This clause establishes that the advertiser's documented instructions govern the scope of Google's processing activities. It places on the advertiser the obligation to provide clear, complete, and lawful instructions, and any processing outside those instructions would constitute a potential breach of the agreement.
Suno
· Suno Privacy Policy
Chat-based prompts may reveal personal preferences, creative intent, or sensitive information, and this data is not only used to generate music but is also linked to your broader user profile and may be used for AI training and personalization.
This provision authorizes cross-site and cross-app tracking by third-party advertising companies using persistent identifiers, which is subject to Digital Advertising Alliance and Network Advertising Initiative opt-out mechanisms as well as CPRA opt-out of sharing rights for California residents.
Pika
· Pika Privacy Policy
This process is your primary internal recourse if Pika rejects a privacy rights request, and knowing the 30-day deadline is critical because missing it may limit your options.
Windsurf
· Windsurf Security & Data Handling
The document states that code snippet logs for users without zero-data retention enabled may be accessible to internal communications platforms and analytics tools used by Windsurf staff, meaning data is not restricted to a single system but may be distributed across multiple internal environments.
The policy authorizes international data transfers and asserts that policy acceptance constitutes consent to such transfers; this approach may not satisfy GDPR requirements for lawful transfer mechanisms, which generally require Standard Contractual Clauses, adequacy decisions, or other specified safeguards rather than relying on broad consent through policy acceptance.
Runway
· Runway Privacy Policy
For EU and UK users, international data transfers to the United States require a lawful transfer mechanism under GDPR Chapter V, such as Standard Contractual Clauses. The policy's reliance on user acknowledgment through service use as a consent mechanism for transfers may not satisfy GDPR transfer requirements.
Users outside the US, particularly in the EU and UK, have stronger data protection rights under local law, and transferring data to the US without a specific legal mechanism may not satisfy those legal requirements.
For users in the EU, UK, and other jurisdictions with strong data protection laws, international transfers require specific legal safeguards; this provision acknowledges the transfer risk but does not specify which transfer mechanisms Supabase relies on.
Calm
· Calm Privacy Policy
For EU, UK, and Swiss users, the lawfulness of data transfers to the US depends on these mechanisms being properly implemented and maintained.
OpenAI
· OpenAI Data Processing Addendum
This provision establishes the legal mechanism for transferring EU/EEA, UK, and Swiss personal data to OpenAI in the United States, which is a mandatory requirement under GDPR Chapter V. Operators relying on this mechanism should verify the SCCs are properly incorporated and that the associated transfer impact assessment is adequate.
Writer
· Writer Privacy Policy
This provision discloses cross-border data transfers to the United States but does not specify which transfer mechanism (such as standard contractual clauses or the EU-U.S. Data Privacy Framework) applies, which may require evaluation under current GDPR transfer adequacy requirements.
Miro
· Miro Privacy Policy
This provision establishes the legal mechanism for cross-border data transfers, which is a material compliance consideration for EU and UK enterprise customers following Schrems II and the EU-US Data Privacy Framework.
This provision acknowledges that cross-border data transfers may involve jurisdictions with lower data protection standards, a disclosure that directly implicates GDPR Chapter V transfer requirements and UK adequacy framework obligations. The policy does not specify in this section what transfer mechanisms (such as Standard Contractual Clauses) are used, though the EEA/UK section may address this.
The policy states that personal data of non-US users is processed in the United States, which does not have a general federal privacy law equivalent to GDPR, and that transfers are protected through standard contractual clauses and other approved mechanisms, though the adequacy of those mechanisms is subject to ongoing regulatory and legal developments.
EU/EEA users' data transferred to the US must be protected by an adequate transfer mechanism under GDPR; relying on consent as the basis for international transfers may not fully satisfy GDPR requirements in practice.
Gemini
· Gemini Privacy Policy
International data transfers from the EU and UK are subject to GDPR transfer restrictions, and Gemini's compliance with these requirements affects the legal basis for processing EU and UK user data.
Medium
· Medium Privacy Policy
The policy's disclosure of cross-border data transfers without specifying the legal mechanism used for EEA transfers, such as Standard Contractual Clauses or an adequacy decision, creates a compliance documentation gap relevant to GDPR Chapter V requirements enforced by EU supervisory authorities.
For EU and UK users, data transferred to the US must be protected by appropriate legal mechanisms; while SCCs are an accepted GDPR transfer tool, their adequacy in practice depends on the specific supplementary measures implemented alongside them.
Ledger
· Ledger Privacy Policy
Data transferred outside the EEA may be subject to less protective legal regimes, and compliance with post-Schrems II transfer requirements depends on whether Ledger has implemented the 2021 updated SCCs and conducted transfer impact assessments.
Fiverr
· Fiverr Privacy Policy
For EU and UK users, international data transfers carry legal significance because your data may leave a jurisdiction with strong privacy protections and be processed under different legal regimes, with Fiverr relying on Standard Contractual Clauses as the primary safeguard.
For EU and UK users, transferring data to the US requires specific legal safeguards under GDPR and UK GDPR, and asserting broad consent as the transfer mechanism may not meet the required legal standard in all cases.
EU and UK users' data is processed under US law once transferred, and the adequacy of Standard Contractual Clauses as a transfer mechanism is subject to ongoing regulatory and legal scrutiny.
Data transferred to the US is subject to US surveillance laws and may not receive the same legal protections as in the EU or UK, making the adequacy of transfer mechanisms a material compliance question for European organizations.
Twitch
· Twitch Privacy Notice
International data transfers can mean your personal information is processed in countries with different levels of legal privacy protection than your home country, which is particularly significant for EU and UK users.
The policy identifies Standard Contractual Clauses as the primary transfer mechanism for EEA personal data, which requires Datadog to conduct transfer impact assessments where required and to maintain compliant SCC documentation; APEC CBPR participation provides a separate framework for Asia-Pacific transfers.
The policy states that by using the service, users consent to data transfer to the US, which for EU and UK users intersects with GDPR requirements for lawful international data transfer mechanisms that go beyond consent alone.
Data transferred outside the EU or UK may be subject to different legal protections, and the adequacy of Standard Contractual Clauses as a transfer mechanism depends on whether supplementary measures are in place given the privacy laws of the recipient country.
The policy states that data may be transferred internationally and that standard contractual clauses or equivalent mechanisms are used, but does not specify which mechanisms apply to which transfer routes, which is relevant for EU and UK users assessing GDPR transfer compliance.
For EU and UK users, data transfers to the US require legally valid safeguards under GDPR, and the policy's reliance on consent as a transfer mechanism may not satisfy GDPR requirements in all circumstances.