OpenAI
· OpenAI Enterprise Privacy
This provision establishes the mechanism by which EU-based enterprise customers can lawfully transfer personal data to OpenAI for processing. Under GDPR, a valid transfer mechanism is required for any transfer of EU personal data to a third country; the availability of SCCs via an executed DPA is the operative compliance step for EU customers.
The provision operationalizes statutory privacy rights within Headspace's service terms, establishing procedural obligations for Headspace to comply with GDPR and UK GDPR requirements and defining the timeline and scope of Headspace's response obligations.
The clause establishes a user-controllable mechanism for limiting data retention and personalization processing, while specifying that conversation data continues to be used for AI model improvement regardless of the setting's status.
This provision establishes a two-tier consent structure for DNA data: baseline collection required for service delivery and an optional research consent layer governing use and external sharing of genetic and health information. Compliance review should confirm the research consent mechanism satisfies requirements for explicit, specific, and withdrawable consent under applicable genetic privacy and data protection frameworks.
23andMe
· 23andMe Privacy Statement
The policy authorizes sharing of genetic data with external research partners, and the practical protection depends entirely on the robustness of the de-identification method used, which the summary document does not detail.
Gemini
· Gemini Privacy Policy
This provision establishes the regulatory framework applicable to Gemini's data handling practices. By asserting GLBA status, Gemini indicates its privacy obligations derive from federal banking privacy standards rather than state-level privacy laws, which may impose different notice, consent, or data handling requirements.
The operational significance is that the scope of privacy rights available to users varies based on which federal financial privacy regime applies to their information. This creates a tiered privacy framework where GLBA-governed information is not subject to the same deletion and disclosure obligations as information governed by state privacy laws.
Gemini
· Gemini Privacy Policy
The provision establishes the regulatory framework governing Gemini's privacy obligations by reference to federal law rather than state-by-state regimes. This designation determines which privacy statutes and consumer rights provisions apply to the institution's data handling practices.
Gemini
· Gemini Privacy Policy
This claim directly limits which privacy rights you can exercise as a US consumer, potentially removing protections you might expect under state laws like CCPA.
Shein
· Shein Terms and Conditions
The provision establishes the operational framework for the service to acknowledge and handle GPC signals, a standardized mechanism through which users can communicate privacy preferences to websites. This affects how the service processes requests to opt out of data sales or sharing activities covered under applicable privacy regulations.
The collection of biometric data for identity verification is subject to specific state laws including Illinois BIPA, which imposes strict notice, consent, and deletion requirements, and the policy's retention of this data may interact with those obligations.
Submitting a government ID and selfie creates a detailed identity record held by OnlyFans and its third-party processors, which, if breached or misused, could expose Creators to serious identity theft risk.
The collection of Social Security numbers and government-issued IDs represents a high-risk data category because these identifiers, if exposed in a breach, can enable identity theft and fraud. Users should understand that this data is mandatory for account creation due to federal regulatory requirements and is retained by the platform.
StockX
· StockX Privacy Policy
Government-issued ID is among the most sensitive categories of personal data, and its collection by a consumer marketplace creates heightened security and misuse risks if not properly protected.
Stripe
· Stripe Privacy Policy
Collection of government-issued identification data engages heightened sensitivity requirements under multiple privacy frameworks and triggers specific obligations regarding secure storage, limited retention, and restricted sharing under applicable identity verification and financial services regulations.
Gusto
· Gusto Privacy Policy
Health and benefits data is among the most sensitive categories of personal information, and its collection by a payroll platform creates potential obligations under HIPAA and heightened risks if exposed.
Health and fitness data is among the most sensitive categories of personal information, and its collection through always-connected hardware means Peloton builds a detailed picture of your physical condition and activity over time.
This provision identifies collection of health metrics that, while not covered by HIPAA in a consumer app context, are classified as sensitive personal information under CCPA/CPRA and subject to FTC guidance on health data. Menstrual cycle and reproductive health data have received specific regulatory and legislative attention since 2022.
Apple
· Apple App Store Review Guidelines
This provision conditions App Store approval for health and medical apps on possession of applicable regulatory credentials, and prohibits monetizing HealthKit health data through advertising, providing a baseline protection for sensitive health information.
Health and prescription data is among the most sensitive personal information, and its collection by a company that also operates digital advertising programs creates significant privacy considerations for consumers.
Garmin
· Garmin Privacy Statement
This data is among the most sensitive personal information that can be collected, and its exposure, misuse, or breach carries significant personal and legal consequences, particularly for reproductive health data given the current legal environment in some U.S. states.
Health data is one of the most sensitive categories of personal information, and its collection by an airline, including via third-party intermediaries, raises questions about how long it is retained, who it is shared with, and under what legal basis it is processed.
Whoop
· Whoop Terms of Use
The agreement discloses collection of a range of physiological and biometric-adjacent data categories on a continuous basis; the handling of this data is governed primarily by the Privacy Policy rather than these Terms, and the Terms incorporate the Privacy Policy by reference without reproducing its data sharing or retention provisions here.
OpenAI
· OpenAI Enterprise Privacy
A BAA is a legal requirement under HIPAA before a covered entity or business associate can share protected health information with a service provider. The document states this is available for qualifying customers but does not specify which services are HIPAA-eligible, requiring separate confirmation.
OpenAI
· OpenAI Data Processing Addendum
This provision places the compliance burden on the operator to identify when HIPAA applies to their use case and to execute a BAA before submitting any protected health information. Using the API with PHI without a BAA in place would constitute a potential HIPAA violation by the operator.
OpenAI
· OpenAI Enterprise Privacy
This provision establishes that API-based deployments handling protected health information may be eligible for BAA coverage, which is a prerequisite for using a third-party vendor under HIPAA. The provision specifies API deployments; compliance teams should confirm whether ChatGPT Enterprise or other product tiers are also within scope of the BAA.
This classification subjects Headspace to HIPAA's security, privacy, and breach notification requirements as a business associate, establishing a specific regulatory framework for how protected health information is handled. The provision creates institutional obligations for data protection standards and audit/compliance procedures that differ from standard commercial privacy frameworks.
Video footage and sensor data from inside a subscriber's home represent some of the most sensitive categories of personal information, and the policy's scope for using and sharing this data deserves careful consumer attention.
ADP
· ADP Privacy Statement
This provision identifies the specific categories of personal data processed by ADP as a processor, which include payroll, tax, benefits, and HR records, categories that carry heightened sensitivity in some jurisdictions and that trigger specific regulatory obligations regarding accuracy, retention, and security.
The notice explicitly authorizes human access to conversation content, and the policy advises users not to submit anything they would not want reviewed, signaling that conversation content is not treated as fully private.