This provision describes the consumer rights framework applicable under CCPA/CPRA and analogous state laws. The non-discrimination right and the sensitive personal information limitation right are specific CPRA additions that create distinct operational obligations beyond prior CCPA requirements.
This provision establishes the consumer rights infrastructure for multiple U.S. state privacy statutes, including CPRA, VCDPA, CPA, CTDPA, and TDPSA, and specifies the operational channels available to exercise those rights.
The policy extends privacy rights disclosures beyond California to residents of six additional states, reflecting the expansion of state comprehensive privacy laws, though the specific rights and mechanisms available vary by state.
Depending on which state you live in, you may have additional rights to access, correct, delete, or limit the use and sharing of your personal information that go beyond what the general notice describes.
The number of states with active privacy rights covered by this policy is significant and growing; consumers in these states have concrete legal rights to control their data that go beyond what the general policy describes.
The clause operationalizes state-specific privacy obligations by explicitly recognizing privacy rights regimes beyond California and establishing a centralized mechanism for rights exercise. This reflects Equifax's adoption of a uniform privacy rights framework across multiple state jurisdictions rather than applying differentiated policies based on residency.
State-specific tariffs create a framework where service costs are determined by filed regulatory schedules rather than uniform pricing. This provision operationalizes compliance with state-level telecommunications regulation and establishes the basis for how charges are calculated and justified across different service territories.
State tariffs can define specific rights and limitations that differ from Verizon's general customer agreement, and understanding which state-specific rules apply to your service may affect your pricing, dispute rights, and service conditions.
State tariffs can affect pricing, service terms, and dispute resolution procedures for regulated telecommunications services, and consumers in tariffed states may have different rights than those in non-tariffed states.
This clause operationalizes a statutory consumer protection mechanism by defining the temporal scope of warranty claims, the available remedies, and the conditions under which Global-e may limit their application. The provision establishes that users bear no burden of proof during the first 24 months following delivery.
The stop payment fee represents a discrete transaction charge within the bank's fee schedule structure. This provision clarifies the cost basis for customers initiating stop payment requests and establishes the fee as part of the institution's standard service pricing.
Strava
· Strava Terms of Service
The commercial use of de-identified fitness and location data is disclosed and acknowledged as continuing even after account deletion, which means data derived from your activities may remain in commercial use after you leave the platform.
Stripe
· Stripe Connect Platform Agreement
This provision establishes that the user's operational access to their account data and transaction information may be administered through two channels, either of which may be restricted by the connected platform, affecting the user's visibility into their own account activity.
Stripe
· Stripe Privacy Policy
The provision establishes the operational framework for Stripe Link's core functionality—persistent credential storage across multiple merchant platforms. This mechanism enables streamlined payment processing while defining the scope of data Stripe retains and deploys in the payment authorization workflow.
Stripe
· Stripe Privacy Policy
The dual role designation determines Stripe's obligations and responsibilities under data protection regulations. As a controller, Stripe determines processing purposes and means; as a processor, Stripe processes data on behalf of other controllers. This allocation of responsibility affects liability, compliance obligations, and the contractual relationships governing data handling.
Stripe
· Stripe Terms of Service
This clause establishes the contractual foundation for Stripe's data processing activities and defines the permissible uses of user data within the service relationship. It clarifies that data processing authority derives from explicit user consent rather than unilateral company action.
This data sharing arrangement establishes a direct information flow between the platform and content creators, creating a mechanism by which Teachers receive behavioral and demographic data about their audience. The provision's operational significance lies in defining which user attributes and activity metrics become accessible to the Teacher side of the platform.
DeepL
· DeepL Privacy Policy
This provision authorizes the transfer of user personal data to multiple categories of third-party processors and asserts that GDPR-compliant data processing agreements govern these transfers. Compliance teams should verify the adequacy of these agreements and the completeness of the sub-processor list, particularly for organizations with strict data residency or sub-processor approval requirements.
This provision establishes the operational framework for data access by external service providers and defines the scope of permissible use by those parties. The clause creates contractual obligations on sub-processors to limit their access and use, which structures Tabnine's data governance model across its service delivery chain.
OpenAI
· OpenAI Data Processing Addendum
This clause establishes the procedural framework governing third-party processor engagement under data protection regulations. It conditions sub-processor use on advance notification and creates a structured objection process rather than requiring affirmative approval for each processor change.
OpenAI
· OpenAI Data Processing Addendum
This provision operates as a general authorization for sub-processor changes, meaning operators are deemed to consent unless they actively object within the specified window. Operators who do not monitor the sub-processor list may inadvertently accept new sub-processors without review.
This clause governs the sub-processor oversight mechanism required by GDPR Article 28(2); the practical enforceability of the objection right depends on the notice period length and whether the termination remedy is commercially available to the customer without penalty.
Windsurf
· Windsurf Security & Data Handling
This provision discloses the full subprocessor chain and the conditions under which each provider may access code-derived data, enabling enterprise compliance teams to conduct third-party risk assessments and verify alignment with their vendor approval requirements. The disclosure that multiple analytics dashboard tools may expose code logs for users not on zero-data retention mode is operationally significant for individual user data governance.
OpenAI
· OpenAI API Data Usage Policies
GDPR Article 28 requires processors to obtain prior authorization from the data controller before engaging subprocessors, and the controller must be informed of any intended changes; the subprocessor list is the mechanism for this disclosure.
Windsurf
· Windsurf Security & Data Handling
The document discloses that code data submitted to Windsurf may be processed by multiple third-party compute providers for model training and hosting, which extends the data exposure footprint beyond Windsurf's own infrastructure.
Glean
· Glean Privacy Policy
The provision operationalizes Glean's responsibility for sub-processor oversight by requiring contractual commitments around data limitation and security with downstream processors. The disclosure mechanism allows data subjects to identify which entities process their personal data on Glean's behalf.
OpenAI
· OpenAI Enterprise Privacy
GDPR Article 28 requires processors to obtain controller authorization before engaging sub-processors and to impose equivalent data protection obligations on them. The sub-processor notification mechanism is operationally significant for enterprise customers who must evaluate whether new sub-processors affect their own compliance posture or require updated data transfer assessments.
The clause establishes the operational framework for data processing through external vendors and defines the contractual obligation to impose data protection requirements on those vendors. This determines the scope of entities with authorized access to user personal data and the minimum protective standards applied across the processing chain.
The clause establishes the operational framework through which personal data flows to external service providers across multiple functional categories. This structure defines the scope of authorized data sharing relationships and imposes confidentiality requirements on downstream recipients.
Subprocessors are downstream vendors who also access or process personal data. The terms governing how and when customers are notified of new subprocessors affect whether businesses can maintain adequate oversight of their data supply chain.