Asana
· Asana Privacy Statement
The DPA is the primary contractual document establishing Asana's data protection obligations to enterprise customers. Without a signed DPA, an organization may lack the contractual protections required by GDPR and similar regulations.
The DPA governs GDPR and CCPA compliance for personal data processed through HubSpot, and its terms and obligations are legally binding even though they are in a separate document that many customers may not have read.
This provision establishes that EU and UK data protection obligations are addressed in a separate contractual instrument rather than within the ToS itself, creating a multi-document compliance framework that requires users to locate, review, and execute the DPA separately.
As a payment processor handling card data, Checkout.com's data practices directly affect how sensitive financial information belonging to end customers is stored, processed, and protected.
The terms establish that personal data processing is governed by a separately incorporated DPA, which is the operative compliance instrument for GDPR and CCPA obligations; customers must review and understand the DPA to meet their legal data processing obligations.
For any organization processing personal data of EU residents or other protected individuals on GCP, the DPA establishes the legal framework for that processing and determines whether Google acts as a processor under your instruction or in another capacity.
Fastly
· Fastly Terms of Service
Customers handling personal data subject to GDPR, UK GDPR, or CCPA need a Data Processing Addendum to meet their legal obligations, but this document indicates it is not automatically part of the agreement and must be separately requested.
Auth0
· Auth0 Terms of Service
Auth0 handles login credentials, authentication tokens, and user identity information for the end users of its customers' applications, making the data processing terms central to GDPR, CCPA, and other privacy law compliance for those businesses.
This provision governs the scope of Perplexity's rights to use enterprise-submitted data, which is a primary compliance consideration for organizations deploying AI platforms that process employee queries, customer information, or proprietary business data.
This provision determines where legal accountability sits for end-user data. Because the business deploying Mixpanel is the data controller, end users must direct data rights requests such as access, deletion, and opt-out to the deploying business, not to Mixpanel.
Cohere
· Cohere Enterprise Data Commitments
Data residency options are operationally significant for enterprises subject to data localization laws or contractual requirements restricting cross-border data transfers. The availability of these options depends on Cohere's infrastructure and the specific regions offered.
Plaid
· Plaid End User Privacy Policy
Secondary use of financial transaction data for Plaid's own benefit (product development, analytics) is a purpose that goes beyond what you likely intended when connecting your bank account to a specific app, and the adequacy of de-identification for longitudinal financial data is an open technical and legal question.
The clause operationalizes Paramount+'s obligations under California privacy law (CCPA/CPRA) by creating a documented process for opt-out requests and establishing that the company will cascade opt-out instructions to third parties in its service provider and partner network.
The opt-out right is meaningful but requires affirmative action on every browser and device separately, and users outside the listed 19 states may have no enforceable opt-out right under this policy regardless of their preferences.
T-Mobile has experienced multiple significant data breaches affecting tens of millions of customers, making this provision's practical meaning directly relevant; the commitment to notify 'as required by applicable law' means the timing and scope of notification depends on jurisdiction-specific legal requirements, not a uniform standard.
This provision authorizes third-party tracking technology deployment on Walgreens platforms, enabling advertising and analytics partners to independently collect device identifiers, browsing activity, and interaction data. The scope of data accessible to third-party pixels and cookies deployed on health-related pages creates specific regulatory exposure under state health data laws and FTC guidance.
The policy discloses that data sharing with advertising partners may constitute a sale or sharing under CCPA/CPRA, which triggers opt-out rights for California residents and creates compliance obligations for Best Buy regarding the clarity and accessibility of the opt-out mechanism.
Klarna
· Klarna Privacy Policy
A missed Klarna payment could be reported to credit reference agencies and damage your credit score, affecting your ability to get loans, mortgages, or other credit products from unrelated financial providers.
PayPal
· PayPal Privacy Statement
The explicit disclosure that data brokers are among the sources from which PayPal obtains personal information means that data about users may be combined with externally purchased data profiles, which can affect the completeness and sensitivity of the information PayPal holds and uses for targeting and risk assessment.
The provision operationalizes jurisdiction-specific legal obligations while explicitly reserving discretion to deny data subject requests based on lawful criteria. This structures how Anthropic handles access, deletion, and portability requests across different regulatory regimes.
Meta
· Llama API Terms of Service
This provision defines the permissible scope of data use for all platform-integrated applications, establishing that use of user data outside the stated core functionality or Meta's advertising policies constitutes a terms violation that may trigger audit, restriction, or termination of platform access.
This provision establishes a default data-use posture that applies to all API traffic until a developer affirmatively changes a project setting. Developers handling personal data from end users should assess whether this default is consistent with their data protection obligations before deploying.
SoFi
· SoFi Privacy Notice
This provision establishes a passive consent mechanism that triggers full cookie opt-in upon page abandonment for users who have not explicitly engaged with the consent banner, which may require evaluation under CCPA and CPRA requirements for opt-out of sale and sharing of personal information for California residents.
Venmo
· Venmo Privacy Policy
The default public setting means that payment descriptions, which may reveal personal, financial, or relationship information, are visible beyond the two parties to a transaction unless a user actively opts for privacy.
The provision operationalizes a default public visibility model for user profiles and transaction-related content. It allocates responsibility by establishing that users' posted content operates under a public disclosure framework rather than confidentiality protections, and disclaims Poshmark's duty to control third-party access or usage.
This provision states that direct messages, which users may treat as private communications, are processed by X's systems including AI and machine learning tools, for purposes beyond simple delivery to the intended recipient.
The policy discloses that user Inputs submitted through the OpenRouter service are transmitted to third-party LLM providers whose data practices, including model training use, are outside OpenRouter's control and governed by separate terms not incorporated into this policy.
This provision establishes that personal data or sensitive content embedded in user Inputs may be processed by third-party AI providers under terms and data practices that OpenRouter neither governs nor warrants, creating a compliance boundary that enterprise and regulated-industry customers should evaluate independently.
This provision goes beyond standard law enforcement or fraud-prevention disclosures and authorizes FanDuel to share your identifying information with your employer or a sports organization without a court order or your specific consent, which could have professional or legal consequences for users who are athletes, employees of teams, or affiliated with competing platforms.
Genetic data is among the most sensitive personal information that exists — it reveals information about your health, ancestry, and biological relatives. Understanding how it is used and shared is critical before submitting a sample.