Ancestry
· Ancestry Terms and Conditions
This provision asserts a sublicensable and transferable license over genetic information submitted by users, which is among the most sensitive categories of personal data under multiple regulatory frameworks including GIPA, GINA, and GDPR special category data provisions.
The clause establishes a default authorization for secondary use of genetic data beyond the primary service function, with an opt-out mechanism available to users who wish to restrict such use. This operational structure requires explicit user action to modify the baseline data usage parameters.
GitHub
· GitHub Privacy Statement
The clause operationalizes CCPA/CPRA statutory rights by specifying the mechanism through which California residents may exercise opt-out authority over data sales and sharing practices, establishing GitHub's procedural obligation to receive and process such requests.
This provision operationalizes statutory opt-out rights under state privacy laws, requiring Best Buy to maintain accessible channels through which residents of covered jurisdictions can affirmatively direct the company not to sell or share their personal information.
BeReal
· BeReal Privacy Policy
This provision is structurally unique: unlike most apps that collect photos you choose to share, BeReal's mechanism captures facial imagery and environmental context simultaneously on a randomised timer, meaning users may not always have full control over what is captured.
Stripe
· Stripe Privacy Policy
When Stripe acts as a processor on behalf of a Business User, your privacy rights requests may need to go to the merchant, not Stripe. This can make exercising rights more complex for consumers who interact with Stripe only through third-party checkouts.
Miro
· Miro Privacy Policy
This provision establishes two distinct legal frameworks governing different categories of data, requiring enterprise customers to manage compliance obligations under both the privacy policy (for controller-level data) and the DPA (for processor-level board content).
This provision determines who is responsible for your data and who you can hold accountable. If a company stored your email address in HubSpot without your knowledge, your legal rights run against that company, not HubSpot.
Developers deploying applications on Vercel need to understand that they, not Vercel, are legally responsible for their end users' data under GDPR and similar laws, and they must have their own privacy notices and legal bases for processing.
Suno
· Suno Privacy Policy
This provision operationalizes Suno's compliance obligations under EU data protection law by explicitly acknowledging that EEA residents retain statutory rights independent of the terms. It establishes the regulatory framework governing how Suno handles personal data for this user population.
Workday
· Workday Privacy Statement
Millions of employees use Workday through their employer without realizing that their privacy rights for employment-related data must often be exercised through their employer rather than directly with Workday, which can create confusion when seeking to access or correct personal records.
Stripe
· Stripe Privacy Policy
Many consumers who encounter Stripe only through third-party merchant checkouts may not realize that their direct rights against Stripe are limited in that context, and that they must contact the merchant to exercise certain privacy rights.
This provision states that employer-side administrators have potential access to individual users' Prompts and Outputs, which may include sensitive code, business logic, or personal queries entered during work sessions.
Enterprise customers cannot rely on this policy for any assurances about how their end-user data is handled; they need to review their separate data processing agreement with PlanetScale.
Cursor
· Cursor Privacy Policy
Employees or users whose accounts are provisioned by an organization may not have the same rights or protections described in this policy; their data rights depend entirely on the terms of the agreement between their employer and Anysphere.
Collection of face and body feature data from user content may constitute biometric data processing in certain jurisdictions, triggering specific consent and data rights requirements that go beyond standard privacy protections.
Hinge
· Hinge Privacy Policy
Biometric data is among the most sensitive personal information because it cannot be changed if compromised, and several US states impose strict legal requirements on how companies collect, store, and delete it.
The explicit separation of Face Recognition Data as a distinct category suggests the platform may process facial recognition data in some contexts, which carries the most stringent biometric data obligations under laws like Illinois BIPA.
The collection of facial photographs for age estimation constitutes biometric data processing under several U.S. state laws, and the involvement of a third-party provider means Spotify is not the sole party handling this data, raising questions about that provider's own data practices.
Roblox
· Roblox Privacy Policy
This provision discloses collection of facial images for age estimation purposes, which may constitute biometric data collection under applicable state and national laws including Illinois BIPA, Texas CUBI, Washington My Health MY Data Act, and GDPR's special category data provisions. The stated deletion practice upon process completion does not eliminate the collection itself as a regulatory trigger in jurisdictions with strict biometric data consent requirements.
Roblox
· Roblox Privacy and Cookie Policy
This provision authorizes collection of facial images for age estimation purposes, which may trigger obligations under state biometric privacy statutes including Illinois BIPA and Texas CUBI, depending on whether facial geometry data is derived from the images during processing. The stated deletion upon process completion is relevant to retention obligations under those frameworks, but does not necessarily resolve all consent or notice requirements.
Facial images are considered biometric data under several state laws, and the policy's assertion that they are not used for identification does not necessarily exempt their collection from biometric privacy statute requirements in states like Illinois, which require prior written consent regardless of the intended use.
Eufy
· Eufy Privacy Policy
Biometric facial data is among the most sensitive personal data categories because it is unique and permanent; unlike a password, you cannot change your face. Collection of this data from home security devices implicates strict state laws and requires explicit informed consent.
This provision establishes a material limitation on state privacy rights: because Equifax's core business involves FCRA-governed consumer report data, a substantial portion of the personal information it holds may fall outside the scope of CCPA, CPRA, and comparable state law deletion and access rights, with distinct FCRA dispute procedures applying instead.
The authorization to use credit report data for marketing purposes is broader than many consumers expect and extends for the lifetime of the account, covering a wider range of uses than simple eligibility determination.
Financial account data and transaction records are highly sensitive and subject to specific regulatory protections. This data is retained by Binance.US for regulatory compliance purposes and may be shared with financial partners, regulators, and law enforcement.
Acorns
· Acorns Privacy Policy
This provision establishes the scope of sensitive financial and identity data Acorns collects as a condition of platform use, encompassing data categories that are subject to heightened regulatory obligations under GLBA and that carry elevated risk in the event of unauthorized access or disclosure.
Venmo
· Venmo Privacy Policy
The policy authorizes collection of sensitive financial identifiers and transaction content that, in combination, create a detailed profile of a user's financial behavior and relationships.
Brex
· Brex Privacy Policy
Collection and processing of financial account numbers and credit information in the context of financial services products engages Gramm-Leach-Bliley Act obligations for privacy notices and information security safeguards, in addition to the general privacy policy disclosures.
Zillow
· Zillow Privacy Notice
Financial data submitted for mortgage applications is among the most sensitive personal information category; its use and sharing beyond the immediate loan process warrants careful review.