Precise real-time location data is one of the most sensitive categories of personal information because it can reveal where you live, work, worship, seek medical care, and who you associate with. The fact that this data may be shared with partners and licensees extends its reach beyond Apple.
TikTok
· TikTok Privacy Policy
Approximate location is collected by default from IP address and device settings, while precise location collection requires enabling location services; the policy states location services can be disabled in device settings at any time, giving users a direct control mechanism.
Location data is collected passively and continuously even without explicit user consent to GPS tracking, meaning approximate location is inferred from network data regardless of your location permission settings.
Marketo Munchkin creates persistent tracking cookies and associates browsing behavior with known contacts in Teladoc's CRM, meaning a business decision-maker researching telehealth plans for their employees could be identified, profiled, and targeted — and health-adjacent browsing data could become part of that profile.
Metadata about your communication patterns can reveal sensitive information about your relationships, health, religion, or professional activities even when message content remains private, and this metadata is shared with Meta's broader platform.
Your IP address, which can reveal your approximate location and internet provider, is retained for up to a year and is also the data type that can be disclosed to law enforcement under a judicial order.
GitHub
· GitHub Terms of Service
Parents and guardians should be aware that GitHub collects account data from users as young as 13, and minors using the platform are subject to the same terms and content exposure as adults.
While Google provides stronger data use protections for minors and students, data is still collected and retained, and the onus is on school administrators to configure appropriate settings — creating a compliance gap for underfunded or under-resourced educational institutions.
Netflix
· Netflix Privacy Statement
The policy's assertion that Netflix does not knowingly collect personal information from children under 13 engages COPPA obligations; however, the presence of Kids Profile features and the collection of viewing and usage data for profiles associated with child accounts may require evaluation under applicable children's privacy standards.
Calm
· Calm Privacy Policy
Mood and reflection data is among the most personal information a user can share with a wellness app; understanding how this data is stored, used, and potentially shared is important for users trusting Calm with their mental wellness journey.
Tag management systems can load dozens of downstream tracking pixels and scripts from advertising and analytics partners; the full extent of third-party data collection is determined by the tag container configuration, which is not visible to users from the privacy notice alone.
Netflix
· Netflix Privacy Statement
Gaming data collection is an emerging privacy frontier with limited specific regulation, and Netflix's detailed gameplay tracking creates a behavioral profile that extends significantly beyond video streaming data.
Netflix
· Netflix Privacy Statement
The Netflix Games data collection layer adds device-level identifiers, gameplay behavioral data, and social visibility of certain game data on top of the standard Netflix data collection, expanding the overall data profile Netflix holds about users who play games.
PayPal
· PayPal Privacy Statement
This provision discloses that data collection and the associated Privacy Statement obligations apply even to individuals who have not affirmatively created a PayPal account, and that historical transaction data collected before account creation may be linked to a new account retroactively.
PayPal
· PayPal Privacy Statement
This provision means that people who have never agreed to PayPal's terms of service may still have their personal and transaction data collected, and that data may be retroactively linked to a formal account, expanding PayPal's data profile of that individual.
You can have a data profile at Pinterest without ever signing up, which limits your ability to exercise standard account-based privacy controls and raises questions about the adequacy of notice provided to non-users.
People who have never interacted with ZipRecruiter may have their professional contact information held and used by the platform without their knowledge or direct consent.
This provision describes data collection that occurs outside the LinkedIn platform, meaning browsing behavior on third-party websites carrying LinkedIn tracking elements contributes to LinkedIn's profile of your interests and is used for ad targeting and personalization.
The 90-day advance notice requirement, jointly selected auditor, and customer-borne costs collectively create a high practical threshold for exercising on-site audit rights, which may limit their utility as a real-time compliance verification tool. These conditions are notable relative to some enterprise DPA frameworks that impose shorter notice periods or allow customer-selected auditors.
Open Banking access gives Revolut visibility into your full financial picture across multiple institutions, which is more extensive than data collected solely from your Revolut account activity.
Stripe
· Stripe Privacy Policy
Millions of people who have never signed up for Stripe may have their data collected and profiled simply by checking out on a merchant website, without realizing Stripe is involved.
Most people have no idea Cloudflare is collecting their data, because they interact with the website they're visiting, not with Cloudflare directly — yet Cloudflare still processes their personal information.
Because Cloudflare handles a significant portion of global internet traffic, this passive collection affects an enormous number of people who have no direct relationship with Cloudflare and may be unaware their data is being collected.
Lyft
· Lyft Privacy Policy
Financial data is highly sensitive and its collection and storage by Lyft creates potential exposure if there is a data breach or unauthorized access.
Fiverr
· Fiverr Privacy Policy
Your financial data including billing addresses and transaction history is retained by Fiverr for an unspecified period and shared with payment processing partners, creating potential exposure if those third parties experience a data breach.
Financial data collection through WhatsApp's payments features introduces a category of sensitive personal information beyond standard messaging metadata, and this data is subject to the same broad Meta sharing framework described elsewhere in the policy.
Steam
· Steam Privacy Policy
Valve acts as an intermediary for your payment data rather than fully delegating to the payment processor, meaning your card details pass through Valve's systems — users should ensure Valve's PCI DSS compliance.
Fly.io
· Fly.io Privacy Policy
While using a third-party payment processor reduces PCI DSS risk, your billing and payment data is still shared with and stored by that third party, introducing additional vendor risk.
Collection and storage of payment card data implicates Payment Card Industry Data Security Standards (PCI DSS) and creates financial fraud risk for users if the data is not adequately secured.
Fly.io
· Fly.io Privacy Policy
Understanding exactly what personal data is collected is the foundation of any privacy rights you may wish to exercise, including deletion or access requests.