Roblox
· Roblox Privacy Policy
This provision establishes a two-year post-deletion retention period for persistent identifiers, which creates a materially longer data lifecycle than account deletion alone would suggest. Under GDPR, retention beyond what is necessary for the original purpose requires a documented lawful basis and proportionality justification; under CCPA and similar state laws, users' deletion rights may be subject to exceptions for security and fraud prevention purposes.
Open-ended retention language means Equifax may hold sensitive personal and financial data for extended periods, and consumers have limited visibility into how long specific data types are retained unless they submit access requests.
Fastly
· Fastly Privacy Policy
Vague retention language without specific time limits makes it difficult for users to predict how long their data will be held or to plan deletion requests effectively. GDPR requires that retention periods be specified or determinable.
Open-ended retention language means that sensitive data including vehicle location history and driving behavior may be held indefinitely, increasing the risk of exposure and limiting consumers' practical ability to have data deleted.
Zoom
· Zoom Privacy Statement
This provision establishes that Zoom does not commit to a fixed retention period for most personal data, instead tying retention to service needs and legal requirements. The carve-out for legitimate business purposes means some data may be retained beyond the period you actively use the service.
Target
· Target Privacy Policy
Open-ended retention language means Target does not commit to deleting your data after a fixed period, which has practical implications for the scope of data available for advertising, legal discovery, or potential data breaches over time.
Retention periods determine how long your home security footage, alarm history, and account data remain accessible to SimpliSafe and potentially to third parties including law enforcement, making this a key parameter in your overall privacy risk.
Zelle
· Zelle Privacy Policy
These retention periods determine how long your personal information, including fraud reports you submitted, remains in Zelle's systems and available for potential disclosure to third parties or law enforcement.
Medium
· Medium Privacy Policy
Without fixed retention periods, your data could be held for an extended time after you stop using Medium, and you may need to actively request deletion to ensure your information is removed.
This provision establishes an open-ended retention standard that does not specify maximum retention durations for sensitive data categories such as Social Security numbers, financial account data, or credit history, which may require further evaluation under GDPR's storage limitation principle and CPRA's data minimization requirements.
The absence of fixed, disclosed retention periods for most data categories makes it difficult for users to understand how long their information is held or to exercise time-based deletion rights with certainty.
Without fixed retention periods, users cannot know how long their data will be held, which limits their ability to plan for or request deletion of their information.
Without specific retention periods, users and organizations cannot easily predict how long their data remains in Calendly's systems, which complicates data minimization and deletion compliance efforts.
Without defined retention periods, users have no clear expectation of when their query history, account data, or interaction records will be deleted, and data may be retained indefinitely under broad business purpose justifications.
The cookie-dependent opt-out mechanism means your data sale opt-out can be inadvertently reset simply by clearing your browser history or cookies, requiring ongoing vigilance to maintain the protection.
Ledger
· Ledger Privacy Policy
Security assurances in a privacy policy are statements of intent and process, not guarantees; Ledger's 2020 breach, in which over one million customer records including home addresses were leaked, is material context for evaluating these assurances.
This language limits Craigslist's liability in the event of a data breach, and means users cannot rely on a contractual security commitment when entrusting the platform with personal and financial information.
Plaid
· Plaid End User Privacy Policy
Given that Plaid handles highly sensitive financial data including account credentials and transaction histories for a large portion of the US fintech user base, the adequacy of its security practices is directly material to consumer risk.
Meta
· Llama API Terms of Service
This provision establishes a contractual security standard obligation for developers that runs parallel to, and must be assessed against, applicable regulatory security requirements such as GDPR Article 32 and the FTC's security expectations under the FTC Act and Safeguards Rule.
This provision establishes that personal data may be transferred to prospective acquirers or transaction counterparties prior to completion of a corporate transaction, without individualized user consent at the time of transfer.
A corporate transaction could result in your neighborhood, location, and behavioral data being transferred to a new entity with different privacy practices, potentially with limited user recourse.
TikTok
· TikTok Privacy Policy
This provision states that user data may be transferred to a new or acquiring entity even during negotiation stages, before any transaction is completed, and without individual user notice or consent at the time of transfer.
Canva
· Canva Privacy Policy
This provision authorizes sharing of behavioral and device data with third-party ad and analytics networks, which has implications for CCPA opt-out rights and GDPR consent requirements for tracking-based advertising.
This provision may trigger CCPA/CPRA obligations regarding the sale or sharing of personal information with advertising partners, requiring ElevenLabs to offer California residents an opt-out mechanism. Under GDPR, sharing with advertising partners requires a valid legal basis, typically consent or a documented legitimate interests assessment.
Fastly
· Fastly Privacy Policy
Cross-site tracking by advertising and analytics companies is a primary mechanism through which personal data is aggregated and profiled at scale. For EU users, this activity typically requires explicit consent under the ePrivacy Directive and GDPR.
Uber
· Uber Privacy Notice
This clause establishes that driver data including location history, trip records, and identity information may be disclosed to law enforcement and government agencies, potentially including intelligence agencies, without prior notice to the driver.
Uber
· Uber Privacy Notice
This provision authorizes sharing of sensitive location and behavioral data with insurance partners, which may affect insurance rating, claims outcomes, and coverage eligibility, and creates third-party data flows that require assessment under applicable data protection and insurance regulatory frameworks.
This provision establishes that Minecraft user data, including account identifiers, gameplay data, and device information, may be processed across Microsoft's global affiliate network. Compliance teams should evaluate whether the categories of data shared with affiliates and the purposes for which sharing occurs are disclosed with sufficient specificity to meet GDPR transparency requirements.
Twilio
· Twilio Privacy Notice
The notice authorizes disclosure of personal information to an undefined number of third-party service providers across functional categories including advertising and analytics, as well as to corporate affiliates, which may include entities operating under different privacy standards.
Writer
· Writer Privacy Policy
This provision establishes the categories of third parties with whom Writer shares personal information, which is relevant to GDPR sub-processor obligations, CCPA/CPRA sale or sharing determinations, and enterprise data processing agreement requirements.