Bank account details and tax identification numbers are among the most sensitive financial data points a consumer can share, and their collection by an online platform creates meaningful exposure to financial fraud if the data is compromised.
Plaid
· Plaid End User Privacy Policy
Credential collection is among the most sensitive data practices in consumer finance, and users may not realize that a financial infrastructure company, rather than just the app they are using, is receiving and handling their bank login information.
Plaid
· Plaid Terms of Use
This provision establishes the core data collection mechanism through which Plaid accesses sensitive nonpublic personal financial information, implicating GLBA, CCPA, and GDPR obligations for both Plaid and its developer partners.
eBay
· eBay Privacy Notice
The collection and retention of credit card numbers and bank account details by eBay and its payment affiliates creates significant financial data security obligations and exposure risk for users if security controls fail.
Fitness and health-related data is among the most sensitive categories of personal information, and its collection, use, and sharing are increasingly regulated under state biometric and health data privacy laws.
DeepL
· DeepL Privacy Policy
This provision establishes a material operational distinction between free and paid service tiers with respect to how submitted text and document content is processed beyond the immediate translation request. Organizations and individuals transmitting sensitive, confidential, or proprietary content through the free service tier should be aware that the policy authorizes this training use.
Google
· Google Analytics Terms of Service
This provision incorporates by reference a separate data processing agreement governing GDPR compliance, meaning the full scope of GDPR-applicable data processing obligations for EU/EEA, Swiss, and UK account holders is not contained within this document alone. Account holders must separately review and comply with the Google Ads Data Processing Terms, and warrant compliance on behalf of their clients as well.
OpenAI
· OpenAI Enterprise Privacy
A DPA incorporating SCCs is a legal requirement under GDPR for transferring personal data from the EU/EEA to a third country such as the United States. The document states this is available but requires the customer to request it, meaning it is not automatically in place.
OpenAI
· OpenAI Enterprise Privacy
This provision establishes the mechanism by which EU-based enterprise customers can lawfully transfer personal data to OpenAI for processing. Under GDPR, a valid transfer mechanism is required for any transfer of EU personal data to a third country; the availability of SCCs via an executed DPA is the operative compliance step for EU customers.
The provision operationalizes statutory privacy rights within Headspace's service terms, establishing procedural obligations for Headspace to comply with GDPR and UK GDPR requirements and defining the timeline and scope of Headspace's response obligations.
The clause establishes a user-controllable mechanism for limiting data retention and personalization processing, while specifying that conversation data continues to be used for AI model improvement regardless of the setting's status.
This provision establishes a two-tier consent structure for DNA data: baseline collection required for service delivery and an optional research consent layer governing use and external sharing of genetic and health information. Compliance review should confirm the research consent mechanism satisfies requirements for explicit, specific, and withdrawable consent under applicable genetic privacy and data protection frameworks.
23andMe
· 23andMe Privacy Statement
The policy authorizes sharing of genetic data with external research partners, and the practical protection depends entirely on the robustness of the de-identification method used, which the summary document does not detail.
Gemini
· Gemini Privacy Policy
This provision establishes the regulatory framework applicable to Gemini's data handling practices. By asserting GLBA status, Gemini indicates its privacy obligations derive from federal banking privacy standards rather than state-level privacy laws, which may impose different notice, consent, or data handling requirements.
The operational significance is that the scope of privacy rights available to users varies based on which federal financial privacy regime applies to their information. This creates a tiered privacy framework where GLBA-governed information is not subject to the same deletion and disclosure obligations as information governed by state privacy laws.
Gemini
· Gemini Privacy Policy
The provision establishes the regulatory framework governing Gemini's privacy obligations by reference to federal law rather than state-by-state regimes. This designation determines which privacy statutes and consumer rights provisions apply to the institution's data handling practices.
Gemini
· Gemini Privacy Policy
This claim directly limits which privacy rights you can exercise as a US consumer, potentially removing protections you might expect under state laws like CCPA.
Shein
· Shein Terms and Conditions
The provision establishes the operational framework for the service to acknowledge and handle GPC signals, a standardized mechanism through which users can communicate privacy preferences to websites. This affects how the service processes requests to opt out of data sales or sharing activities covered under applicable privacy regulations.
The collection of biometric data for identity verification is subject to specific state laws including Illinois BIPA, which imposes strict notice, consent, and deletion requirements, and the policy's retention of this data may interact with those obligations.
Submitting a government ID and selfie creates a detailed identity record held by OnlyFans and its third-party processors, which, if breached or misused, could expose Creators to serious identity theft risk.
The collection of Social Security numbers and government-issued IDs represents a high-risk data category because these identifiers, if exposed in a breach, can enable identity theft and fraud. Users should understand that this data is mandatory for account creation due to federal regulatory requirements and is retained by the platform.
StockX
· StockX Privacy Policy
Government-issued ID is among the most sensitive categories of personal data, and its collection by a consumer marketplace creates heightened security and misuse risks if not properly protected.
Stripe
· Stripe Privacy Policy
Collection of government-issued identification data engages heightened sensitivity requirements under multiple privacy frameworks and triggers specific obligations regarding secure storage, limited retention, and restricted sharing under applicable identity verification and financial services regulations.
Gusto
· Gusto Privacy Policy
Health and benefits data is among the most sensitive categories of personal information, and its collection by a payroll platform creates potential obligations under HIPAA and heightened risks if exposed.
Health and fitness data is among the most sensitive categories of personal information, and its collection through always-connected hardware means Peloton builds a detailed picture of your physical condition and activity over time.
This provision identifies collection of health metrics that, while not covered by HIPAA in a consumer app context, are classified as sensitive personal information under CCPA/CPRA and subject to FTC guidance on health data. Menstrual cycle and reproductive health data have received specific regulatory and legislative attention since 2022.
Apple
· Apple App Store Review Guidelines
This provision conditions App Store approval for health and medical apps on possession of applicable regulatory credentials, and prohibits monetizing HealthKit health data through advertising, providing a baseline protection for sensitive health information.
Health and prescription data is among the most sensitive personal information, and its collection by a company that also operates digital advertising programs creates significant privacy considerations for consumers.
Garmin
· Garmin Privacy Statement
This data is among the most sensitive personal information that can be collected, and its exposure, misuse, or breach carries significant personal and legal consequences, particularly for reproductive health data given the current legal environment in some U.S. states.
Health data is one of the most sensitive categories of personal information and its collection by an airline, including via third-party intermediaries, raises questions about how long it is retained, who it is shared with, and under what legal basis it is processed.