Government-issued identity documents and tax information are among the most sensitive categories of personal data, and making their submission mandatory means you cannot use those features of the service without providing them, with all associated sharing and retention risks described elsewhere in the policy.
Square
· Square Privacy Notice
Biometric data and government-issued identity documents are among the most sensitive categories of personal information, and their collection triggers specific legal obligations in several US states and under GDPR that go beyond standard privacy protections.
Uber
· Uber Privacy Notice
Facial image data and government ID copies constitute sensitive personal data in multiple jurisdictions, and facial recognition or matching may qualify as biometric data under laws such as Illinois BIPA, triggering consent requirements and restrictions on retention and sharing.
This provision authorizes collection of highly sensitive personal and financial data categories, including Social Security Numbers and bank account information, from both Suppliers and Buyers. The data collection is positioned as discretionary rather than universal, but the categories listed represent the most sensitive class of personal identifiers under US and international privacy frameworks.
Plaid
· Plaid Terms of Use
This provision establishes a dual-role data use structure in which Plaid acts both as a service provider to developer partners and as an independent data user, creating compliance questions regarding whether downstream independent use is adequately disclosed to consumers at the point of consent.
Inferred profiles can be used in ways you may not anticipate, including marketing, risk scoring, and product targeting, and may reflect characteristics you have never directly disclosed to Equifax.
PayPal
· PayPal Privacy Statement
This provision discloses that PayPal may derive sensitive attributes, including income and creditworthiness estimates, from transaction behavior without requiring separate consent for each inferred attribute, and that these inferences may be used in product recommendations and risk assessments.
This provision matters because IP addresses can be used to identify a person's approximate physical location and internet service provider, and when combined with a specific wallet address, can potentially link on-chain financial activity to a real-world identity.
SoFi
· SoFi Privacy Notice
The use of third-party tracking technologies for behavioral advertising may constitute 'sharing' personal information under CCPA/CPRA, and the consent management implementation directly affects whether opt-out signals are properly recognized and applied.
This clause establishes the jurisdictional and operational framework for X's data handling practices. By conditioning consent on service use rather than requiring affirmative opt-in, the provision establishes a consent mechanism that applies to all cross-border data transfers conducted by X and its corporate affiliates.
This clause provides the contractual basis for international data transfers required by Google Ads operations. Advertisers and their legal teams should evaluate whether the Standard Contractual Clauses referenced reflect the current European Commission SCCs adopted in 2021 and whether a transfer impact assessment has been conducted in accordance with EDPB guidance.
Personal data of EU, UK, and other non-US users may be transferred to and stored in the United States, which requires an adequate legal transfer mechanism under GDPR and UK GDPR to ensure the data receives equivalent protection.
GitHub
· GitHub Privacy Statement
The policy states GitHub relies on Standard Contractual Clauses for international transfers, which is the standard legal mechanism post-Schrems II; however, adequacy of these transfers depends on supplementary technical and organizational measures that are not detailed in the policy itself.
As your internet service provider, Xfinity has a privileged position to observe your online behavior at the network level, and the policy indicates this data may be used for advertising purposes, which engages both FCC and FTC jurisdiction.
Most people assume they only share data with services they have actively signed up for; this provision means Calendly may have your data simply because a colleague or business contact uses the platform.
Business users who share booking pages publicly are treated as the data controller for all information submitted by meeting invitees, meaning GDPR, CCPA, and other privacy obligations fall on the customer, not Calendly.
23andMe
· 23andMe Privacy Statement
The clause establishes the operational mechanism for research data aggregation and clarifies that participation is not permanent or irrevocable, permitting users to withdraw from the research program prospectively.
Job application data is among the most personal information a user can provide, and its classification as both Sensitive Personal Information and professional data means it carries heightened protection obligations under GDPR and CCPA/CPRA.
Apple
· Apple App Store Review Guidelines
This provision prohibits the data collection and advertising practices in child-directed apps that are most commonly associated with privacy risks to minors, including behavioral advertising identifiers, third-party analytics, and social features.
The policy states disclosure may occur based on Coinbase's good faith belief, not solely on legally compelled orders, and may proceed without notifying the user, which means users may not know when their financial and identity data has been disclosed to government authorities.
TikTok
· TikTok Community Guidelines
When law enforcement requests your data, TikTok's guidelines determine what information is disclosed, under what legal standards, and whether you are notified, which directly affects your privacy and legal exposure.
Ring
· Ring Privacy Notice
Your home security footage, which may capture activity inside and around your home, can be disclosed to law enforcement without your direct consent in response to legal process.
The policy discloses collection of precise geolocation and financial account details, both of which are classified as sensitive personal information under CPRA and trigger additional rights including the right to limit use, which must be operationally distinct from general opt-out mechanisms.
Lime
· Lime Terms of Service
Precise geolocation data is among the most sensitive categories of personal data. It can reveal where you live, work, and spend time, and may be shared with third parties including advertisers and service providers.
The terms authorize collection and use of real-time GPS location data for advertising purposes in addition to navigation functionality; the detailed scope of data collection is deferred to a separate Privacy Policy incorporated by reference.
BeReal
· BeReal Privacy Policy
Precise geolocation is among the most sensitive categories of personal data because it can reveal where you live, work, worship, and socialise; sharing it with third-party partners expands the number of entities that hold this sensitive information.
This provision states that location data is collected both through explicit permission (precise GPS) and passively through IP address and device settings, and that this data is used for advertising purposes, which creates an ongoing data collection practice that may persist regardless of whether users actively share their location.
Tinder
· Tinder Privacy Policy
Continuous background location collection on a dating app creates meaningful privacy and safety risks, particularly for users in sensitive situations, because precise location data can reveal home addresses, workplaces, and daily routines.
Location data is among the most sensitive categories of personal information because it can reveal your home, workplace, medical appointments, religious practices, and other sensitive patterns of behavior.
This provision establishes that Verizon collects precise location data from multiple technical sources across both Verizon services and, in some circumstances, third-party contexts. Precise location data is classified as sensitive personal information under CPRA and intersects with FCC CPNI location data protections.