Lyft
· Lyft Privacy Policy
Drivers' sensitive personal data including criminal history and identity documents is shared with multiple third parties outside of Lyft's direct control.
Uber
· Uber Privacy Notice
The notice provides access and deletion rights but includes a broad retention carve-out for legal, safety, and business purposes, which may significantly limit the practical scope of deletion rights depending on how broadly Uber applies these categories.
Slack
· Slack Terms of Service
Individual users of Slack at work should be aware that their employer — not Slack — controls their workspace data and may access their communications without notice.
Stripe
· Stripe Privacy Policy
Millions of consumers interact with Stripe only through third-party merchant checkouts and may not realize that to delete or access their payment data held by Stripe, they must go through the merchant who collected it, creating a practical barrier to exercising data rights.
Microsoft
· Microsoft Privacy Statement (Legacy)
Many people use Microsoft products at work or school without realizing that Microsoft's consumer privacy protections do not apply — their employer or institution controls their data and sets the privacy rules.
EU users interacting with CoreWeave's cloud platform need to know whether their data is processed lawfully and whether adequate safeguards exist for any transfers of their data outside the EU/EEA.
EU and UK data protection law provides some of the strongest privacy rights globally, and the use of Standard Contractual Clauses for transfers to the US means those rights travel with your data, though the practical enforceability depends on the transfer mechanism's ongoing validity.
The DPF is the current post-Schrems II mechanism for EU-US data transfers, but its legal adequacy has been challenged and could be invalidated, which would affect the lawfulness of TaskRabbit's data transfers.
Figma
· Figma Privacy Policy
EU users have strong legally enforceable rights over their personal data, and the lawfulness of Figma transferring their data to the US depends on whether adequate transfer safeguards are in place.
Your personal data does not stay only with Ticketmaster; it flows to multiple third parties who may use it independently, including for their own marketing, and you may have limited visibility into what each Event Partner does with your information once received.
The external processing carve-out means that third-party vendors and affiliates may access your child's data as processors, even without specific parental consent for each such transfer, provided they operate under Google's instructions and privacy commitments.
Stripe
· Stripe Privacy Policy
The policy authorizes sharing of payment and identity data with a broad category of Financial Partners, which includes entities consumers may not have a direct relationship with or awareness of.
Because McDonald's franchisees are independent business operators rather than direct McDonald's employees, data shared with them may be subject to different privacy practices and accountability structures than data retained by McDonald's corporate.
Stripe
· Stripe Privacy Policy
Your payment card details, transaction history, and identity data may be shared with dozens of third-party financial institutions and intermediaries, creating a wide data footprint beyond Stripe itself.
Zelle
· Zelle Privacy Policy
Victims of Zelle fraud who report scams through the website may not realize their personal information and fraud details will be disclosed to the financial institution of the person who received the funds, which could have implications for dispute resolution and financial recovery.
Extensions dramatically expand the data sharing surface beyond Google, creating a chain of data processors whose privacy practices users are expected to independently evaluate — a significant consumer protection gap.
The terms authorize sharing of conversation content with third-party extension providers, whose data practices are governed by their own policies rather than Google's, meaning users interacting with extensions should review each third party's privacy terms.
The inclusion of generative AI services in the list of data-sharing recipients is a notable disclosure that may not have been expected by users, and raises questions about what personal data specifically flows to AI systems and for what purposes.
This characterization limits 23andMe's obligations regarding the clinical accuracy and diagnostic utility of its results, and is related to a separate research consent process that governs how genetic data may be used in research activities.
Affirm
· Affirm Privacy Policy
Under GLBA, non-affiliate sharing for marketing requires you to be given a chance to opt out — if you don't act, your financial data may be used for marketing purposes by companies you've never heard of.
The GLBA notice establishes your rights regarding financial data sharing, including what categories of information are shared, with whom, and what opt-out rights you have. As a financial services provider, Cash App has specific legal obligations under GLBA that supplement the general privacy policy.
Your Xbox messages, voice recordings, and account data could be disclosed to government authorities not just under a court order but also when Microsoft unilaterally determines it is necessary to protect safety or its own interests — a broad discretionary standard.
Uber
· Uber Privacy Notice
This provision means your trip history, location data, payment information, and communications could be disclosed to government authorities based on legal process or Uber's own assessment of necessity, which has implications for privacy and civil liberties.
Your browsing data and IP address held by Cloudflare could be disclosed to government agencies without your knowledge, particularly under national security requests where notification is legally prohibited.
Uber
· Uber Privacy Notice
This provision means your location history, trip records, and communications could be disclosed to government authorities, potentially without your prior knowledge depending on the jurisdiction and legal process involved.
Lyft
· Lyft Privacy Policy
The policy permits disclosure of your trip history, location data, and other personal information to government or law enforcement not only under compulsory legal process but also when Lyft determines it is 'reasonably necessary,' which is a discretionary standard that goes beyond strict legal compulsion.
Stripe
· Stripe Privacy Policy
Your financial transaction records, identity information, and behavioral data can be shared with government agencies or law enforcement without your knowledge or consent in response to legal process.
Airbnb
· Airbnb Privacy Policy
This clause means that law enforcement or government agencies can obtain your personal data, booking records, communications, and identity information from Airbnb through legal process, which is particularly relevant for privacy-sensitive travel.
Understanding when a platform will share your information with law enforcement is particularly important for a platform used predominantly by minors, as both parents and users should be aware of the circumstances under which their data may be disclosed to authorities.
The policy reserves the right to share attendee health and safety data, which may include names, contact details, seat locations, and entry and exit times, with government authorities, which represents a significant disclosure to state actors that consumers may not anticipate when purchasing tickets.