HIPAA provides meaningful federal protections for clinical health data, including restrictions on how it can be used and shared, and gives patients specific rights including access, amendment, and accounting of disclosures that go beyond general privacy law.
Windsurf
· Windsurf Security & Data Handling
Healthcare organizations using Windsurf should be aware that a BAA is described as available for 'significant implementations' rather than as a standard offering, meaning smaller healthcare customers may need to specifically request and negotiate one.
Noom
· Noom Privacy Policy
Many users assume that a health and wellness app is subject to HIPAA protections; this disclaimer clarifies that Noom's data practices are governed by its own privacy policy and applicable consumer privacy laws, not HIPAA's stricter health data standards.
Home lending clients are subject to a wider data sharing network than standard investment clients, and consent to this sharing is embedded in the agreement to begin a loan application, not a separate affirmative opt-in.
HubSpot tracking on this page may involve collection of visitor identifiers, IP addresses, and behavioral data transmitted to HubSpot as a third-party processor. For an enterprise AI platform's Trust page, the presence of undisclosed third-party behavioral tracking requires evaluation under applicable privacy regulations.
This provision establishes that disabling Gemini Apps Activity does not prevent human reviewer access to conversation content, meaning the opt-out control available to users does not fully restrict human processing of their inputs. Compliance teams should evaluate whether this scope of reviewer access and its relationship to user-facing controls satisfies applicable transparency and purpose limitation obligations.
Identity verification requirements for data rights requests are standard but the policy does not specify what information is required or what standards apply, which could result in requests being denied in ways that may not align with regulatory expectations.
Your immigration status can directly affect which Revolut features you can use. Users relying on Revolut for financial services should check whether their visa type qualifies for the features they need before opening an account.
This incorporation by reference mechanism consolidates privacy obligations across Microsoft properties under a single governing document. The operational effect is that personal data practices applicable to Minecraft are defined and modified through the Microsoft Privacy Statement rather than exclusively through the Minecraft-specific privacy policy.
Incorporation by reference creates a multi-layered privacy framework where Minecraft users are subject to both the Minecraft Privacy Statement and the Microsoft Privacy Statement. This structure centralizes data practices across Microsoft products rather than maintaining a standalone Minecraft policy.
This provision establishes the company's operational framework for handling data subject access requests and rights exercises under applicable data protection regimes. The reference to a separate Global Data Subject Rights Policy Statement creates a procedural pathway through which individuals may submit and have processed requests related to their personal data.
The existence of a rights portal is the primary mechanism through which individuals can discover and control what data D&B holds about them, particularly relevant given D&B's data broker status and the likelihood that many individuals are unaware their data is held.
ADP
· ADP Privacy Statement
These rights are meaningful only if ADP can verify your identity and respond within legally required timelines. Because ADP often acts as a processor for employers, some rights may need to be exercised through your employer rather than directly with ADP.
Windsurf
· Windsurf Security & Data Handling
This provision establishes a materially different default data protection posture for individual users compared to organizational plan users, requiring individual users to take an affirmative opt-in action to prevent retention of code snippets and interaction data. Compliance teams assessing GDPR or CCPA obligations for individual developer users should evaluate whether this opt-in structure satisfies applicable data minimization and consent requirements.
The explicit acknowledgment of profiling that infers psychological trends, predispositions, and aptitudes from retail purchase data is notably broad and represents one of the more expansive profiling disclosures in consumer retail privacy notices.
Inference data is one of the more sensitive categories under modern privacy law because it represents conclusions drawn about you that you may not be aware of, and which may affect how you are marketed to or evaluated.
The policy confirms that Midjourney generates and discloses inferences about user characteristics and behavior, which under CCPA and CPRA may be subject to specific opt-out and deletion rights beyond standard data categories.
Behavioral profiling using both first-party usage data and third-party advertising partner data can create inferences about sensitive attributes such as health, political views, or finances, even when that data was not directly provided by the user.
Target
· Target Privacy Policy
Inferences drawn to create consumer profiles are a specifically enumerated category under CCPA/CPRA and analogous state statutes, subject to access rights, deletion rights, and in some contexts correction rights; the breadth of the enumerated inference categories (including psychological trends and aptitudes) extends beyond standard purchase-preference profiling.
Calm
· Calm Privacy Policy
Inferred demographic characteristics can be used to personalize content and advertising without your explicit knowledge, and inferences about protected characteristics may engage additional legal protections in certain jurisdictions.
The policy states that Pinterest builds inferred interest profiles using both on-platform and off-platform activity data, which means the data used to target you reflects a combination of your Pinterest behavior and your broader online activity as observed through partner integrations.
TikTok
· TikTok Privacy Policy
The policy authorizes TikTok to build inferred profiles about demographic attributes and personal interests from collected data, which may then inform ad targeting and content personalization beyond what users have explicitly disclosed.
Inferred profiling can result in a detailed personal profile being built from behavioral signals, which may be used for ad targeting and content personalization without your explicit knowledge of the specific inferences made about you.
This provision establishes that Meta collects a broad set of device-level and network-level identifiers and signals from Threads users across all devices, and combines this data across devices. Cross-device identity linking enables persistent tracking of user behavior across sessions, devices, and contexts beyond the Threads application itself.
The policy authorizes collection of both explicit content, such as posts and profile data, and behavioral data, such as viewing patterns, interaction history, and usage duration, which together can be used to build detailed profiles for advertising and personalization.
Pika
· Pika Privacy Policy
Understanding when and to whom Pika shares your personal information is important for evaluating your privacy exposure, particularly if sensitive information such as your creative content or usage patterns is involved.
Retention periods determine how long your purchase history, location data, and behavioral profiles are held by Instacart and potentially shared with third parties; longer retention periods extend the window during which your data may be used for advertising or other commercial purposes.
Roblox
· Roblox Privacy Policy
Disclosure of practices for sharing information with authorities is relevant to government request transparency and user notice obligations under GDPR, which generally requires disclosure of lawful bases for processing that includes compliance with legal obligations, and under US state privacy laws that require disclosure of law enforcement data sharing.
The inclusion of 'when we believe' disclosure is necessary to protect rights or safety, in addition to legally compelled disclosures, gives T-Mobile discretion to share data with government entities beyond situations of formal legal compulsion.
Users who share sensitive personal information in Claude prompts, such as health details, financial data, or identifying information, should be aware that this data is collected and stored, and could be reproduced in outputs or used for other purposes described in the policy.