This provision determines the allocation of direct regulatory obligations between Smartsheet and its enterprise customers under GDPR and CCPA. Where Smartsheet acts as a processor, enterprise customers bear primary controller obligations for data subject rights fulfilment and breach notification, and must have Data Processing Agreements in place.
This scope exclusion clarifies the division of data governance responsibility between Anthropic and its commercial customers. When Anthropic processes data as a processor rather than a controller, the commercial customer's privacy obligations and disclosures apply, which affects which entity's privacy terms users should consult for data handling practices.
This provision establishes that employees and contractors using Atlassian tools through an enterprise account may need to direct data subject rights requests to their employer rather than directly to Atlassian, and their employer's data governance practices apply to content within the account.
This provision allocates responsibility for personal data governance by designating the customer as the entity responsible for establishing privacy policies and responding to data subject inquiries. The bifurcation clarifies that Smartsheet's primary obligation is to the customer organization, not to individual end-users whose data is processed through the platform.
This distinction allocates legal and operational responsibility between Cloudflare and its customers under data protection frameworks. By defining Cloudflare as processor rather than controller, the provision clarifies that customers retain primary accountability for lawful processing, while Cloudflare's role is limited to executing processing activities per customer direction.
This clause clarifies the data protection framework by delineating AWS's role as a processor rather than controller for customer data stored on AWS infrastructure. It specifies that responsibility for data protection compliance and privacy disclosures transfers to the business customer in their capacity as controller.
This provision establishes a bifurcated data governance structure in which data subject rights requests for customer-submitted data must be directed to HubSpot's business customers, not to HubSpot directly, which affects how data subjects can exercise GDPR and CCPA rights depending on the category of data at issue.
This allocation of data controller responsibility clarifies the operational relationship and regulatory obligations between Cisco, the enterprise customer, and end users under data protection frameworks. It establishes that privacy right requests and data governance determinations flow through the enterprise customer as the primary data controller rather than through Cisco.
ADP
· ADP Privacy Statement
This provision determines who you can hold accountable for your data. For most employees, ADP is not the primary point of contact for data rights, which can make exercising those rights slower or more complex.
This provision establishes the legal responsibility framework for personal data processing. The allocation of controller and processor roles determines which entity bears regulatory compliance obligations under data protection law, including responding to data subject access requests and implementing data protection safeguards.
Fastly
· Fastly Privacy Policy
The distinction between controller and processor roles carries different legal obligations under data protection frameworks such as GDPR. As a controller, Fastly bears primary responsibility for lawfulness of processing; as a processor, it operates under customer direction and instruction. This dual-role designation clarifies Fastly's legal accountability and obligations in different operational contexts.
This distinction means that if you want to exercise privacy rights regarding data processed on behalf of a third-party website, you may need to contact that website's operator rather than Cloudflare directly, which can make it harder to know where to direct requests.
Writer
· Writer Privacy Policy
The dual-role structure determines Writer's legal obligations and liability framework under data protection regulations. When acting as a processor, Writer's data handling is governed by service agreements with business customers; when acting as a controller, Writer's data practices are governed by this privacy policy and applicable data protection law.
Workday
· Workday Privacy Statement
This clause delineates Workday's operational role and responsibility boundaries in the data processing relationship. By identifying the business customer as the data controller, the provision clarifies that the customer organization—not Workday—bears primary responsibility for determining the lawful basis and purposes of personal data processing.
The absence of clear controller/processor designation creates ambiguity regarding legal responsibilities and data governance obligations under data protection frameworks. This affects the allocation of compliance duties, liability, and data subject rights between CoreWeave and Weights & Biases.
This provision defines the data collection scope for the service's core function. It establishes that conversation content—including user inputs and system outputs—constitutes data Luma AI retains and may process, which is operationally significant for understanding what information the service captures during normal use.
The provision establishes a tiered retention framework that permits users to control the duration conversation data remains accessible in their accounts, with differentiated options based on user age. This defines the operational scope of data persistence within the service infrastructure.
This clause establishes the operational scope of data use for model development, permitting the company to leverage user interactions as training material for service improvement without requiring separate user consent per interaction.
OpenAI
· OpenAI Privacy Policy
This provision establishes a data utilization practice that directly supports the entity's core business function of model training and refinement. The operational significance lies in how user-generated content becomes input for subsequent model iterations without requiring separate consent for each training cycle.
The provision establishes the operational framework for cross-device user identification and third-party advertising partnerships. It creates a mechanism for users to modify tracking preferences while specifying default tracking authorization absent affirmative modification.
Udemy
· Udemy Privacy Policy
The provision establishes the operational framework for first-party and third-party data collection across the platform. This authorization enables both internal analytics operations and integration with external advertising and analytics partners for advertising targeting.
Lime
· Lime Privacy Policy
The provision establishes the operational basis for automated data collection across Lime's services and partner websites. This tracking infrastructure generates the usage and behavioral data that supports Lime's advertising delivery and service improvement functions.
Roblox
· Roblox Privacy Policy
The provision establishes the operational infrastructure through which Roblox collects behavioral data about user interactions with its services. This data collection mechanism supports both service functionality (device recognition, preference retention) and commercial objectives (usage analysis, personalized content delivery, advertising targeting).
Neon
· Neon Privacy Policy
This provision establishes the operational basis for data collection infrastructure that supports service delivery, product improvement, and advertising operations. It defines the scope of tracking technologies deployed across the Neon platform and the purposes for which behavioral and device data are processed.
The provision establishes the operational framework under which Patreon gathers behavioral and usage data through automated tracking tools. This data collection mechanism supports platform functionality, analytics, advertising, and service personalization operations.
Adyen
· Adyen Privacy Policy
The provision establishes the operational basis for Adyen's data collection infrastructure and creates a consent requirement framework that differentiates between essential and non-essential tracking. This structure determines which tracking activities proceed automatically versus those requiring explicit user authorization before implementation.
Notion
· Notion Privacy Policy
This provision establishes the technical mechanisms through which Notion collects behavioral and usage data, and creates authorization for partner entities to conduct independent tracking. The scope of tracking technologies and third-party collection affects the volume and sources of data generated during service use.
This provision establishes the operational framework for Home Depot's collection and analysis of user behavioral data across digital properties. The authorization to deploy third-party tracking mechanisms enables the company to facilitate data sharing with advertising and analytics partners as part of its digital service delivery infrastructure.
The provision establishes the operational scope of data collection mechanisms available to the service and its partners. By authorizing multiple tracking technology categories for distinct purposes—service functionality versus advertising—the clause defines the technical infrastructure through which user activity information is systematically collected and processed.
The monitoring system operationalizes cookie consent compliance by identifying misalignments between consent settings and actual cookie deployment. This enables TikTok to track instances where consent frameworks may not be functioning as configured, supporting audit and compliance documentation.