Upwork
· Upwork Privacy Policy
For EU, UK, and Swiss users, the adequacy of the transfer mechanism directly affects whether their personal data receives the same level of protection outside Europe as it does within it. The use of SCCs requires a transfer impact assessment to be conducted and documented.
Post-Schrems II, the adequacy of SCCs for US transfers depends on supplementary measures, and multiple EU DPAs have found SCC-based transfers to US ad tech companies non-compliant — creating ongoing legal uncertainty for EU users whose data is transferred.
Strava
· Strava Privacy Policy
EU and UK users' data is processed in the United States, which is subject to US surveillance laws; Standard Contractual Clauses are the primary transfer mechanism but their adequacy has been contested, and users should be aware that their data crosses jurisdictional boundaries.
Garmin
· Garmin Privacy Statement
Standard Contractual Clauses are the primary mechanism used to legally authorize EU personal data transfers to countries like the U.S., and their validity has been subject to legal challenge; understanding this mechanism helps EU users know the basis on which their data leaves the EU.
EU and UK users' personal data is subject to US legal frameworks once transferred, and the adequacy of standard contractual clauses as a transfer mechanism has been subject to legal challenge and regulatory scrutiny.
OpenAI
· OpenAI Data Processing Addendum
SCCs are the primary legal mechanism enabling EU-to-US personal data transfers following the invalidation of Privacy Shield. The DPA's incorporation of SCCs is essential for EU and UK customers to lawfully transfer personal data to OpenAI's US-based infrastructure.
Canva
· Canva Privacy Policy
Your personal data may be processed in countries outside the EU and UK that have different privacy standards, and the legal mechanism protecting your data in those transfers is a contractual agreement rather than an independently assessed adequacy determination.
EU, UK, and Brazilian users should know their data may be transferred to the US or other countries with different privacy protections, though Bluesky states it uses legally recognized transfer mechanisms to protect that data.
Medium
· Medium Privacy Policy
Users in the EU and other countries with strong data protection laws should be aware that their data is transferred to a jurisdiction where equivalent legal protections may not apply, which affects what remedies are available if data is mishandled.
This provision establishes the legal basis for cross-border transfers of EEA, Swiss, and UK personal data to the US and other jurisdictions, but does not specify which SCC module is in use or identify the supervisory authority overseeing the transfer.
Netflix
· Netflix Privacy Statement
International data transfers from the EU/EEA and UK to countries without an adequacy decision require specific legal mechanisms under GDPR and UK GDPR; the policy's reference to transfer mechanisms indicates reliance on Standard Contractual Clauses or equivalent arrangements that are subject to ongoing regulatory scrutiny.
Even if you opt out, State Farm can still share your personal financial and insurance data for 'everyday business purposes,' meaning the opt-out provides only partial protection against intra-family data use.
The opt-out right is meaningful but narrower than it may appear: transaction and experience data continues to flow internally regardless of your preference, and the opt-out does not protect your data in the event of a corporate restructuring or line-of-business transfer.
Your financial and personal data is shared across a global corporate group and multiple third-party organisations, meaning your data leaves Revolut's direct control and may be processed in jurisdictions with different privacy standards.
Your personal data may be transferred to entities in jurisdictions that do not have EU adequacy decisions, meaning the legal protection depends on the quality and enforcement of the standard contractual clauses in place.
Your sensitive financial information could be shared with other companies for advertising purposes without you necessarily being aware, impacting your privacy.
This provision allows your insurance profile, payment history, and claims data to be accessed by marketing partners beyond the State Farm family of companies, expanding the universe of entities that hold your sensitive financial data.
Chime
· Chime Privacy Policy
Joint marketing sharing means your financial data can be used to market products from partner companies to you, and you have no legal right to prevent this under the federal GLBA framework.
Roblox
· Roblox Privacy Policy
Understanding when Roblox may disclose personal data to law enforcement, particularly for a platform with a large minor user base, is material for users and parents who rely on the platform for daily social interaction.
This provision means that your Threads posts, private messages, location data, and device identifiers could be disclosed to authorities without your knowledge, with the threshold being Meta's 'good-faith belief' rather than a confirmed legal obligation.
Stripe
· Stripe Privacy Policy
Payment processors handling financial transaction data are commonly subject to law enforcement requests including subpoenas, court orders, and regulatory demands, and the policy's disclosure of government sharing is relevant to consumers whose financial data Stripe holds.
Given Google's vast data holdings — including search history, emails, location history, and private communications — government access to Google's data can reveal extremely sensitive information about individuals' associations, movements, political views, and private life, often without the user's knowledge.
This provision authorizes Bluesky to share your data, including unencrypted direct messages, with law enforcement or government agencies based on the company's good faith belief, which extends beyond strictly legally compelled disclosures.
Uber
· Uber Privacy Notice
This provision authorizes Uber to disclose personal data including trip records, location history, and account information to law enforcement or government agencies without requiring a court order in all circumstances, relying instead on Uber's own assessment of whether disclosure is 'in accordance with' applicable law.
Gemini
· Gemini Privacy Policy
As a cryptocurrency exchange with KYC and AML obligations, Gemini is subject to regulatory requirements to report suspicious activity and respond to lawful requests for user data from government authorities.
Your Claude conversations — which may contain highly sensitive personal information, legal questions, medical queries, or confidential business information — can be disclosed to government authorities or in litigation without your prior notice in many circumstances.
As a home security company, SimpliSafe holds detailed records of who enters and exits your home, when alarms trigger, and potentially video footage of your residence, all of which could be subject to law enforcement requests.
Tinder
· Tinder Privacy Policy
For users whose sexual orientation or relationship status is sensitive in their jurisdiction, disclosure of Tinder data to law enforcement represents a meaningful safety risk — particularly for LGBTQ+ users in regions where same-sex relationships may be criminalized.
Your financial records, identity documents, and transaction history can be shared with government authorities without your knowledge, which is particularly significant given the regulatory scrutiny of cryptocurrency platforms.
Because Nextdoor holds your precise home address and neighborhood activity history, law enforcement disclosures could expose your physical location and community activity to government agencies, which has significant safety and civil liberties implications.