Adobe
· Adobe Terms of Use
The opt-out right creates a procedural pathway for users to control whether their content and usage data are subject to Adobe's analytics operations. This affects the scope of data Adobe may process for analytics, insights, and service improvement purposes.
Content Collaborators, who may not be active platform users, are required to submit highly sensitive personal and identity data to OnlyFans, creating privacy obligations for individuals who may not have directly agreed to the platform's terms.
Figma
· Figma Privacy Policy
Professional users who store confidential client designs, proprietary assets, or sensitive business information in Figma should understand that this content is collected and retained by the platform.
Bumble
· Bumble Terms and Conditions
This provision explicitly states that content review rights extend to direct messages between users, which is operationally significant given the private communication context. The clause reserves discretionary review rights while not creating an obligation, which affects the platform's DMCA safe harbor analysis and user expectations regarding message privacy.
The prohibition on interest-based advertising and remarketing is a meaningful child privacy protection, but the use of unique identifiers for contextual advertising means some form of identifier-linked ad delivery still occurs within the app.
Cursor
· Cursor Privacy Policy
This provision establishes the mechanism by which policy modifications take effect without requiring affirmative user consent. It operates as a consent-by-continued-use framework, meaning users must either affirmatively cease use or operate under modified terms, rather than requiring explicit opt-in to policy changes.
This provision determines the allocation of data protection responsibilities between the advertiser and Google. The advertiser, as data controller, bears primary responsibility for establishing a lawful basis for processing, maintaining accurate privacy notices, and responding to data subject rights requests.
Asana
· Asana Privacy Statement
This distinction determines where you direct privacy requests. If your employer deployed Asana, you may need to go to your employer first to exercise rights like access or deletion of your workspace content.
Employees and students using Microsoft products through their organization may not be able to exercise data rights (like deletion or access) directly with Microsoft and must instead go through their employer or institution, which may have different privacy practices.
The controller-processor designation determines who bears primary legal responsibility for data protection compliance and how data subject rights must be handled. Under GDPR, the controller (the business customer) retains accountability for ensuring the processor meets required standards.
This clause delineates the scope of Anthropic's Privacy Policy by excluding circumstances where Anthropic processes data under a data processing agreement with a commercial entity. It clarifies that responsibility for personal data handling and disclosure practices shifts to the commercial customer when they act as the data controller, affecting which entity's privacy documentation governs the processing.
This distinction means individual employees using monday.com through a corporate account should look to their employer's privacy policy for rights over their work data, as monday.com does not act as the controller and this policy does not grant rights over that data category.
This provision allocates data governance responsibilities by clarifying Shopify's role as a processor acting under merchant direction, establishing that merchants retain primary accountability for data handling decisions. The clause operationalizes the legal distinction between data controllers (merchants) and processors (Shopify) by directing users to the appropriate party for data practices transparency.
Fastly
· Fastly Privacy Policy
This distinction determines who you can hold accountable for your personal data and where to direct privacy requests. Most end users will not interact with Fastly directly, meaning their primary point of contact for data rights is the company whose website they visited.
This clause delineates the scope of Anthropic's Privacy Policy by carving out commercial use cases where Anthropic provides backend processing services. The distinction clarifies that responsibility for data handling practices lies with the commercial entity that has contracted Anthropic's services, not with Anthropic under this policy.
Many employees who use Smartsheet at work assume they can ask Smartsheet to delete or access their data, but this clause means Smartsheet may redirect those requests to the employer, potentially limiting practical privacy recourse.
Millions of consumers interact with businesses through Zendesk-powered support tools without knowing it; this clause determines that those consumers must pursue their privacy rights through the business, not through Zendesk directly, which can significantly affect their practical ability to exercise rights.
This provision establishes the allocation of data protection obligations between Zendesk and its business customers, determining which party bears controller responsibilities under GDPR, UK GDPR, and equivalent frameworks, and directing data subject rights requests accordingly.
Loom
· Loom Privacy Policy
In enterprise Loom deployments, your employer controls key data decisions, which means your individual rights requests may need to go to your employer first rather than directly to Atlassian.
This distinction determines which privacy protections apply to your data. For document content, your rights may depend on the business that sent you the document rather than DocuSign directly, which could limit your direct recourse with DocuSign.
Users accessing Claude through an employer account or third-party application are not covered by this policy and must consult their employer's or operator's data practices separately, which may offer different or fewer protections.
Users should be aware that sensitive personal information shared in AI chat conversations is collected and retained, and may be reproduced in AI outputs, which could have implications for confidentiality if outputs are shared with others.
The 3-year default retention period means conversation data, including any personal information submitted, is stored for an extended period unless the user actively manages deletion. The 36-hour retention window when activity controls are off means there is no option to prevent all retention of conversation content.
The agreement discloses that conversation links create publicly accessible records of potentially sensitive interactions, and Mistral AI expressly disclaims any responsibility for controlling or monitoring access to shared conversations.
Adyen
· Adyen Privacy Policy
Behavioral tracking for advertising purposes requires consent under EU and UK law, and the consent defaults built into Adyen's cookie tool determine whether your browsing data is used for targeted advertising before you make any active choice.
Chase
· Chase Privacy Notice
Your browsing behavior on Chase's digital platforms is tracked and may be used to serve you targeted advertising across the internet, meaning Chase's data collection extends beyond its own services into broader online advertising ecosystems.
Steam
· Steam Privacy Policy
Tracking technologies extend beyond basic cookies to include ad tags and device identifiers, enabling cross-context behavioral tracking that may be used for marketing purposes in addition to operational analytics.
Third-party advertising cookies can result in your browsing behavior on a health and fitness platform being shared with advertising networks, which may draw inferences about your health interests.
Ford
· Ford Terms and Conditions
The cookie consent system determines what tracking technologies collect data about your browsing behavior; choices made at the consent banner affect what data Ford and its advertising partners can collect during your visit.
Even if you have never created a Substack account, your contact details could be collected and stored if someone who has your contact information syncs their phone or address book with Substack's app.