Rumble
· Rumble Privacy Policy
This provision establishes the procedural mechanism through which users may exercise deletion rights, which is a required operational disclosure under CCPA and CPRA for covered businesses, and creates compliance obligations regarding response timelines and verification procedures.
Cohere
· Cohere Enterprise Data Commitments
The right to request data deletion is a core data governance right for enterprise customers and aligns with regulatory requirements under GDPR and CCPA. The document's recognition of this right indicates a process is available, though the specific mechanism and timeline are not fully detailed in the commitments page.
Ring
· Ring Privacy Notice
The ability to delete your Ring account data, including stored videos, is a fundamental privacy right under laws like GDPR and CCPA, and Ring's stated commitment to user control implies these mechanisms should be available.
The clause operationalizes data deletion rights by defining the boundaries of those rights through enumerated retention exceptions. This establishes the conditions under which Spotify's obligation to delete data upon user request does not apply, creating a framework for balancing deletion requests against institutional, legal, and protective obligations.
Third-party disclosure provisions determine which external entities receive user personal information and under what conditions, a material consideration for enterprise customers whose employees or end-users interact with CoreWeave's platform.
The DPA governs how personal data submitted through the API is processed; because it is incorporated by reference rather than reproduced in the main terms, customers must review it separately to understand their data processing rights and obligations.
Miro
· Miro Terms of Service
For business customers under GDPR or other data protection laws, the DPA is the operative legal instrument defining Miro's obligations as a data processor, and the subprocessors list determines which third parties may access the personal data you upload to Miro.
The DPA is the operative document for GDPR and CCPA compliance purposes, and its terms govern data controller and processor obligations, sub-processor authorization, and cross-border transfer mechanisms for personal data processed through Atlassian products.
The specific obligations, data subject rights, sub-processor disclosures, and security measures that protect your personal data under GDPR are governed by the DPA, which is not reproduced in the main terms and requires separate review.
The terms explicitly state that customer prompts and content submitted through Bedrock inference are not used to train Amazon foundation models by default, which is a material data handling commitment relevant to customers submitting proprietary or sensitive data.
AWS
· AWS Customer Agreement
This provision establishes both the data ownership framework (customer retains content ownership) and the permitted scope of AWS's access to customer content (limited to service provision and maintenance). For customers processing personal data on AWS, this provision works in conjunction with the separately available Data Processing Addendum, which governs GDPR and equivalent regulatory obligations.
Developers and businesses using LangSmith's tracing and evaluation features may transmit sensitive data, personal information, or proprietary business logic to LangChain's infrastructure, and the terms governing how that data is processed are material to compliance with GDPR, CCPA, and industry-specific regulations.
Vercel
· Vercel Terms of Service
For businesses and developers who deploy applications handling personal data, the quality and scope of these data protection commitments directly affects GDPR and CCPA compliance obligations and the adequacy of Vercel as a data processor.
Merchants who do not have adequate privacy notices or data processing agreements in place with Adyen may face GDPR compliance exposure if their customers' payment data is processed without proper legal basis.
Incorporating data protection obligations by reference to a separate DPA means customers must actively identify and review an additional document to understand how their users' authentication data is processed, stored, and protected, which is critical for GDPR and CCPA compliance.
Incorporating the privacy policy by reference means changes to that document affect your rights under this agreement, and the acknowledgment that transmissions are never fully secure may affect any expectation of confidentiality for data transmitted through Cloudflare's network.
The breadth and scale of D&B's data processing means that a significant proportion of business professionals worldwide may have data held about them in the D&B Data Cloud, often without having a direct relationship with or awareness of D&B.
This clause establishes the foundational processor-controller relationship required by GDPR Article 28, and its scope directly determines whether Perplexity's AI processing activities remain within the customer's instructed purposes or constitute independent controller activity.
GOAT
· GOAT Privacy Policy
Open-ended retention periods mean your data could be held indefinitely under broad business justifications, with limited ability for users in most jurisdictions to compel deletion beyond what specific privacy rights provide.
Udemy
· Udemy Privacy Policy
This provision establishes the temporal scope of Udemy's data processing activities and determines how long personal data including learning activity, payment records, and communications content remains subject to Udemy's use and sharing permissions.
StockX
· StockX Privacy Policy
Without specific retention periods defined for different data types, users cannot easily predict when their personal information, including sensitive data like government IDs, will be deleted.
The absence of fixed retention timelines means users cannot rely on a defined period after which their data will be deleted, and the scope of legitimate retention grounds is broad.
The absence of specific retention periods for individual data categories, particularly voice recordings and voice models, creates potential tension with GDPR's data minimization and storage limitation principles, which require that retention periods be specified or determinable.
Open-ended retention language tied to 'business needs' and 'legal obligations' without specific retention periods means consumers have limited visibility into how long sensitive data such as location records, call logs, and financial information is actually stored.
The absence of defined retention periods for specific data types like authentication logs means Cisco may retain this data for an extended and indeterminate period, which is relevant to privacy rights and data minimization requirements.
The absence of specific retention periods for individual personal information categories, particularly health and pharmacy data, creates compliance considerations under CCPA/CPRA's data minimization requirements and HIPAA's record retention standards. Retention periods that are not bounded by specific timelines may face scrutiny under CPRA's proportionality standard.
Open-ended retention periods tied to broadly defined purposes such as 'legal obligations' and 'enforcing agreements' may result in personal data being retained for extended periods without a clear maximum duration disclosed to consumers.
Intuit
· Intuit Privacy Statement
Open-ended retention language tied to legal obligations and dispute resolution means sensitive financial data, including tax records and government identifiers, could be retained for extended periods without a specific deletion deadline.
The absence of specific retention periods for sensitive financial and identity data means Public may retain your SSN, trading history, and financial account information for an indeterminate period after you close your account.
The retention standard is tied to broadly stated purposes rather than specific time periods, which means the duration of data retention may vary and is not fixed to a defined schedule visible to users.