and product surfaces involve third-party tracking infrastructure for advertising purposes. California residents have CCPA and CPRA rights to opt out of the …
The agreement prohibits use by persons under 16, but does not describe affirmative age verification mechanisms, which may create compliance exposure under COPPA for users under 13 and under applicabl…
This provision governs how EU, UK, and Swiss users' personal data is legally protected when transferred to Zoom's servers or operations outside those regions. Standard Contractual Clauses are a stand…
This provision establishes that Zoom does not commit to a fixed retention period for most personal data, instead tying retention to service needs and legal requirements. The carve-out for legitimate …
This provision establishes a stated restriction on using meeting content for AI model training, which is directly relevant to enterprise and institutional customers with confidentiality or data use o…
This provision establishes Zoom's compliance framework for Children's Online Privacy Protection Act (COPPA) obligations and similar age-based data protection regulations. It creates a notice mechanis…
This provision establishes Zoom's stated age threshold at 16, which is above the 13-year threshold established by COPPA in the United States but aligns with GDPR's default age of digital consent in s…
This provision establishes that individual users on organizational accounts have limited direct privacy controls, and that accountability for many data practices rests with the account administrator.…
This provision operationalizes Zoom's compliance with California Consumer Privacy Act requirements by establishing a specific procedural pathway for California residents to exercise statutory opt-out…
Users may not realize that messages sent through eBay's messaging system are subject to automated review, which has implications for the expectation of confidentiality in buyer-seller communications.
Cross-border data transfers mean your personal information may leave your home country and be processed under different legal standards, which is particularly significant for EU users given GDPR's st…
The inclusion of a dedicated AI section in eBay's privacy notice indicates that user data may be used to train, test, or inform AI systems, which has implications for automated decision-making and pr…
Behavioral tracking across eBay's platform creates a detailed picture of your interests, purchasing patterns, and preferences that is used for advertising targeting, including sharing with advertisin…
The clause establishes a contractual gate for service access based on age and creates a parental consent requirement for the 13-17 user category, establishing xAI's operational framework for minor us…
The optional X login integration permits xAI to access an extensive profile including post history from all accounts you can view on X (both public and protected), date of birth, and location informa…
Given the sensitivity of genetic and health data held in 23andMe accounts, the policy states that two-factor authentication is applied as a baseline security control, which reduces the risk of unauth…
The layered supplement structure means that the applicable privacy terms for any given user depend on their jurisdiction, and the global policy alone does not constitute a complete disclosure of righ…
Without specific retention periods stated in the policy, users cannot easily determine how long their prompt data, account information, or behavioral data will be stored, which limits their ability t…
The age threshold of 16 is higher than the 13-year COPPA threshold used by many US services, which may reflect GDPR Article 8 compliance for EU users, but the policy does not describe what age verifi…
In a corporate transaction, your personal information becomes a transferable asset, and the new entity may have different privacy practices, potentially affecting how your data is used even if you di…
The provision establishes the operational framework for AWS marketing outreach and specifies the procedural method users must follow to cease receipt of such communications. The availability of an op…
This provision establishes a purpose-based and legally required retention framework without specifying concrete retention periods for any category of personal data. The absence of defined retention t…
The opt-out mechanism is practically important because failure to use it means AWS may continue to send promotional communications to your contact details, and understanding how to unsubscribe preven…
The retention standard stated in this provision is broadly defined by reference to service necessity, legal obligations, dispute resolution, and agreement enforcement, without specifying maximum rete…
The authorization to use personal information for promotional communications and personalization, in the context of a financial services platform, engages both GLBA's marketing restrictions and CCPA'…
Age and eligibility requirements determine who can legally access Acorns' financial services and are tied to regulatory compliance for brokerage and banking products.
This provision establishes the operational framework for Acorns' marketing communications practices and defines the scope of user control over promotional outreach. The distinction between promotiona…
This clause implements statutory data subject rights obligations, establishing the procedural mechanism through which individuals may exercise control over their personal data held by Adyen. The avai…
These rights give California residents meaningful control over their financial and behavioral data at Affirm, including the ability to stop data sharing for marketing purposes.
An open-ended retention standard without specific timelines means your financial and behavioral data may be retained indefinitely unless you affirmatively request deletion.
If your personal and financial data is transferred to or stored in other countries, it may be subject to different legal protections than those in your home jurisdiction, and applicable local law may…
Knowing how long Afterpay retains your financial transaction history, account data, and behavioral information matters because longer retention periods mean your data remains available for use, shari…
Buy-now-pay-later services require users to be of legal age to enter financial agreements, and this section addresses what protections apply and what happens if a minor's data is inadvertently collec…
The clause establishes the operational framework for marketing communications and specifies the procedures by which users may decline receipt of promotional materials. This clarifies both the service…
The age restriction is set at 18 globally, which is higher than the COPPA threshold of 13 in the US, but the policy relies on a reactive rather than proactive age verification approach.
Without specific retention periods, users cannot know how long their data is kept after they stop using the service, and the 'legitimate business interests' basis could support extended retention.
The opt-out mechanism is accessible and clearly described, but the policy does not specify how quickly opt-outs will be processed or whether all marketing channels are covered.
The retention period is not specified with precision, meaning data could be held for extended periods without a defined endpoint tied to your specific relationship with Amplitude.
This provision establishes the technical mechanisms through which Amplitude collects behavioral and device data from website visitors and authorizes their use for advertising and personalization, whi…
The policy sets 13 as the minimum age and commits to deleting data from younger users, but does not describe verification mechanisms, which is relevant for platforms that may be accessed by minors.
This provision establishes Amplitude's sub-processor and vendor data sharing framework and the contractual limitation imposed on third-party service providers. The inclusion of data enrichment servic…
This provision establishes Amplitude's data retention framework but does not specify retention periods for particular categories of data, which may be relevant to GDPR Article 5(1)(e)'s storage limit…
GDPR provides the strongest set of consumer data rights of any applicable framework in this policy. EU and UK users have enforceable rights including the right to erasure and data portability, backed…
Family history and DNA services may appeal to younger users or be used with family involvement. Understanding the age restriction and parental consent requirements is important for families using the…
This clause operationalizes compliance with statutory definitions of data sales under privacy regulations such as CCPA. It establishes the baseline practice while creating a mechanism for users to re…
A change in corporate ownership could result in your personal data, including your Claude conversation history, being controlled by a new entity with potentially different privacy practices.
The policy asserts that Anthropic does not sell personal data, which is a specific legal standard under CCPA and similar laws. However, the policy simultaneously discloses collection of advertising i…
While the no-sale claim is a consumer protection, users should note that targeted advertising data sharing is distinct from selling and may still occur unless you affirmatively opt out, including by …
This provision establishes Anthropic's data handling framework by defining what constitutes a prohibited sale under privacy regulations and creating an opt-out mechanism for targeted advertising. The…
A single feedback action such as clicking thumbs up or down on any message triggers retention and storage of the full conversation, which may include personal data shared throughout the session beyon…
Users who delete conversations expecting immediate removal should know that the data may remain in Anthropic's systems for up to 30 days, during which it could potentially be subject to the uses desc…
The policy provides a single email contact for exercising all privacy rights and commits to non-discrimination for rights exercises, which is required under CCPA and consistent with GDPR obligations;…
The policy authorizes disclosure of all categories of personal data described in the document in the event of a merger, acquisition, or bankruptcy, without specifying user notification obligations or…
The policy states that deleted conversations remain on Anthropic's back-end systems for up to 30 days after user-initiated deletion, meaning personal data in those conversations is not immediately el…
The policy sets the minimum age at 18, which is higher than the COPPA threshold of 13 in the United States, and commits to deletion of data from users found to be under 18. The policy does not descri…
This provision establishes that material changes to Anyscale's data processing disclosures may take effect upon posting without a guaranteed direct notification mechanism. Under GDPR, material change…
This provision permits the transfer of personal information to acquirers or transaction counterparties in the context of a corporate transaction. Under CCPA and GDPR, such transfers may require notif…
The clause operationalizes GDPR compliance as an integrated component of Anyscale's data handling framework for affected jurisdictions, establishing that EU/UK users have access to statutory data sub…
Because Anyscale reserves the right to change its data practices without explicit prior consent and with only a website posting as mandatory notice, users may not realize their data rights have chang…
The 16-year age threshold exceeds COPPA's 13-year minimum, aligning with GDPR's default age of digital consent provisions in several EU member states, but the policy relies on a 'knowingly' standard …
The absence of specific retention periods for most data categories means your personal information may be retained indefinitely for broadly stated business purposes, which may be difficult to challen…
This disclaimer means Anyscale takes no responsibility for data practices on linked third-party sites, so users should review those sites' privacy policies separately before sharing any personal info…
This provision operationalizes data subject rights by explicitly authorizing users to initiate requests for data access and modification, while establishing a procedural protection against service de…
Apple operates its own advertising network primarily within the App Store and Apple News, meaning behavioral data collected across Apple services may influence which ads you see, though Apple's state…
This clause operationalizes data subject rights under privacy regulations by establishing the procedural mechanism through which individuals can exercise statutory rights and outlining the verificati…
Financial transaction data is highly sensitive and its collection by Apple through Apple Pay raises questions about retention, security, and potential use, though Apple's stated policy of not linking…
The clause operationalizes Apple's compliance with regional privacy regulations (such as GDPR and similar frameworks) by documenting the specific data subject rights Apple recognizes and the mechanis…
This provision directly addresses the risk of targeted surveillance or profiling of individual users through the AI cloud infrastructure, which is a specific privacy protection relevant to both consu…
This provision creates a publicly auditable, cryptographically signed record of the software running on PCC nodes, which is the primary mechanism by which the other privacy guarantees in this documen…
The hardware root of trust is the foundational technical mechanism that makes the other privacy guarantees enforceable, because it prevents unauthorized or modified software from running on PCC nodes…
The Virtual Research Environment is the primary mechanism by which the privacy and security claims in this guide can be independently verified, and the existence of a formal research pathway and bug …
Security certifications provide some assurance that Asana's data protection practices meet recognized standards, but they do not guarantee that no breaches will occur and do not expand individual leg…
Knowing the specific contact mechanism for exercising privacy rights is practically important. Without a clear process, consumers may not be able to act on their rights under GDPR or CCPA.
This provision establishes the age eligibility framework for Atlassian's services and defines the conditions under which personal information collection from minors is permitted. It operationalizes c…
The policy discloses specific rights and a contact mechanism, which is relevant because the practical scope of these rights may differ depending on whether the user is a direct consumer or accessing …
This provision establishes an open-ended retention standard tied to service purposes and legal requirements rather than fixed timeframes. Under GDPR, the absence of specific retention periods for eac…
This provision reserves the right to transfer personal data to a successor entity in a business transaction without requiring individual user consent, which is a standard commercial clause but has im…
CPRA significantly expanded California privacy rights including the right to correct inaccurate data and limit use of sensitive personal information, and Okta's acknowledgment of these rights means C…
This provision establishes the operational scope of marketing communications the entity may conduct and specifies the procedural mechanism by which users can control receipt of such communications. T…
The policy sets a minimum age of 16 rather than the COPPA threshold of 13 for US users, aligning more closely with GDPR Article 8 standards, but does not describe how under-16 users are actively iden…
Having a named DPO contact and a specific email address provides EU, UK, and Swiss residents with a clear channel to exercise meaningful data rights that are legally enforceable, including the right …
The absence of specific retention periods for most data categories means users cannot easily determine how long their information is kept or plan deletion requests around a known timeline.
The clause operationalizes compliance with federal privacy disclosure obligations, establishing the bank's legal duty to provide transparent accounting of data practices and to communicate statutory …
The policy states that Baseten does not store payment card data directly, which limits Baseten's liability for payment card data breaches, but also means users must review the payment processor's sep…
The policy explicitly states that the service does not respond to Do Not Track signals, which is a disclosure required by CalOPPA; this means users relying on browser-level DNT settings will not rece…
These rights establish enforceable mechanisms through which users can exercise control over personal data processing practices. The provision operationalizes statutory obligations under EU and Califo…
The policy does not specify fixed retention periods for individual data categories, instead relying on a purpose-based standard, which may make it difficult for consumers to know how long their data …
The absence of specific retention periods for most data categories means Betterment retains broad discretion over how long it holds your sensitive financial information, including after you close you…
This provision establishes the minimum age restriction for Betterment's services and confirms that any inadvertently collected data from minors will be deleted.
These rights are meaningful tools for users to manage their personal data, but they are qualified by the phrase 'depending on what laws apply,' meaning the rights available to you depend on your juri…
The provision defines the operational scope of Bluesky's algorithmic curation responsibilities and user control mechanisms. It delineates the boundary between Bluesky's algorithmic recommendations an…
Users who rely on Do Not Track as a privacy control should be aware it has no effect on Bluesky's data collection, and should use alternative methods such as cookie blocking or privacy-focused browse…
Using financial behavior and usage data for marketing and analytics purposes means your transaction patterns and platform activity may influence commercial communications you receive from Brex and po…
The clause establishes the operational parameters for Brex's promotional outreach practices and specifies the mechanism by which users can control receipt of marketing communications while preserving…
Open-ended retention tied to legal and regulatory obligations is common in financial services, but it means your data may be held for extended periods beyond your active use of Brex products.
This retention framework engages GDPR storage limitation principles and CCPA/CPRA deletion right obligations, and the reference to regulatory and accounting requirements reflects Brex's financial ser…
The clause operationalizes statutory protections under EU Digital Services Act requirements by explicitly recognizing and confirming user access to multiple dispute resolution pathways and regulatory…
Privacy policy updates can expand data collection or sharing practices, and while Bumble commits to notifying users of material changes, the definition of what constitutes a material change is not sp…
These provisions operationalize data subject access rights, establishing procedural mechanisms through which users can exercise control over personal information retention and format. The specificati…
These rights are enforceable under California law and give California residents meaningful control over their personal data held by Calendly, including the ability to stop data sharing with advertisi…
This clause establishes the operational framework for Calm's incentive-based data collection practices, specifying that personal information gathered through such programs is valued in proportion to …
Employees using an employer-sponsored Calm subscription should be aware that their employer may receive confirmation that they have enrolled, which could have workplace implications depending on cont…
This provision confirms that privacy rights are not limited to EU or California residents; any user can request access to, correction of, or deletion of their personal data by contacting Calm.
Under California privacy law, entities offering financial incentives must disclose the collection practices, provide opt-in and opt-out mechanisms, and establish that the value exchange is reasonably…
California's CPRA requires companies to disclose when they offer financial incentives in exchange for personal data and to explain the value of that data; this notice fulfills that requirement and gi…
This clause operationalizes statutory obligations under GDPR and equivalent data protection frameworks by identifying the rights holders are entitled to invoke and establishing the procedural mechani…
The policy does not specify defined retention periods for particular data categories, which is relevant to GDPR's data minimization and storage limitation principles and may be a point of inquiry for…
This provision operationalizes Canva's compliance framework with children's privacy regulations, including the Children's Online Privacy Protection Act (COPPA) in the U.S. and equivalent statutory re…
Your contact and usage data collected by Cerebras may be used to target you with promotional communications and to profile your behavior for product development, and you have a right to opt out of di…
This clause means your personal data could end up with a completely different company under different privacy practices, and unlike some other disclosures, this transfer may occur without your specif…
This provision establishes that a minor user can initiate disconnection of parental oversight access, subject to parent confirmation via email. The confirmation requirement means a parent receives no…
While Chase describes security safeguards at a high level, the policy does not commit to specific technical standards or breach notification timelines, which are common in more detailed security disc…
This provision establishes that Chase's digital platforms are not designed for children and signals COPPA compliance intent, which is a baseline regulatory requirement for U.S. online services.
Chase's marketing communications may draw on the combined data profile described elsewhere in the policy, and the opt-out mechanism requires affirmative action by the consumer to stop receiving such …
These rights are the primary mechanism by which individuals can control their personal data held by Checkout.com, and knowing the contact point and applicable rights is essential to exercising them e…
Retention periods for financial and identity data are often long due to regulatory requirements in the payments sector, and understanding how long data is held affects the practical utility of deleti…
Cookies may be used to collect behavioral and technical data about website visitors, which can be used for analytics and marketing purposes, and the choice to block them involves a trade-off with web…
This is a standard COPPA compliance statement; parents should be aware that Chime does not have mechanisms designed for minors and any account opened by someone under 13 would be subject to deletion.
Having a clear and specific contact channel for privacy rights requests is a practical requirement for exercising your CCPA rights or other data access and deletion rights; this provision gives you t…
A deletion request may not result in complete removal of your data if Chime determines it has legal or business reasons to retain certain records, which is a standard but important limitation on the …
These are legally enforceable rights that ClickUp must respond to within statutory timeframes, giving EU and UK users significantly stronger protections than users in many other regions.
If a child under 13 creates a ClickUp account, the company commits to deleting that data, but enforcement depends on ClickUp detecting the underage user, which may not always occur in practice.
Cookie and tracking data collection is subject to consent requirements in the EU under the ePrivacy Directive and GDPR, and the policy states that a cookie consent tool is available, which is relevan…
The absence of specific retention periods means personal data including submitted inputs, account data, and usage data may be retained indefinitely as long as the account is active or legal obligatio…
Security certifications provide independent third-party validation that a vendor's data security practices meet defined standards. For enterprise customers, particularly in regulated industries, veri…
This provision establishes the procedural mechanism through which users may invoke jurisdiction-specific privacy rights and establishes Cohere's obligation to process such requests according to appli…
This establishes Copy.ai's COPPA compliance posture for the US, though the notice does not describe age verification mechanisms used to prevent under-13 access, which is relevant for regulators asses…
Users should be aware that their personal data, including learning activity and communications, may be disclosed to law enforcement or government authorities in response to legal process.
This provision discloses Coursera's security posture using a standard industry disclaimer that appropriate measures are in place but absolute security cannot be guaranteed. The document does not spec…
This provision establishes Coursera's COPPA compliance posture by prohibiting under-13 user registration and committing to data removal upon discovery. The policy does not describe specific age-verif…
This provision gives minors a mechanism to retract publicly posted content, which is required under California law, but the caveat that removal is not comprehensive means third-party copies or cached…
This commitment directly limits one of the most common ways consumer data is monetized; users can rely on the stated promise, though enforcement depends on Craigslist's internal practices and applica…
Users who rely on their browser's Do Not Track setting as a privacy control should be aware that Craigslist explicitly disregards this signal, though Craigslist separately states it does not use trac…
This provides California residents with specific, actionable rights over their personal data, backed by California law, with a direct submission mechanism provided in the policy.
This disclosure addresses data sovereignty concerns relevant to users and enterprises subject to regulations or policies restricting data flows to or processing by entities in certain jurisdictions; …
This provision describes a temporary server-side file caching mechanism with a client-generated encryption model, and conditionally states that cached content is not used as training data, but only w…
The SOC 2 Type II attestation provides independent third-party validation of Cursor's security controls, which is a material input for enterprise vendor risk assessments and procurement decisions.
The document states account deletion is available at any time without restriction; this is relevant to users exercising data deletion rights under GDPR, CCPA, or similar frameworks, though the docume…
This provision addresses CCPA and US state privacy law opt-out rights directly; by stating it does not engage in these practices, Anysphere asserts that no opt-out mechanism is required for these spe…
These access control disclosures are relevant to enterprise vendor risk assessments and are commonly evaluated in SOC 2 audits; they indicate the organizational controls in place to limit unauthorize…
The subprocessor list and annual review commitment are operationally significant for enterprise customers who need to track third-party data flows for GDPR Article 28 compliance or internal vendor ri…
The provision describes the operational infrastructure for file handling and establishes limitations on data retention and use. By specifying temporary caching with client-controlled encryption and e…
The 16-year age threshold is consistent with CPRA requirements and several state privacy laws, though the US federal COPPA standard applies to children under 13 for certain online services.
These rights are legally enforceable in jurisdictions like California, Colorado, and the EU, meaning Databricks is required to respond to valid requests within specific timeframes and cannot penalize…
Material changes to how your data is processed may take effect without active notification, meaning you should periodically check the notice for updates rather than relying on proactive notification.
Open-ended retention language means your data could be kept indefinitely for broad purposes including legal defense, which may conflict with data minimization principles under GDPR and similar framew…
The policy sets a minimum age of 16 rather than the COPPA threshold of 13, which means it applies a stricter age threshold for consent purposes; this is operationally relevant for GDPR compliance, wh…
The policy reserves the right to update its terms at any time with minimal mandatory direct notice, relying primarily on a date change; under GDPR, material changes to processing purposes may require…
This clause establishes the mechanism and timeline for privacy policy modifications, defining how the entity will communicate changes to users and setting expectations for user awareness of evolving …
The policy expressly disclaims any guarantee of security, which is a standard industry disclaimer; users should understand that no absolute protection against data breaches is promised.
The policy does not specify fixed retention periods for individual data categories, instead relying on purpose-based retention criteria; this approach is consistent with GDPR storage limitation princ…
The provision establishes Datadog's recognition of statutory data subject rights applicable to EU and UK residents under GDPR and UK GDPR frameworks. This acknowledgment creates operational obligatio…
These rights give users meaningful control over their personal data held by DeepL, including the ability to request deletion of account information and any retained translation inputs.
This provision is a key differentiator between free and paid tiers and is materially important for users and organizations handling confidential, legally privileged, or regulated content.
This provision discloses that payment card data is handled by external payment processors operating under PCI DSS compliance standards, rather than being stored directly by DeepL. The specific paymen…
This provision directly addresses AI training data practices for paid subscribers, establishing that submitted content is excluded from model training use. This distinction is operationally significa…
Payment information is sensitive financial data, and understanding how it is collected and stored (including whether it is passed to third-party payment processors) is important for financial securit…
When your data is shared with subprocessors, the security and privacy practices of those third parties become relevant to how well your data is protected, even if they are contractually bound.
This provision enumerates the data subject rights DeepL recognizes and the mechanism through which users may exercise them. The right to lodge a supervisory authority complaint provides a direct regu…
Retention periods determine how long your personal information remains in Delta's systems and available for use or potential disclosure; the lack of specific timeframes in the main policy and relianc…
The policy does not specify fixed retention periods for most data categories, meaning data could be retained for extended periods based on broadly defined business needs, which affects the practical …
This provision reflects DocuSign's stated policy to restrict service access to adults, which establishes an age-based eligibility requirement and defines the company's position on minor data collecti…
Marketing communications from DocuSign's partners extend the reach of your contact data beyond DocuSign itself, and understanding the opt-out mechanism helps you control how your information is used …
The clause operationalizes data subject rights required under privacy regulation, establishing the mechanism through which users exercise control over personal information accuracy and portability. I…
The provision operationalizes the exercise of statutory privacy rights by designating specific submission channels and establishing an identity verification requirement as a procedural prerequisite t…
The policy authorizes disclosure of personal information to law enforcement and government authorities in response to valid legal process and for investigation of alleged illegal activity, and also p…
The agreement asserts that users must be at least 18 years old, which means use of the Services by minors is prohibited; this also affects the enforceability of the agreement against underage users.
These rights are legally enforceable under California law and provide California residents with more control over their data than users in most other US states, including the right to stop Dropbox fr…
A corporate transaction could result in your data moving to a company with different privacy practices, values, or business models, and the notification commitment, while present, does not give you a…
If someone else accesses your account because your password was compromised, you remain responsible for any activity that occurs unless and until you report the unauthorized access to Dropbox.
These rights are enforceable under GDPR and UK GDPR and provide EU, UK, and Swiss users with meaningful legal recourse if Dropbox does not respond adequately to data requests, including the ability t…
The explicit acknowledgment of the right to complain to a data protection supervisory authority is a legally required disclosure under GDPR and reflects standard practice in jurisdictions with active…
This provision establishes that the company's privacy practices operate under third-party audited standards for information security and privacy management. The certification structure creates an ext…
ISO 27701 certification is a recognized international benchmark for privacy information management, providing external validation that D&B's privacy controls meet a defined standard, though certifica…
The age threshold is set at 16 rather than 13, which is more protective than the US federal minimum under COPPA, and aligns with GDPR Article 8 requirements for children's data in EU member states th…
Third-party tracking on the Duo website means your browsing behavior may be shared with advertising and analytics partners outside of Cisco, and you may be tracked across websites if third-party cook…
The policy does not specify fixed retention periods for different categories of data, which under GDPR requires that retention periods or criteria be communicated to users; the absence of specific ti…
The policy states that third-party login integrations provide Duolingo with access to data held by platforms such as Google, Facebook, and Apple, which may include data beyond what a user would provi…
The policy commits to advance notification of material changes by email or website notice, but does not specify the notice period before changes become effective, and continued use of the service aft…
This provision establishes the operational framework through which Duolingo acknowledges and implements statutory data subject rights mandated by GDPR and UK data protection law, creating documented …
The certification establishes the legal basis for EA to process and transfer EU residents' personal data to U.S. servers and systems. This framework provision determines the regulatory compliance str…
These rights are legally enforceable in the EU/UK and Switzerland, and Egnyte is required to respond to requests and provide data portability in machine-readable formats within regulatory timeframes.
Open-ended retention language based on business necessity rather than fixed timeframes can mean personal data is held for extended periods, which affects deletion rights and security exposure.
This provision establishes the procedural mechanism through which EU, UK, and Swiss users may exercise their statutory data rights under GDPR and equivalent frameworks. The enforceability and respons…
The policy states material changes will be communicated by email or website notice, but does not specify a minimum advance notice period, which means users may have limited time to review changes bef…
This provision establishes a COPPA-aligned age restriction and deletion commitment for under-13 user data, which is a standard compliance baseline; however, the policy does not describe age verificat…
This provision establishes ElevenLabs' COPPA compliance posture for U.S. users. The absence of a higher age threshold (such as 16 for GDPR purposes) may be relevant for EU/EEA compliance where member…
This provision establishes that ElevenLabs will disclose user data to authorities when legally required or permitted, which is relevant to users' understanding of the privacy expectations associated …
COPPA requires verifiable parental consent before collecting personal information from children under 13. However, given that Equifax holds credit and financial data about minors in certain contexts …
The 18-and-over restriction means Eventbrite's terms do not contemplate or protect minors as users, and parents or guardians should be aware their children should not be creating accounts or purchasi…
The absence of specific retention periods for most data categories means users cannot easily determine how long their personal information is held, limiting their ability to make informed decisions a…
Personal data can transfer to a third party whose privacy practices may differ from Fastly's without you receiving prior individual notice or having a right to object, which is a common but material …
These rights give EU and UK residents significant control over their personal data and create corresponding legal obligations for Fastly to respond within statutory timeframes. They can be exercised …
In the event of a corporate acquisition or merger, your Figma account data, design files, and personal information could be transferred to a new company whose privacy practices may differ from Figma'…
The retention standard of 'as long as necessary' is broad and gives Figma significant discretion over how long your data, including design file content, is kept after you stop using the service.
This commitment is significant for developers who need to ensure that sensitive API interactions are not retained on Fireworks infrastructure, which is relevant for legal, security, and confidentiali…
For developers and businesses, this is a core assurance that proprietary prompts and API inputs remain confidential and are not leveraged to improve models that could benefit competitors or expose se…
Users who rely on browser-level privacy controls to limit tracking across the web should know that Fireworks AI does not respond to those signals, meaning tracking technologies such as cookies and an…
A business transfer could result in your personal data being controlled by a different company with different privacy practices, without requiring your affirmative consent to the transfer.
These rights give users meaningful control over their personal data, but exercising them requires knowing they exist and actively contacting Fly.io to invoke them.
This provision establishes Ford's COPPA compliance posture by disclaiming intentional collection of personal information from children under 13 and committing to deletion if such data is inadvertentl…
This establishes a baseline compliance posture under COPPA; however, Ford's connected vehicle data collection may indirectly capture information related to minors who are passengers or secondary driv…
When you click links to dealer websites, financing partners, or connected app integrations from Ford's platforms, your data practices are governed by those third parties' policies rather than Ford's.
Open-ended retention tied to account activity means your health and location data may be held indefinitely if you remain a Garmin user, and some data may persist even after account deletion due to le…
Because the Privacy Policy is incorporated by reference rather than reproduced, users must consult a separate document to understand what data GEICO collects, how it is used, and what rights they hav…
This provision establishes an age minimum and signals that Gemini does not intend to collect data from minors, which is consistent with COPPA requirements for online services directed at children or …
The provision operationalizes Gemini's authority to conduct direct marketing outreach while establishing procedural pathways for users to restrict receipt of such communications through opt-out mecha…
The access-restricted nature of bridge letters and detailed audit reports means enterprise customers must submit a formal access request before reviewing documents that may be critical to their compl…
CSA STAR Level 2 certification provides cloud-specific security assurance that is frequently referenced in enterprise cloud procurement policies and may satisfy cloud security requirements in data pr…
ISO 27001 certification is a commonly referenced baseline for information security vendor assessments and may be required by enterprise procurement policies or contractual obligations with customers …
The under-13 prohibition reflects COPPA compliance obligations. Account termination without prior notice applies to underage accounts, which means any content, repositories, or project history associ…
These provisions establish operational procedures for GitHub to respond to user requests regarding personal data management and portability. The clause creates enforceable mechanisms for data access,…
This provision establishes a tiered age requirement: 16 as the minimum with parental consent, and 18 for the Google Pay app. The clause acknowledges that the minimum legal age may be higher in certai…
This clause governs the disposition of advertiser personal data at the end of the service relationship, implementing the GDPR Article 28(3)(g) requirement. Advertisers should understand the procedure…
This clause satisfies the GDPR Article 28(3)(h) requirement that processor agreements include an audit right. The practical scope and logistics of exercising this right against a large cloud and adve…
This provision discloses jurisdiction-specific data subject rights and routes their exercise through Google's privacy tools, establishing the procedural framework for rights requests under GDPR, UK G…
Parents and guardians should be aware that Groq has no age verification mechanism described in this policy, relying instead on a reactive approach to removing children's data if notified.
Consumers engaging with Groq's support team should be aware that their conversations, which may include sensitive account or billing information, may be recorded and retained.
Federal law under COPPA prohibits collecting data from children under 13 without verifiable parental consent; if a minor accesses the platform, the policy's reliance on a 'knowingly' standard means a…
Tracking technologies on a payroll and HR platform may capture behavioral data alongside sensitive employment information, and users may not be aware of the extent of this tracking.
Without specific retention periods disclosed for sensitive data categories like SSNs and bank account information, users cannot easily assess how long their most sensitive data remains in Gusto's sys…
The Children's Online Privacy Protection Act (COPPA) imposes strict requirements on the collection of personal information from children under 13, and a company's compliance with these standards dire…
Without specific retention periods stated, it is difficult for individuals to know how long their data will be held or to anticipate when deletion might occur without a formal request.
This provision authorizes use of personal information for third-party promotional communications, which engages CAN-SPAM Act requirements in the US and GDPR consent or legitimate interests analysis f…
This provision reserves the right to modify privacy practices with notification that may consist solely of a webpage update, without guaranteeing direct individual notice for material changes, which …
DNT signal compliance provisions establish the operational procedures governing whether and how a service honors browser-based privacy preferences. This determines the scope of tracking and data coll…
This disclosure is operationally relevant to users and regulators because it describes the absence of algorithmic content ranking or behavioral profiling in content display, which is a notable charac…
This provision is a relatively specific disclosure of Do Not Track compliance and a restriction on third-party advertising data collection without separate consent, which provides a degree of user pr…
This provision discloses a California-specific right to request information about third-party direct marketing data disclosures, exercisable once per year by email, which is a limited but actionable …
This provision establishes a clear data handling boundary that limits the commercial uses to which personal data may be put. It defines a specific restriction on monetization practices involving pers…
The absence of specific retention periods means your data may be held indefinitely under broadly defined business or legal purposes, which is a common but notable practice that limits your practical …
The absence of specific retention periods makes it difficult for users to know how long their prompts, images, and account data are stored, and creates compliance ambiguity under GDPR's data minimiza…
The policy relies on a reactive rather than proactive age verification approach, meaning children's data may be collected before the company becomes aware of a violation, which is a common but operat…
These are legally enforceable rights under GDPR and equivalent laws, and knowing how to exercise them is important for users who want to control their personal data held by Ideogram.
The policy reserves broad rights to update terms with relatively limited advance notice obligations, and does not specify how much advance notice will be provided before material changes take effect.
The opt-out mechanism for marketing emails is standard, but users should be aware that opting out of marketing does not affect other data processing practices described in the policy.
When Instacart links to retailer websites, partner sites, or other external platforms, the privacy practices of those sites are governed by their own policies rather than by Instacart's, meaning data…
The provision establishes that Instacart's privacy policy incorporates a framework of consumer choice mechanisms and opt-out procedures. This structure creates an operational requirement for the enti…
This provision establishes the age threshold Jasper applies for child data restrictions at 16 rather than the COPPA threshold of 13, which creates a broader stated restriction aligned with GDPR's Art…
This provision establishes a minimum age threshold for account creation that applies globally, with a jurisdiction-specific alternative referencing local age of majority, which affects eligibility an…
California residents have legally enforceable data rights under CCPA that go beyond what users in other US states may have, including the right to know exactly which categories of personal data are c…
This is a meaningful protection for child users that goes beyond minimum COPPA requirements; it confirms that the free educational platform does not monetize children's data through behavioral advert…
Your personal data flows to merchants when you use Klarna at checkout; the merchant's own privacy practices then govern how that data is used, which may be different from Klarna's own policy.
These provisions implement statutory data subject rights under regulations like GDPR and similar privacy frameworks, establishing formal mechanisms through which individuals can exercise control over…
Knowing and exercising these rights lets you check what data Klarna holds about you, correct errors that might affect your credit assessment, and delete data you no longer want the company to retain.
EU and UK users have enforceable rights under GDPR and UK GDPR including data access, erasure, portability, and the right to object to processing, and the policy provides a contact mechanism and ackn…
The policy reserves the right to make changes that will apply to previously collected data and relies on email notification or website posting as the primary mechanism for informing users of material…
California residents can exercise rights under CCPA including data access, deletion, and opt-out of sale, and the policy provides a direct contact mechanism at privacy@langchain.dev for submitting th…
Children's data provisions are operationally significant because they establish compliance frameworks with children's privacy regulations (such as COPPA in the United States) and define the procedura…
Analytics and advertising cookies collect behavioral data that may be shared with third-party platforms; the effectiveness of this control depends on whether the consent mechanism is properly configu…
Purchases by minors may be considered legally invalid, and Ledger does not appear to employ active age verification at checkout beyond this self-declaration.
This provision establishes a purpose-based retention framework without specifying fixed retention periods for different data categories, which may affect compliance with GDPR storage limitation requi…
This provision establishes the tracking technology framework, including the categories of technical and behavioral data collected, and references a cookie consent tool as the primary mechanism for us…
Knowing your data rights is essential for controlling how your personal information is used, and the existence of regional-specific rights means the protections available to you depend significantly …
While Lime states it does not store full credit card numbers, billing addresses and payment metadata are retained, and your payment data is processed by third-party processors whose security standard…
This provision establishes a technical security requirement for advertiser landing pages, extending LinkedIn's policy obligations to the external sites linked from ads. Compliance requires advertiser…
These rights allow members to review what data LinkedIn holds, correct inaccuracies, request deletion, or limit certain uses; the availability and scope of these rights varies by jurisdiction, with E…
These rights give you a concrete way to find out what data Loom holds about you, ask for it to be deleted, or stop certain types of processing, but the practical availability of these rights depends …
The policy does not specify concrete retention periods for different categories of data, meaning users cannot easily determine how long their uploaded content, conversations, or account data will be …
EEA and UK users have legally backed rights to control their personal data held by Luma, including the right to request deletion and to lodge a regulatory complaint if those rights are not respected.
A standard COPPA disclaimer, this provision establishes that Lyft does not have specific mechanisms to verify user age beyond a policy assertion, and the 'knowingly collect' standard is the minimum r…
The age restriction protects minors from being bound by these terms and from using the service; however, the agreement relies on user self-representation rather than verified age checks, which may cr…
Under GDPR and similar frameworks, companies must identify a specific legal basis for each type of data processing; the Legal Bases Charts are the primary disclosure mechanism WBD uses to fulfill thi…
A detailed transaction history tied to your identity enables McDonald's and its partners to build a behavioral profile over time that can be used for targeted marketing and potentially shared with th…
The opt-out mechanism described here relies on industry self-regulatory tools operated by the Digital Advertising Alliance and Network Advertising Initiative, which are voluntary frameworks and may n…
Linking a third-party account to Medium means that data flows from that platform to Medium, potentially expanding the scope of personal information Medium holds about you beyond what you provided dir…
The absence of defined retention periods for specific data categories may present a compliance consideration under GDPR's storage limitation principle, which requires that personal data be kept no lo…
This provision establishes Medium's COPPA compliance posture, but the policy does not describe the verification mechanisms used to prevent collection of under-13 data, which is an operational detail …
This provision establishes that material changes to data practices may be implemented with only a date revision as mandatory notice, which may be insufficient to satisfy GDPR requirements for transpa…
Your financial data is involved in this transaction, and understanding that it flows through a third-party processor helps you assess the security and privacy risks associated with paying on the plat…
Inferred data creates profiles beyond what you directly provide, meaning Mercury may hold conclusions about your business or personal characteristics that are derived from behavioral signals rather t…
These are legally enforceable rights under California law, meaning Mercury is required to honor them within defined response timelines, giving California-based business owners meaningful control over…
There is no fixed maximum retention period stated in the policy, meaning some categories of financial and personal data could be held for extended periods tied to legal and regulatory timelines.
Without the actual policy language, parents and compliance professionals cannot assess what rights are granted, what data is collected about children, or what obligations Meta assumes under the Messe…
While the no-sale commitment addresses one category of concern, the policy still permits broad sharing with affiliates and service providers, meaning data can flow to third parties through channels o…
This is the primary practical privacy control available to MetaMask users; exercising it can materially reduce the amount of identity-linked financial data collected by Consensys, but it requires tec…
The statement does not commit to specific retention periods across all data types or products, meaning that some categories of personal data may be retained for extended periods depending on the serv…
Transparency and explainability commitments describe what information Microsoft states it will provide about AI system behavior, which is relevant to consumers and enterprises seeking to understand o…
The statement commits to notifying users of material changes before they take effect, either by posting a prominent notice or sending a direct notification, which is relevant to users who want to tra…
The provision establishes Microsoft's authorization to provide monitoring and control capabilities as part of the service offering, enabling family account administrators to exercise supervisory func…
This principle describes Microsoft's stated commitment to privacy protection in AI systems, which is relevant to consumers whose personal data may be processed by Microsoft AI products.
Non-material changes to the privacy policy can take effect with only a date change and no direct notification, meaning users who do not regularly review the policy may miss changes that affect their …
Because retention periods vary significantly by data type and product and are not fixed, users cannot determine with certainty how long specific categories of their personal data will be held by Micr…
The commitment to notify users of law enforcement data requests, where legally permitted, is a materially distinct disclosure practice that may provide users with an opportunity to seek legal counsel…
The policy explicitly enumerates GDPR and UK GDPR data subject rights and provides a mechanism for exercising them through account settings, giving EEA and UK users enforceable controls over their pe…
The clause operationalizes statutory CCPA obligations by designating a contact mechanism and specifying the four core rights California residents may exercise under state law, establishing the proced…
The policy establishes age 13 as the minimum age threshold and commits to deleting data collected from underage users without parental consent, consistent with COPPA requirements in the United States.
The policy reserves the right to modify its terms and relies on email or website notice for material changes, meaning users who do not monitor their email or the website may miss updates that affect …
This provision places affirmative obligations on users regarding third-party personal data, which aligns with broader privacy law obligations and creates a conduct basis for account enforcement if vi…
This clause establishes Midjourney's obligation to recognize and facilitate statutory data subject rights mandated by EU and UK data protection regulations. The provision operationalizes compliance w…
The policy states that data subject rights are exercised through Microsoft's central privacy dashboard rather than through Minecraft-specific channels, which affects how users locate and exercise the…
If you provide Miro with your email address, you may receive marketing messages. The opt-out mechanism should be accessible and promptly honored, and Miro's ability to send marketing to business cont…
Cookies and tracking tools collect behavioral and usage data that Miro may use for analytics, advertising, and product improvement. Users have varying levels of control over this tracking depending o…
This provision establishes the procedural mechanism for data subject rights requests, which is a direct compliance obligation under GDPR, UK GDPR, and CCPA/CPRA, and determines the operational workfl…
The use of a separate Cookies Policy means that tracking technology practices are documented outside the main privacy policy, requiring users to review both documents to understand the full scope of …
You have formal rights over your personal data held by Mistral AI, and the company has designated a DPO as a named point of contact, which is a meaningful accountability mechanism under GDPR.
Developers and researchers who download Mistral AI models from Hugging Face should be aware that doing so triggers personal data collection by Mistral AI, even if they have not created a direct Mistr…
Shareable conversation links can spread beyond your intended recipient without any access control, which means sensitive or personal information in a shared conversation could be viewed by unintended…
The clause operationalizes location-based service personalization as a standard practice while creating a procedural pathway for users to decline this specific data processing activity without servic…
Your IP address, which can reveal your approximate geographic location, is used to modify the content of AI responses you receive, creating a form of location-based profiling that you may not expect …
This provision operationalizes Mistral AI's GDPR compliance framework by explicitly defining the types of personal data subject to rights requests and establishing a procedural mechanism for users to…
A corporate acquisition could result in your personal data being transferred to a new company with different privacy practices, and the notice commitment, while helpful, may not provide a meaningful …
The policy establishes an age-based restriction on data collection consistent with COPPA in the US; the restriction applies to services not directed at children, but does not address the full range o…
The policy does not specify defined retention periods for most categories of personal data, instead relying on a purpose-based standard; this approach may require evaluation under GDPR's storage limi…
The provision establishes a bifurcated communication framework in which marketing communications are subject to user opt-out, while transactional and service-related messages continue independently o…
Without the full policy text, consumers and compliance teams cannot assess what specific data practices, rights, or obligations Databricks has disclosed.
This clause creates a procedural mechanism for exercising data subject rights under privacy regulations. By designating a specific contact and email address, the provision establishes the operational…
Nintendo is not required under this policy to directly notify users of changes via email or in-app alert, which means material changes to data practices could take effect without users being actively…
Nintendo's qualified security assurance means that in the event of a data breach, the company's contractual exposure may be limited by this disclaimer, and users should understand that no absolute se…
For EU and UK users, transferring health data to the US requires specific legal safeguards, and the adequacy of those safeguards is a live area of regulatory scrutiny.
Without specific retention periods, users cannot know how long their sensitive health data will be held, making it harder to assess long-term privacy exposure.
The ability to change data practices with notice but without requiring affirmative consent means Noom's practices for handling your health data could evolve over time.
Given the health-focused and potentially sensitive nature of Noom's data collection, clear age restrictions and COPPA compliance are important protections for minors.
These rights give California residents meaningful control over their health and personal data held by Noom, including the ability to demand deletion or stop data sharing with advertisers.
GDPR provides some of the strongest personal data protections globally; EU and UK users of Noom can exercise these rights to control how their sensitive health data is processed.
The retention provision uses open-ended language ('as long as we reasonably need it') without specifying retention periods for different data categories, which creates uncertainty about how long spec…
This provision authorizes transfer of user personal data to a successor entity in a corporate transaction without requiring individual user consent at the time of the transaction, which is a standard…
The policy establishes a minimum age of 13 for use of Notion's services and commits to deleting data from under-13 users upon discovery, engaging COPPA obligations for US-based operators.
The absence of specific, published retention periods for different data categories may make it harder for individuals to understand how long their data is held and may create compliance questions und…
These rights give EU, UK, and Swiss residents meaningful control over their personal data held by Okta in its capacity as controller, including the ability to request deletion of marketing profiles o…
The clause establishes Okta's authorization to conduct direct marketing outreach while establishing an opt-out mechanism. It distinguishes between marketing and transactional communications, permitti…
Because policy changes are effective upon posting, users who do not actively monitor the policy may be subject to new data practices without realizing it, even if direct notification is not sent.
Tracking technologies collect behavioral and device data that can be used for analytics and targeted marketing, and users should review the Cookie Notice and adjust their preferences to limit trackin…
The clause operationalizes data subject rights under privacy regulations by designating a contact point (privacy@oneidentity.com) and establishing a compliance timeline tied to statutory requirements…
The policy does not specify fixed retention periods for individual data categories, which means the duration for which conversation content, uploaded files, and account data may be retained is not pr…
This provision implements a standard GDPR Article 28(3)(b) requirement and provides operators with a contractual assurance that internal access to their data is subject to confidentiality controls. I…
This provision establishes the operator's right to data deletion or return at contract end, which is a standard GDPR Article 28(3)(g) requirement. Operators should confirm what process applies and wh…
Voluntary government commitments of this type may influence how regulators evaluate OpenAI's practices and could become reference points in future enforcement or regulatory proceedings, though they a…
This provision discloses the security assurance framework applicable to enterprise data, which is a standard due diligence reference point for vendor security assessments and regulatory compliance pr…
SOC 2 Type 2 certification provides enterprise customers with third-party verification that OpenAI's security controls have been tested over a defined period, which is commonly required in vendor sec…
This provision grants operators an audit right, which is required under GDPR Article 28(3)(h). The practical value of this right depends on what 'reasonable notice' means and whether OpenAI's standar…
The availability of these rights is conditional on the user's location, meaning not all users globally have the same set of enforceable rights under this policy.
This provision authorizes transfer of user personal data, including conversation content, to unknown third-party entities in the event of a corporate transaction, potentially under different privacy …
The policy authorizes unrestricted use and sharing of aggregated or de-identified data; the practical privacy implications depend on the robustness of the de-identification process, which the policy …
Data portability provisions establish operational procedures for users to obtain copies of their information and transfer it to other services. This mechanism affects how OpenAI manages user data req…
The policy authorizes unrestricted use and sharing of data described as de-identified or aggregated; the practical scope of this permission depends on whether the de-identification process meets tech…
SOC 2 Type 2 certification is a commonly required vendor security assurance standard in enterprise procurement and is relevant to due diligence under GDPR Article 32 (appropriate technical and organi…
This provision establishes age-based eligibility conditions for service access. The minimum age of 13 engages COPPA obligations for users under 13, while the requirement for parental consent for user…
The policy disclaims absolute security guarantees for personal data, which is standard industry language, but means users should not rely on this policy as a contractual security commitment in the ev…
This provision establishes the framework under which OpenSea holds user data after account closure or inactivity, with retention periods tied to legal obligations and business purposes rather than fi…
This provision establishes the age restriction applicable to the platform and the policy's scope with respect to minors, engaging COPPA obligations for users under 13 in the United States and analogo…
This is a user-protective commitment that goes beyond what most privacy policies assert, though its practical enforceability depends on the jurisdiction and the nature of the legal order received.
This provision establishes the operational mechanism through which users may exercise GDPR, UK GDPR, and CCPA/CPRA data subject rights, centralizing all requests through a single email address. Compl…
These rights are legally enforceable under GDPR and UK GDPR, and Palantir is required to respond within specific timeframes — typically 30 days — or provide a reasoned refusal.
The use of 'legitimate interests' rather than consent as the sole basis for marketing emails is an area of active regulatory debate in the EU, where some supervisory authorities consider direct marke…
Indefinite or lengthy data retention means that detailed records of your viewing habits, payment history, and account activity may be stored by Paramount+ for years after you stop using the service.
Without the rendered policy text, neither consumers nor compliance professionals can confirm what data practices, user rights, or legal obligations Patreon's privacy policy actually contains.
This provision conditions advance notice of privacy policy changes on whether applicable law requires it, meaning that in jurisdictions or for changes where no legal notice obligation applies, the up…
This provision operationalizes Peloton's compliance framework with varying data subject rights under different privacy regimes (including GDPR, CCPA, and other state/national laws). The jurisdiction-…
Setting the age threshold at 16 rather than 13 exceeds the minimum COPPA requirement and aligns with GDPR's default age of digital consent, which provides broader protection but also means Peloton sh…
Without a requirement for direct notification (such as email), users may not be aware that their data is now being collected or used in new ways unless they proactively revisit the policy page.
Automatic collection of IP address and location data means Perplexity builds a profile of your usage patterns even if you never create an account or actively provide personal information.
This clause implements the GDPR Article 28(3)(b) personnel confidentiality requirement and is relevant to customers assessing insider risk controls within Perplexity's workforce.
The policy states marketing communications are sent and that an opt-out mechanism is available, which is relevant to users who do not wish to receive promotional emails from Pinecone.
Plaid's provision of a dedicated data portal is a notable consumer protection that allows you to see and delete the financial data Plaid holds, which is particularly important given how broadly Plaid…
The provision operationalizes data subject rights commonly required under privacy regulations such as GDPR and CCPA by establishing a framework through which users can exercise control over their per…
Users who rely on browser-level Do Not Track settings as a privacy control should be aware that this signal has no effect on PlanetScale's data collection practices.
Parents should be aware that minors are not permitted to use Poshmark, and any account opened by a minor violates the terms and may be terminated.
Providing your email address to get a quote or manage your policy may also result in promotional emails unless you opt out, which is relevant if you want to limit unsolicited marketing contact.
Your sensitive financial and identity data held by a broker-dealer is accessible to law enforcement through subpoenas, court orders, and national security processes, and the policy does not commit to…
The inclusion of partner company promotions means your contact information may be used to market products beyond Public's own services, and you need to actively opt out if you do not want to receive …
Users may not notice policy changes if they do not regularly check the policy page, yet the updated terms may apply to data already collected or to future data collection practices.
The absence of specific retention periods makes it difficult for users to know how long their data is held, and GDPR requires organizations to define and communicate retention periods with greater sp…
The explicit exclusion of users under 13 engages COPPA compliance obligations, and the age-of-majority requirement may vary by state or province, creating variable access thresholds across jurisdicti…
The under-16 threshold is higher than COPPA's 13-year minimum in the U.S. but the policy relies on a reactive deletion process rather than any age verification mechanism.
The absence of specific retention periods for different data categories means users cannot readily assess how long their code, prompts, usage data, or account information will be retained, which is r…
Cookies and tracking technologies may be used to collect behavioral and device data that is shared with advertising and analytics partners; browser-level cookie blocking is disclosed as a control mec…
This provision authorizes transfer of personal information to a new entity in the event of a business transaction; the notice requirement provides some procedural protection, but the practical abilit…
As a regulated financial services company, Revolut is subject to legal obligations including anti-money laundering, sanctions screening, and regulatory reporting requirements that may require disclos…
Knowing your rights and the practical steps to exercise them means you can actively control what Revolut knows about you and how it uses that information.
The clause operationalizes Revolut's obligations under data protection regulations by establishing procedural mechanisms through which users can assert control over personal data processing. The prov…
While end-to-end encryption protects your message privacy, it also means Revolut cannot assist you if you need to retrieve messages for a dispute or legal purpose, and your messages will be permanent…
This is a meaningful consumer protection commitment that goes beyond a legal minimum, particularly relevant for users aware of data broker practices in the financial technology industry.
Revolut uses your transaction and behavioural data to identify and send you product offers, which means your financial behaviour directly influences the commercial communications you receive.
A commitment not to sell personal data is meaningful for consumers concerned about their financial and identity data being monetized by third-party data brokers, though the policy separately permits …
If a minor uses Ring services without proper parental consent, the parent or guardian may nonetheless be bound by the terms and held responsible for the minor's use, including any data collected from…
Default encryption means your video footage has a baseline level of protection against unauthorized interception during transmission and unauthorized access in cloud storage, without requiring techni…
This provision establishes that Ring offers user-facing controls over video and data access, which is relevant to both privacy protection and the exercise of data subject rights under laws like GDPR …
Knowing how to exercise your data rights is practically important, and Riot's provision of a dedicated portal is a meaningful consumer-facing mechanism for submitting requests.
The retention period is defined broadly by reference to legal obligations and dispute resolution rather than a fixed timeframe, meaning sensitive financial and identity data may be retained for exten…
This provision establishes a specific 24-hour data minimization practice for parental email addresses that are not acted upon, which reflects a COPPA-aligned data minimization commitment and reduces …
The provision creates a procedural framework for regulatory compliance in jurisdictions requiring organizations to designate representatives for data subject inquiries and supervisory authority commu…
This provision establishes Rumble's stated security posture and its limitation of representations regarding data security outcomes; the 'reasonable measures' standard is the operative benchmark for F…
How long your data is kept and where it is stored affects your ability to exercise deletion rights and the risk that your information could be exposed in a data breach.
This provision defines the baseline categories of personal data that RunPod collects and processes, which establishes the scope of data subject rights requests and the perimeter of any applicable dat…
This provision permits policy changes to take effect upon posting without requiring direct outbound notification to users, which may create a practical gap in user awareness of material changes to da…
Having a clear contact point for privacy inquiries is a baseline requirement under GDPR and a good practice under CCPA; users should know this channel exists if they need to exercise data rights.
Referral programs can involve sharing of personal identifiers between users or with third-party referral tracking systems, which may not be obvious to participants.
A consent-first default configuration is a positive privacy practice that means tracking should not activate until you explicitly agree, particularly for EU users subject to GDPR and the ePrivacy Dir…
This provision authorizes marketing communications that may include partner offerings, extending the use of personal data beyond RunPod's own services, and provides a stated opt-out mechanism that us…
This provision establishes Salesforce's legal framework for cross-border data transfers from European jurisdictions to the United States, creating accountability mechanisms through DPF certification …
The provision operationalizes Salesforce's compliance framework with varying regional privacy regimes by conditioning data subject rights on local legal requirements. This establishes the procedural …
The inclusion of 'to prospect sales leads' as an explicit processing purpose means Salesforce may use personal data collected from website visits or other interactions to target individuals as potent…
Transparency reports give users and enterprise customers visibility into how frequently Salesforce receives and complies with government demands for data, which is directly relevant to assessing the …
These rights are legally enforceable under California law and give California residents meaningful control over their personal data, including the ability to stop Samsung from sharing their informati…
Without defined retention periods for specific data types, personal data including browsing history, location, and health metrics may be retained for extended and undefined periods, which limits cons…
Under California's CPRA, businesses that sell or share personal information are required to honor GPC browser signals as a valid opt-out of data sale and sharing. If implemented correctly, this would…
This provision establishes the technical scope of the consent management layer governing which storage mechanisms are subject to clearing and interception upon consent withdrawal or modification. The…
The policy reserves the right to transfer all collected personal data to an acquirer in the event of a merger, acquisition, or insolvency proceeding, without requiring individual user consent or prov…
The policy grants access, correction, deletion, objection, and restriction rights to eligible users, with the applicable rights varying by jurisdiction, and directs users to a dedicated portal to sub…
The policy does not specify fixed retention periods for different categories of personal data, stating instead that retention continues as long as necessary for service provision or legal compliance,…
This provision defines the scope of Shopify's authority to use personal information for marketing purposes and establishes the procedural mechanism through which users may exercise control over recei…
Merchants using Shopify's email marketing or customer communication tools must comply with anti-spam laws in all applicable jurisdictions, and violations can result in both regulatory enforcement and…
This is the core privacy protection Signal offers: unlike most messaging services, even Signal itself cannot access your communications, significantly reducing the risk of your messages being read by…
This is a direct, unqualified commitment that distinguishes Signal from ad-supported platforms and provides a clear baseline expectation for users concerned about commercial data use.
Using home security event data for product improvement means that information about when alarms are triggered, which sensors activate, and how you interact with your system may be analyzed beyond the…
The absence of specific retention periods means your data could be retained indefinitely as long as any of the broadly stated purposes apply, including enforcing agreements, which provides limited cl…
This provision establishes Skillshare's stated COPPA-aligned posture for users under 18; as an online learning platform, Skillshare may attract users near the age threshold, and the operational relia…
The stated minimum age of 18 places Skillshare outside the direct scope of COPPA, which applies to children under 13, but creates a contractual representation that users must be legal adults. This pr…
The retention clause does not specify fixed retention periods for any category of personal data, which may engage GDPR's storage limitation principle requiring that data not be kept longer than neces…
This provision establishes Slack's stated compliance posture under COPPA and equivalent regulations, and provides a reporting mechanism if a child's data is believed to have been collected.
This provision establishes that the main notice is not a self-contained disclosure; the operational scope of data collection, use, and sharing obligations for specific products or user groups is dist…
The 16-year age threshold is stricter than COPPA's 13-year requirement in the US, but parents or guardians whose children may have accessed Smartsheet should know the service is not intended for mino…
Because the substantive legal terms are distributed across linked documents rather than consolidated here, users and compliance teams must access each linked document separately to understand the ful…
The hub-and-spoke policy structure means that the applicable privacy terms for any given user depend on which SoFi products they use, and users of multiple products are subject to multiple overlappin…
This provision documents that SoFi's implementation recognizes the GPC signal as an opt-out instruction for unauthenticated users on public-facing pages, which is consistent with California Attorney …
The mechanism creates a conditional user flow for privacy preference management based on authentication status, allowing SoFi to direct authenticated and unauthenticated users to potentially differen…
This framework defines the minimum consent configuration thresholds required for SoFi to process user data under its privacy notice terms. The conditional logic establishes that certain single or pai…
The clause implements automated response logic to browser-based privacy signals, determining the default consent posture for data collection and tracking technologies without requiring explicit user …
Reliance on the EU-US Data Privacy Framework as a transfer mechanism requires SoFi to maintain active certification, comply with framework principles including data minimization and onward transfer o…
The absence of specific data retention periods in the main policy text means users may not know how long their behavioral, communications, or account data is retained, which is relevant to both priva…
This provision establishes a policy-level commitment not to collect sensitive data categories, but the qualifier 'intentionally' means that if such data is inadvertently submitted through code reposi…
This provision authorizes collection of repository names and data accessed as part of audit logging, meaning records of which code repositories you interact with may be retained and shared with custo…
This provision discloses that browser-based privacy signals intended to limit tracking are not acted upon by Sourcegraph, which is relevant for users relying on browser settings as a privacy control.
International data transfers from U.S. users to Spotify group companies and subcontractors in other countries engage cross-border data transfer frameworks and may affect what legal protections apply …
This provision operationalizes legal non-discrimination requirements by explicitly binding Spotify to neutral treatment of users exercising privacy rights. It establishes that access to services or p…
The clause establishes uniform privacy rights administration across the user base rather than limiting rights applicability to specific states. This operational approach simplifies compliance by appl…
By extending state privacy rights to all U.S. residents, the policy makes data access, deletion, correction, portability, and opt-out of tailored advertising available to users in states that do not …
Open-ended retention language means your data could be held indefinitely under broad regulatory compliance justifications, limiting the practical effectiveness of deletion requests.
This provision establishes Squarespace's compliance posture under COPPA and limits the platform's legal exposure for collecting children's data, though enforcement depends on Squarespace's ability to…
These rights are among the strongest data protection rights globally and are legally enforceable, meaning Squarespace is obligated to respond to valid requests within specific regulatory timeframes.
Because Squarespace is not required to proactively notify all users of every change, material updates to data practices could take effect without users actively realizing the policy has changed.
These rights are legally enforceable under California law and include a non-discrimination guarantee, meaning Squarespace cannot penalize you for exercising them, which is a meaningful consumer prote…
The clause conditions the availability of these data subject rights on the user's jurisdiction, meaning the scope of exercisable rights depends on whether the user is located in or covered by the des…
This provision gives California residents a specific legal right to find out whether and how their personal data has been shared for marketing purposes, which can help them understand the scope of da…
The absence of specific retention periods for most data categories means consumers have limited visibility into how long their purchase history, location data, and behavioral profiles are kept, which…
These rights are legally enforceable under the CPRA and Washington state law, meaning Starbucks is obligated to respond to qualifying requests, and consumers who exercise these rights cannot be penal…
This provision establishes the operational framework for marketing communications and specifies the procedure by which users can manage their communication preferences within the platform's email sys…
Understanding how and when Stash will notify you of privacy policy changes is important because continued use of the platform after a change typically constitutes acceptance of the new terms.
This is a meaningful consumer protection commitment, though its practical scope depends on how 'sell' is defined relative to the de-identified data sharing and joint marketing practices described els…
EU, UK, and Swiss users' data transferred to the U.S. is covered by the DPF certification, and the Principles supersede this policy in cases of conflict, providing a meaningful legal backstop for cro…
The policy does not specify fixed retention periods for most data categories, meaning your data may be retained for extended periods based on Valve's internal assessments of operational and legal nec…
Marketing emails are sent on a legitimate interest or consent basis depending on jurisdiction, and opting out is an available but non-automatic protection that requires affirmative action from the us…
The clause establishes the foundational scope and transparency structure of Stripe's privacy practices, including disclosure of data handling procedures and affirmation of data subject rights availab…
The clause establishes the operational framework for Stripe's direct marketing practices and specifies the procedures by which users can control receipt of marketing communications. This defines both…
The provision establishes procedural obligations for Substack's handling of privacy rights requests and creates a documented timeline mechanism for request fulfillment. It operationalizes user object…
The one-month response commitment, newly added in this policy update, gives users a concrete service level expectation for privacy rights requests, which is aligned with GDPR Article 12 requirements …
For EU, UK, and Swiss users, DPF certification means Substack is committed to a set of data protection principles that govern how their data is handled in the US, and they have access to a structured…
This provision establishes a minimum age of 16 for platform use, which is above the COPPA threshold of 13, and commits Substack to deleting data collected from under-16 users upon discovery. The prov…
This provision establishes the procedural framework for user privacy rights requests, with a one-month response commitment added in the May 2026 update. The provision conditions the availability and …
Automated profiling based on your creative behavior could influence what content and suggestions are surfaced to you, and the ability to edit or disable this profile gives users some meaningful contr…
Using third-party login passes some of your profile data from those platforms to Suno, meaning your data footprint on Suno begins before you manually enter any information.
Your payment card or billing information is handled by a third-party processor whose own privacy and security practices govern that data, so reviewing the processor's terms separately is advisable.
This provision preserves Supabase's operational flexibility to adapt privacy practices in response to regulatory changes, business operations, or service modifications. It establishes that privacy po…
This provision is consumer-protective in that it confirms Supabase does not retain raw payment credentials, but it also means a portion of your financial data is governed by a third-party policy (Str…
This provision permits personal information to transfer to successor entities in a corporate transaction, which may result in users' data being governed by a different entity's privacy practices foll…
This provision establishes the data categories obtained through GitHub SSO authentication and the basis on which Supabase accesses third-party identity data. The scope of data received is determined …
This provision establishes that Supabase's services are not intended for minors and that the company does not knowingly collect data from children, which is the standard COPPA-compliant disclosure fr…
This provision confirms Supabase's stated position that it does not sell personal data under Nevada's definition, which is reassuring for Nevada residents but does not address broader data sharing pr…
SSO authentication means Supabase receives profile data from your third-party accounts (such as GitHub) as part of login, and users should be aware of what data is shared during that authentication f…
A clear restriction on children's use is required under COPPA for US-based services and equivalent laws in the EU (GDPR) and UK (Children's Code), and its presence indicates Supabase has considered a…
The provision establishes Supabase's position that its data practices fall outside the scope of Nevada's sale-of-information statute, while maintaining a designated channel for residents to exercise …
This provision establishes that Supabase's data handling obligations for payment information are limited to transactional data, with credit card and financial credential data handled exclusively by S…
California residents have stronger privacy protections than most other US states, including enforceable rights to access and delete personal data that do not depend on T-Mobile's agreement — these ar…
This provision describes the procedural mechanism through which EU/EEA users may exercise statutory data rights. Organizations deploying Tabnine for EU-based employees should confirm that Tabnine's r…
The policy sets the minimum age at 16 rather than 13, which is more protective than the baseline US COPPA threshold and aligns with the GDPR's default age of consent for information society services …
The policy reserves the right to modify its terms with notification of material changes by email or website notice, but does not specify a minimum advance notice period or require affirmative consent…
COPPA requires verifiable parental consent before collecting personal information from children under 13; a retailer's general audience claim does not eliminate compliance obligations if children are…
This provision establishes a stated commitment that user data is not analyzed or mined for advertising purposes, which is operationally distinct from advertising-supported platforms that use behavior…
This provision describes the data subject rights framework Telegram asserts it supports, including portability and the right to lodge complaints with national authorities. The qualification of rights…
This is a meaningful departure from the advertising-based business models of many competing platforms; however, users should note this is a policy commitment rather than a technical guarantee enforce…
These rights are legally enforceable under GDPR for EEA users and equivalent frameworks elsewhere, giving users meaningful control over their data held by Telegram.
Changes to the privacy policy may expand the ways your personal data is used, and the primary notification method (updating the effective date) may not provide adequate notice to users who do not reg…
The provision operationalizes a consent-based marketing communication system with an affirmative opt-out structure. The carve-out for non-marketing communications preserves Thomson Reuters' ability t…
Understanding what data rights you have and how to exercise them is essential for managing your privacy, and Ticketmaster commits to providing access mechanisms, though the specific scope of rights v…
Clipboard content can include sensitive information such as passwords, bank account numbers, personal notes, or other data copied from other apps that is incidentally accessible during a TikTok actio…
This provision establishes the operational framework under which Tinder responds to user data subject access requests and related rights. The availability of these mechanisms is contingent on applica…
Linking third-party accounts creates a data flow from those platforms to Tinder that users may not fully anticipate, potentially importing more information than users intend to share with a dating ap…
A security freeze is one of the most effective tools to prevent identity theft using your credit data, and placing one is free and can be done online.
This standard COPPA-aligned disclosure confirms TransUnion's services are adult-oriented, but the 'knowingly' qualifier means collection could occur if a minor misrepresents their age during account …
International data transfers of sensitive financial data are subject to ongoing regulatory scrutiny in the EU, and the adequacy and implementation of transfer mechanisms is a live compliance area fol…
California's CCPA and CPRA provide some of the strongest consumer data rights in the US, and TurboTax users in California can meaningfully restrict how their sensitive tax data is used beyond the cor…
The clause establishes a consent-based framework for marketing communications, with opt-out mechanisms that allow users to control receipt of promotional messages. The provision distinguishes between…
The availability of region-specific privacy notice versions indicates Twilio has structured its privacy disclosures to address jurisdictional variation, which is relevant for assessing the adequacy o…
This provision establishes VWO as an active behavioral tracking and experimentation tool on twilio.com. The consent handler reads a specific TrustArc consent key from localStorage and maps it to VWO …
The clause distinguishes between marketing communications, from which users may opt out, and transactional or account-related communications, which may continue regardless of opt-out status. This est…
The notice does not state specific retention periods for most categories of personal data, meaning data collected from website visits and marketing interactions may be retained for extended periods a…
Without specific retention periods disclosed, users cannot know how long their data, including sensitive information like billing details and chat history, is held by Twitch.
If Twitch is acquired or merged, your personal data becomes an asset transferred to the new entity, which may operate under different privacy practices than those you originally agreed to.
Do Not Track is a browser setting that signals a user's preference not to be tracked across websites; how platforms respond to this signal affects whether users' tracking preferences are actually hon…
Communications submitted to customer support, including descriptions of incidents and personal information shared in that context, are collected and retained by Uber and may be used beyond the immedi…
This provision identifies the operational data-sharing structure under which personal data including home or work addresses, order preferences, and identity information passes from Uber to independen…
The absence of specific retention timelines for most data categories, including location history and trip records, means personal data may be retained for extended periods beyond the active service r…
This provision authorizes real-time location and identifying information to be made visible to members of the public (riders and recipients), which creates personal safety considerations for drivers …
This provision establishes the operational mechanism through which users in GDPR, CCPA, CPRA, and other privacy law jurisdictions can exercise statutory data subject rights, with the scope of rights …
These rights, backed by California law, give California residents meaningful control over their personal data at Udemy and cannot be waived by the privacy policy terms.
This provision establishes Udemy's stated age restriction and shifts responsibility to users and parents to ensure minors do not access the platform, but the terms do not describe active age verifica…
Learners may not anticipate that their quiz performance and course participation are visible to the individual instructor, not just Udemy as a platform operator.
The scope of this permission depends entirely on whether de-identification actually meets legal standards, since improperly de-identified data can still be linked back to individuals, particularly in…
This provision establishes the entity's operational position regarding COPPA compliance and establishes an age-appropriate audience classification for the service. It clarifies the service's complian…
These rights give users meaningful control over the personal data Uniswap Labs holds about them, including the wallet address and IP address combination, though the practical scope of deletion rights…
Changes to the policy may affect how your wallet address, transaction data, and IP address are used, and the minimum notification standard is only a date change on the webpage rather than a direct no…
This new commitment directly responds to the FTC's 2024 amended COPPA rule, which introduced data retention limits for children's data, and creates a concrete operational obligation for Epic to imple…
The policy's use of a group-level data controller definition, with the specific responsible entity identified only in Section 12, is operationally significant under GDPR, which requires clear identif…
This provision establishes that personal information about users may be received from third-party sources, which is operationally significant for data mapping, GDPR Article 14 transparency obligation…
This provision establishes that Upwork relies on user self-certification of age rather than active age verification, which may leave a compliance gap under COPPA for younger teenagers if minors acces…
Without specific retention timeframes, it is difficult to know how long your data will be held, and the open-ended criteria could mean data is retained for extended periods beyond what users might re…
These are enforceable legal rights under GDPR, not just policy commitments, meaning you can compel Vercel to comply with these requests and escalate to your national data protection authority if they…
The notification mechanism for material changes is important because a significant change in data practices, such as new advertising partners or expanded data sharing, would be covered by this provis…
While standard for most platforms, developers using Vercel to build consumer applications that may reach children should be aware that Vercel's own child data protections apply only to platform accou…
The clause establishes dual pathways for marketing communication—affirmative opt-in and legitimate interest—with a unilateral opt-out mechanism. This structure governs the conditions under which prom…
The provision operationalizes compliance with GPC signal standards, establishing a technical mechanism through which users can exercise privacy preferences without separate account configuration. Thi…
This provision operationalizes Visa's compliance framework under the Children's Online Privacy Protection Act (COPPA) and establishes the company's procedural obligations regarding inadvertent collec…
The absence of specific retention periods makes it difficult for consumers to know how long their data is held and may conflict with GDPR's data minimization and storage limitation principles.
Device identifiers combined with location data and transaction records can enable precise behavioral tracking and are increasingly subject to regulation in privacy-sensitive jurisdictions.
This provision establishes a COPPA-compliant framework for the primary digital services, but the pharmacy and health context presents a specific operational consideration: minors may be represented i…
Open-ended retention language keyed to business purpose rather than fixed time limits provides limited consumer visibility into how long specific data categories are retained, which is relevant to co…
This provision asserts a purpose-based retention standard without specifying concrete retention periods for particular data types such as location history or driving behavior records, which limits us…
This provision establishes that user-contributed map data and incident reports are treated as community data that may be publicly visible and commercially used, meaning contributions are not private …
This provision establishes Waze's compliance framework with the Children's Online Privacy Protection Act (COPPA) and similar child protection regulations by defining the service's intended user popul…
Minors are expressly prohibited from using the service, and Wealthfront places the responsibility for age verification on the user through a self-certification mechanism.
This provision establishes an age-based eligibility restriction for the service and creates a data collection boundary that aligns Wealthfront's practices with regulations governing the collection of…
This provision delineates the company's authority to conduct marketing outreach and specifies the procedural boundaries of user control over that outreach. The carve-out for administrative communicat…
While Wealthfront states it does not collect cross-site personal information, the non-response to DNT signals means consumers cannot use standard browser tools to control data collection, and must re…
This is a strong, unqualified consumer-facing commitment that, if accurate, means Wealthfront's data sharing model is limited to operational service providers and affiliates rather than commercial da…
The use of 'reasonable measures' without specifying technical standards means the policy does not commit to any particular security framework, which is relevant given the sensitivity of financial and…
These rights are legally enforceable under California law and give California-based investors meaningful control over their financial and personal data held by Webull.
The clause creates a procedural mechanism for users to exercise data subject rights recognized under privacy regulations, with no specified response timeline, fee structure, or approval conditions st…
Publication of a privacy policy within a technical documentation platform, rather than a dedicated legal or privacy portal, may affect discoverability and user notice adequacy under applicable regula…
Without adequate notice of policy changes, users may be bound by new data practices they were never aware of.
The stated cross-platform scope of this policy determines which CoreWeave products and services, including GPU cloud computing, Kubernetes infrastructure, and storage services, are subject to its per…
These rights give California users meaningful control over how Whatnot uses their personal data, including the ability to stop data sharing for advertising purposes and to have their data deleted.
The absence of specific retention periods means your personal data, including purchase history and financial information, may be held indefinitely under broad business or legal justifications.
This provision establishes a prior notice commitment for policy changes, which is meaningful because continued use of WhatsApp after notice constitutes acceptance of updated terms; the policy does no…
This provision establishes a minimum age requirement of 18 for service access, which is operationally significant given that the service collects continuous physiological data; the restriction also d…
The policy sets the minimum age at 18 rather than 13, which is the threshold under COPPA for many US online services; this higher threshold affects the scope of the company's obligations and represen…
This provision establishes that data transmission to Windsurf servers occurs continuously during IDE use, not only in response to explicit user actions. Compliance teams assessing network traffic, da…
This provision establishes the eligibility conditions for account access, and use of the service constitutes a warranty by the user that they meet both the age and residency requirements.
Open-ended retention language means your data could be held for extended periods, and the absence of specific retention periods makes it harder to predict when your information will be deleted.
If a minor uses Wix without parental knowledge, any data collected may be subject to enhanced deletion obligations, but the burden of identifying and reporting the account falls largely on the parent…
While de-identification reduces privacy risk, the practical robustness of de-identification methods varies, and regulators in some jurisdictions apply scrutiny to whether data is truly irreversible.
These rights give users meaningful control over their personal data, but they require users to actively exercise them and understand which rights apply in their jurisdiction.
This declaration may signal that Workday applies a higher baseline of privacy protections to all users rather than limiting enhanced rights only to EU or California residents, though the practical im…
Marketing claims about security and compliance do not carry the same legal weight as contractual commitments in a privacy policy or data processing agreement. Businesses and consumers should verify t…
Marketing and analytics cookies may involve sharing your browsing and usage data with third-party advertising and analytics platforms, depending on your cookie settings.
The policy does not specify exact retention periods for each data category, meaning users cannot easily determine how long their content and account data will be held.
Google Tag Manager can be used to deploy a range of tracking scripts, including advertising and analytics tags. Whether and how visitor data is disclosed in Writer's privacy policy cannot be assessed…
Disclosure of the legal entity name and contact information is relevant for consumers and businesses who need to direct privacy requests, complaints, or legal notices to the correct organization.
These rights are legally enforceable for EU, UK, and California residents, meaning Writer is obligated under applicable law to respond to valid requests within specified timeframes.
HubSpot tracking may collect visitor identifiers, page interaction data, and session information. This introduces HubSpot as an additional third-party data recipient whose practices govern what happe…
Website notice alone may not ensure that active users are aware of material changes to their data rights before those changes take effect; users should monitor Yelp's policy page or enable notificati…
European Residents have more extensive statutory data rights than most other users, including the right to object to processing for legitimate interests purposes and the right to data portability, wh…
These are legally enforceable rights under California law that give California residents meaningful control over their personal data held by Yelp, including the ability to stop their data from being …
This clause establishes a data portability mechanism that allows account holders to retrieve and transfer their stored content independent of Google's services. The authorization applies to the full …
This provision establishes the operational mechanisms for data portability and erasure rights, which are required under GDPR and CCPA/CPRA; the availability of Google Takeout for data export and acco…
Data retention periods affect how long your behavioral profile persists in Google's systems, which matters both for privacy and for how long historical data can inform ad targeting or be subject to l…
This provision defines the operational boundaries of external data sharing, including sharing with domain administrators (relevant to Google Workspace users) and partners engaged for processing; the …
Having the ability to delete or limit data collection is an important consumer right; understanding that these controls exist and how to use them is practically significant for managing your advertis…
The provision establishes parental oversight mechanisms within the YouTube Kids platform by granting account administrators control over history visibility and collection. This operational architectu…
These controls give parents meaningful tools to limit data-driven recommendations, but the notice makes clear that profile-linked history persists even after reinstalling the app unless specifically …
Clicking links from the Zelle website to third-party sites means you leave the protection of this privacy notice, and those sites may have different, potentially less protective data practices.
The clause establishes Zelle's procedural framework for honoring user opt-out choices regarding certain online tracking practices. By accepting GPC signals and maintaining a Cookie Preference Center,…
This provision provides California-specific rights for business contacts, reflecting the CPRA's extension of certain rights to B2B personal information, and establishes a manual email-based process f…
This provision establishes Zelle's COPPA compliance posture, but the 'do not knowingly' standard means that if a child under 13 visits the site, data may still be collected unless the site has active…
The clause establishes the procedural requirements and contact pathway for managing marketing communication preferences, defining how users exercise control over marketing outreach from Zelle.
This clause establishes the mechanism and timeline by which privacy practices may be modified. It establishes that users are responsible for reviewing the Privacy Notice periodically to remain curren…
This provision establishes Zendesk's age threshold at 16 for data collection purposes, engaging COPPA requirements in the US for children under 13 and GDPR Article 8 requirements for children under 1…
This provision establishes the marketing communication opt-out mechanism and clarifies that transactional communications continue after opt-out, which is relevant for CAN-SPAM compliance in the US an…
This provision establishes Zendesk's stated data retention framework, which engages GDPR Article 5(1)(e) storage limitation requirements and equivalent principles under other regional frameworks, and…
The notice does not specify concrete retention periods for most data categories, which means the duration Zendesk holds your data is determined by Zendesk's internal policies and legal obligations ra…
This provision establishes a consent-based data sharing mechanism with real estate professionals that is operationally central to Zillow's business model and relevant to users' expectations about who…
This provision establishes Zillow's stated compliance posture under COPPA, which governs online collection of personal information from children under 13 and is enforced by the FTC.
This provision operationalizes Zillow's compliance with CCPA/CPRA and analogous state privacy statutes by establishing the rights framework, request process, and response obligations applicable to co…
These rights give California consumers meaningful control over their personal data, including the ability to stop Zillow from sharing home search and contact data with advertisers and partners.
This provision operationalizes non-discrimination protections by explicitly prohibiting price disparities, service denials, and quality reductions tied to privacy right exercise. The clause establish…
Retention period disclosures are required under CCPA/CPRA and are relevant to consumer deletion rights; indefinite or purpose-based retention policies without specific timeframes may be subject to re…
Personal data you provide may be converted into de-identified or aggregated form and used for any commercial purpose, including analytics, product development, or sale to third parties, without furth…
Employment platforms that collect detailed personal data, including resumes and application history, have heightened obligations under laws like COPPA in the U.S. and GDPR Article 8 in the EEA when m…
Declining to provide certain personal data could result in loss of access to ZipRecruiter's job search or recruiting services, framing data provision as a prerequisite for service access rather than …
This provision establishes the range of data subject rights Zoom recognizes under applicable law and the mechanism by which users can exercise them. For enterprise customers, understanding which righ…
This provision establishes a minimum age requirement of 18 with a parental consent exception, and the agreement's terms apply to any minor who uses the platform with parental consent. The broad servi…
Knowing you have the right to contact eBay's Privacy Team and exercise data rights is important for users who want to access, correct, delete, or port their personal information.
Create a free account and watch the platforms that matter to you. We'll email you the moment something changes.
A privacy rights clause is a provision in a platform's terms of service or privacy policy governing privacy rights-related rights, obligations, or restrictions.
ConductAtlas tracks 284 platforms with privacy rights clauses - roughly 83% of platforms in the archive. 583 are classified as high severity.
Severity reflects the magnitude of rights waived, availability of opt-out, breadth of users affected, financial or legal exposure created, and the degree of discretion retained by the platform.