The policy asserts user consent to international data transfers through continued use of the service; however, under GDPR, consent obtained in this manner (through terms of service acceptance rather than explicit, informed consent) may not constitute a valid transfer mechanism, and the specific lawful transfer mechanism for EU/UK users is not identified.
Eufy
· Eufy Privacy Policy
Data transfers to China are subject to Chinese data law requirements including the Personal Information Protection Law (PIPL) and potential government access obligations that differ materially from EU GDPR or US privacy frameworks, which may affect what protections apply to your data.
This provision establishes that activity data generated on Threads is not siloed within the Threads product but may be combined with data from other Meta platforms and third-party sources to build advertising profiles and inform ad targeting across Meta's ecosystem. The scope of this combination affects users regardless of whether they actively use other Meta products.
This provision establishes the legal basis and operational scope under which Meta links behavioral, interest, and activity data across its entire product family and external sources, creating a unified advertising profile that encompasses on-platform and off-platform user behavior.
This provision means that a child's activity in YouTube Kids can feed into Google's broader data ecosystem when a Google Account is used, extending the data use well beyond what many parents might expect from a dedicated kids' app.
Fly.io
· Fly.io Privacy Policy
This provision places legal compliance responsibility for end-user data squarely on the deploying developer or business, which may expose them to regulatory liability if they have not established appropriate data protection agreements.
Slack
· Slack Privacy Policy
Most Slack users encounter the service through an employer or organization, meaning their message content is legally under the employer's control and Slack's obligations run to that employer, not the individual user.
This provision means that individuals whose personal data is processed through a Google Cloud-powered application have no direct rights under this public notice; their protections depend entirely on what the deploying business negotiated with Google.
Cohere
· Cohere SaaS Agreement
The agreement authorizes use of customer-submitted inputs and model outputs for model training by default; enterprise customers transmitting confidential, regulated, or sensitive data should confirm their opt-out status before using the API in production.
For business users, this distinction determines who controls your data and what rights apply: workspace content is governed by your agreement with ClickUp as a processor, while separately collected behavioral data is governed by ClickUp's own controller decisions.
Pinecone
· Pinecone Data Processing Addendum
This clause places the entire legal burden of ensuring lawful processing, including obtaining data subject consent where required, on the Customer rather than Pinecone. Submitting special category data in violation of this clause may constitute a breach of both the DPA and applicable Data Protection Laws.
This provision allocates the legal and compliance burden for contact list legality, consent documentation, and anti-spam law adherence entirely to the customer, creating direct regulatory exposure for customers whose contact acquisition or consent management practices are not compliant with GDPR, CAN-SPAM, CASL, or other applicable frameworks.
This provision places the legal compliance burden for Contact Data on the Customer as data controller, creating direct exposure under GDPR, CCPA, and other applicable privacy laws if data is transferred to HubSpot without adequate lawful basis, consent, or required disclosures to data subjects.
Twilio
· Twilio Terms of Service
This allocation of responsibility establishes that Twilio operates as a messaging infrastructure provider without monitoring obligations for customer-side regulatory compliance. The provision defines the operational boundary between Twilio's platform obligations and the customer's independent compliance obligations under messaging and telemarketing law.
This program uses network-level behavioral data, including browsing history and app activity, for commercial advertising purposes without requiring you to affirmatively consent before enrollment.
This provision authorizes Verizon to use network-level behavioral data, including browsing and app usage activity, as a telecommunications carrier to deliver targeted advertising. As a common carrier, Verizon's use of CPNI-adjacent network data for advertising purposes engages FCC regulatory authority in addition to general consumer privacy frameworks.
This provision establishes a default opt-in enrollment for a program that uses network-level data, including URLs visited and app usage, for advertising profiling. Under FCC CPNI rules, telecommunications carriers have historically been subject to restrictions on using certain network usage data for marketing without affirmative customer consent, and this default enrollment structure may require evaluation against those requirements.
This program uses sensitive browsing and app activity data for advertising without requiring you to affirmatively opt in, meaning your data is being used for ad personalization unless you take action to stop it.
The policy states that profiles maintained about Cash App users may be enriched with externally sourced inferred characteristics and advertising segments from data brokers, which goes beyond transactional data collection and engages CCPA/CPRA rights to know about third-party data sources and opt out of their use.
BeReal
· BeReal Terms of Service
BeReal's core product involves capturing dual-camera photos at random moments, which means the app regularly collects images of your face and surroundings, and the terms govern how that sensitive data is used and shared.
Viewing history and location data are considered sensitive personal information under several state privacy laws, and the sharing of this data with third-party partners for advertising purposes may constitute a data sale under CCPA, giving California residents opt-out rights.
The collection of precise location data and trip details, combined with use for purposes described in a separate Privacy Notice incorporated by reference, means the full scope of data use is not entirely contained within these terms and requires review of an additional document.
Meta
· Llama API Terms of Service
This provision creates a time-sensitive operational obligation that applies upon platform access termination or user request, requiring developers to have implemented data mapping and deletion workflows capable of identifying and purging all Meta platform-sourced data across their systems and sub-processors.
Meta
· Meta Platform Policy
This clause creates an operational obligation for Meta to process data deletion requests within defined parameters, establishing the conditions under which user data must be removed from Meta's systems and the exceptions to that obligation.
Box
· Box Terms of Service
Organizations subject to GDPR, CCPA, or other data protection laws need to ensure they have executed a Data Processing Agreement with Box, as the standard terms alone may not satisfy regulatory requirements for data processor relationships.
Cohere
· Cohere SaaS Agreement
The DPA structure is the primary mechanism through which GDPR, CCPA, and other data protection obligations are operationalized in the agreement; enterprise customers processing personal data through the API must ensure the DPA is executed and that its terms are consistent with their privacy compliance obligations.
OpenAI
· OpenAI API Data Usage Policies
A signed DPA is the primary contractual instrument establishing GDPR Article 28 compliance and CCPA service provider status; without it, enterprise customers may lack documented legal basis for processing personal data through OpenAI services.
Slack
· Slack Terms of Service
The incorporation of a DPA addresses regulatory requirements under data protection regimes such as GDPR and similar frameworks that require explicit contractual terms governing the processing of personal data. This establishes the legal framework for how customer data and end-user data are handled throughout the service relationship.
The privacy and data protection obligations that matter most for GDPR and CCPA compliance are in a separate document that is incorporated by reference but not reproduced here, meaning organizations must actively obtain and review the DPA to understand their full data protection obligations.
The DPA is a critical companion document for GDPR and CCPA compliance, but it is incorporated by reference rather than appended to the main agreement. Enterprise customers must review the DPA separately to understand their data protection obligations and Perplexity's commitments as a data processor.