Whoop
· Whoop Terms of Use
The agreement discloses collection of a range of physiological and biometric-adjacent data categories on a continuous basis; the handling of this data is governed primarily by the Privacy Policy rather than these Terms, and the Terms incorporate the Privacy Policy by reference without reproducing its data sharing or retention provisions here.
OpenAI
· OpenAI Enterprise Privacy
A BAA is a legal requirement under HIPAA before a covered entity or business associate can share protected health information with a service provider. The document states this is available for qualifying customers but does not specify which services are HIPAA-eligible, requiring separate confirmation.
OpenAI
· OpenAI Data Processing Addendum
This provision places the compliance burden on the operator to identify when HIPAA applies to their use case and to execute a BAA before submitting any protected health information. Using the API with PHI without a BAA in place would constitute a potential HIPAA violation by the operator.
OpenAI
· OpenAI Enterprise Privacy
This provision establishes that API-based deployments handling protected health information may be eligible for BAA coverage, which is a prerequisite for using a third-party vendor under HIPAA. The provision specifies API deployments; compliance teams should confirm whether ChatGPT Enterprise or other product tiers are also within scope of the BAA.
This classification subjects Headspace to HIPAA's security, privacy, and breach notification requirements as a business associate, establishing a specific regulatory framework for how protected health information is handled. The provision creates institutional obligations for data protection standards and audit/compliance procedures that differ from standard commercial privacy frameworks.
Video footage and sensor data from inside a subscriber's home represent some of the most sensitive categories of personal information, and the policy's scope for using and sharing this data deserves careful consumer attention.
ADP
· ADP Privacy Statement
This provision identifies the specific categories of personal data processed by ADP as a processor, which include payroll, tax, benefits, and HR records, categories that carry heightened sensitivity in some jurisdictions and that trigger specific regulatory obligations regarding accuracy, retention, and security.
The notice explicitly authorizes human access to conversation content, and the policy advises users not to submit anything they would not want reviewed, signaling that conversation content is not treated as fully private.
Government-issued identity documents and tax information are among the most sensitive categories of personal data, and making their submission mandatory means you cannot use those features of the service without providing them, with all associated sharing and retention risks described elsewhere in the policy.
Square
· Square Privacy Notice
Biometric data and government-issued identity documents are among the most sensitive categories of personal information, and their collection triggers specific legal obligations in several US states and under GDPR that go beyond standard privacy protections.
Uber
· Uber Privacy Notice
Facial image data and government ID copies constitute sensitive personal data in multiple jurisdictions, and facial recognition or matching may qualify as biometric data under laws such as Illinois BIPA, triggering consent requirements and restrictions on retention and sharing.
This provision authorizes collection of highly sensitive personal and financial data categories, including Social Security Numbers and bank account information, from both Suppliers and Buyers. The data collection is positioned as discretionary rather than universal, but the categories listed represent the most sensitive class of personal identifiers under US and international privacy frameworks.
Plaid
· Plaid Terms of Use
This provision establishes a dual-role data use structure in which Plaid acts both as a service provider to developer partners and as an independent data user, creating compliance questions regarding whether downstream independent use is adequately disclosed to consumers at the point of consent.
Inferred profiles can be used in ways you may not anticipate, including marketing, risk scoring, and product targeting, and may reflect characteristics you have never directly disclosed to Equifax.
PayPal
· PayPal Privacy Statement
This provision discloses that PayPal may derive sensitive attributes, including income and creditworthiness estimates, from transaction behavior without requiring separate consent for each inferred attribute, and that these inferences may be used in product recommendations and risk assessments.
This provision matters because IP addresses can be used to identify a person's approximate physical location and internet service provider, and when combined with a specific wallet address, can potentially link on-chain financial activity to a real-world identity.
SoFi
· SoFi Privacy Notice
The use of third-party tracking technologies for behavioral advertising may constitute 'sharing' personal information under CCPA/CPRA, and the consent management implementation directly affects whether opt-out signals are properly recognized and applied.
This clause establishes the jurisdictional and operational framework for X's data handling practices. By conditioning consent on service use rather than requiring affirmative opt-in, the provision creates a consent mechanism that applies to all cross-border data transfers conducted by X and its corporate affiliates.
This clause provides the contractual basis for international data transfers required by Google Ads operations. Advertisers and their legal teams should evaluate whether the Standard Contractual Clauses referenced reflect the current European Commission SCCs adopted in 2021 and whether a transfer impact assessment has been conducted in accordance with EDPB guidance.
Personal data of EU, UK, and other non-US users may be transferred to and stored in the United States, which requires an adequate legal transfer mechanism under GDPR and UK GDPR to ensure the data receives equivalent protection.
GitHub
· GitHub Privacy Statement
The policy states GitHub relies on Standard Contractual Clauses for international transfers, which is the standard legal mechanism post-Schrems II; however, adequacy of these transfers depends on supplementary technical and organizational measures that are not detailed in the policy itself.
As your internet service provider, Xfinity has a privileged position to observe your online behavior at the network level, and the policy indicates this data may be used for advertising purposes, which engages both FCC and FTC jurisdiction.
Most people assume they only share data with services they have actively signed up for; this provision means Calendly may have your data simply because a colleague or business contact uses the platform.
Business users who share booking pages publicly are treated as the data controller for all information submitted by meeting invitees, meaning GDPR, CCPA, and other privacy obligations fall on the customer, not Calendly.
23andMe
· 23andMe Privacy Statement
The clause establishes the operational mechanism for research data aggregation and clarifies that participation is not permanent or irrevocable, permitting users to withdraw from the research program prospectively.
Job application data is among the most personal information a user can provide, and its classification as both Sensitive Personal Information and professional data means it carries heightened protection obligations under GDPR and CCPA/CPRA.
Apple
· Apple App Store Review Guidelines
This provision prohibits the data collection and advertising practices in child-directed apps that are most commonly associated with privacy risks to minors, including behavioral advertising identifiers, third-party analytics, and social features.
The policy states disclosure may occur based on Coinbase's good faith belief, not solely on legally compelled orders, and may proceed without notifying the user, which means users may not know when their financial and identity data has been disclosed to government authorities.
TikTok
· TikTok Community Guidelines
When law enforcement requests your data, TikTok's guidelines determine what information is disclosed, under what legal standards, and whether you are notified, which directly affects your privacy and legal exposure.
Ring
· Ring Privacy Notice
Your home security footage, which may capture activity inside and around your home, can be disclosed to law enforcement without your direct consent in response to legal process.