Roblox
· Roblox Privacy and Cookie Policy
This provision operationalizes COPPA's data minimization requirement for child users and establishes three specific remedial actions Roblox states it will take upon receiving excess personal information from under-13 users. The provision also reflects the policy's stated commitment to filtering public communications from child users to remove personal information.
This provision establishes age-based access controls and a COPPA compliance commitment. The mechanism for enforcement relies on user self-representation at account creation rather than independent age verification, which is typical but creates a gap between stated policy and practical enforcement.
Parents are responsible for establishing and managing accounts for younger children, and Microsoft's platform relies on parental consent mechanisms to comply with COPPA and equivalent international laws, meaning parents should actively review and configure Family Safety settings.
Microsoft
· Microsoft Services Agreement (Legacy)
This clause implements compliance with the Children's Online Privacy Protection Act (COPPA), which mandates verifiable parental consent before collecting personal information from children under 13. The provision establishes the procedural mechanism by which Microsoft obtains parental authorization before account creation.
The minimum age threshold of 16 is higher than COPPA's 13-year statutory minimum, which means Substack has adopted a stricter standard that also captures 13 to 15-year-olds who might otherwise legally use other platforms.
The policy reserves the right to transfer all user personal data, including learning history, identifiers, and payment information, to a third party in the context of a corporate transaction, without requiring separate user consent at the time of transfer.
Fitbit
· Fitbit Privacy Policy
A change in ownership could mean your sensitive health and fitness data, collected under Fitbit's current privacy practices, is governed by a different company's policies, potentially with different sharing and retention practices.
Medium
· Medium Privacy Policy
This provision establishes that personal data may be disclosed to prospective acquirers or transaction counterparties prior to deal completion, which creates data exposure outside Medium's direct operational relationships and may engage GDPR requirements for lawful transfer basis during pre-transaction due diligence.
A future acquirer of Perplexity would receive your historical query data and account information, and may operate under a different privacy policy than the one you originally agreed to.
RunPod
· RunPod Privacy Policy
This provision permits transfer of user personal data to third parties as part of corporate transactions, including during the negotiation phase prior to transaction completion, which may occur without direct user notification depending on the transaction structure.
Rumble
· Rumble Privacy Policy
This provision establishes that all collected personal data is transferable to acquiring entities without requiring individual user consent beyond notification, which is a standard U.S. commercial practice but may require evaluation under GDPR, Canadian, and other international privacy frameworks depending on the nature and destination of any transfer.
A change in ownership could result in your personal data being controlled by a different company with different privacy practices, and you may not have advance notice or a meaningful ability to prevent the transfer.
This clause means your personal data, including identity documents, payment information, and precise location history, could be transferred to a new owner whose privacy practices may differ from FanDuel's current policy, with no opt-out mechanism described for this scenario.
OpenAI
· OpenAI Privacy Policy
This provision authorizes transfer of personal data during corporate transactions, including during the negotiation phase, without requiring individual user notification prior to the transfer, which may affect the continuity of the privacy protections users accepted.
This provision authorizes disclosure of personal information to potential and actual acquirers, and separately acknowledges that in insolvency proceedings Pinecone may not be able to control how personal data is treated, which creates uncertainty about downstream data handling.
The policy authorizes transfer of user personal data, including account information and transaction records, to acquiring or successor entities as part of corporate transactions, without requiring user notification or consent at the time of transfer.
BeReal
· BeReal Privacy Policy
A corporate transaction could result in your personal data being controlled by an entirely different company with different privacy practices, and you may have limited ability to prevent this transfer.
Personal data could transfer to a different company with potentially different privacy practices in a corporate transaction, and users may have limited ability to prevent this under the terms as stated.
CPNI is a legally protected category of telecommunications data; how Verizon uses it for marketing purposes is subject to FCC rules that impose specific consent and opt-out standards distinct from general commercial privacy law.
This provision identifies Verizon's obligations as a telecommunications carrier under FCC CPNI rules, which impose sector-specific consent and use restrictions on call detail and network usage data beyond those required by general consumer privacy law. Compliance with these obligations is enforced by the FCC.
T-Mobile
· T-Mobile Terms and Conditions
CPNI includes sensitive call detail records and location-adjacent usage data; without opting out, this data can be used to market additional services to you across T-Mobile's family of companies.
CPNI use authorization establishes the operational scope of how telecommunications carriers may leverage call detail records, service usage patterns, and related metadata for commercial purposes within their own marketing operations, subject to regulatory frameworks governing such use.
CPNI is a federally protected category of information that carriers are generally prohibited from sharing with outside companies without your consent; however, the policy asserts T-Mobile can use it internally for marketing unless you opt out, which is the standard carrier practice under current FCC rules.
This provision establishes a data controller boundary that places responsibility for subscriber data governance on individual Creators when Substack acts as a processor on their behalf. The practical implication is that subscriber privacy rights and data handling practices vary across publications, and Substack's policy does not govern those interactions, which may require subscribers to review multiple separate privacy policies.
PayPal
· PayPal User Agreement
This provision authorizes ongoing credit report access beyond initial account opening, triggered by PayPal's internal risk assessment, which may result in multiple credit inquiries over the life of the account.
Cross-border transfers of personal data to countries without equivalent data protection standards create potential risk that your data will be handled under a less protective legal framework than where you live.
This provision addresses cross-border data transfers, which engage GDPR adequacy and standard contractual clause requirements for EU/EEA users and analogous frameworks in other jurisdictions. The policy asserts that appropriate safeguards are in place but does not specify the legal transfer mechanisms used.
Users in the EU, UK, and other jurisdictions with data export restrictions need to know that their data may be processed in countries with different privacy standards, and that legal safeguards are promised but not specifically named.
This provision frames Canadian user consent to cross-border data transfer as implicit in accepting the privacy policy, which may require evaluation against Canadian privacy legislation governing cross-border transfers and accountability obligations.
These certifications are the legal basis on which D&B transfers personal data from the EU, UK, and Switzerland to the United States; if a certification lapses or is challenged, the lawfulness of those transfers could be called into question.