Third-party tracking on the Duo website means your browsing behavior may be shared with advertising and analytics partners outside of Cisco, and you may be tracked across websites if third-party cookies are in use.
Cohere
· Cohere Privacy Policy
Cookie and tracking data collection is subject to consent requirements in the EU under the ePrivacy Directive and GDPR, and the policy states that a cookie consent tool is available, which is relevant to users who want to limit tracking on the website.
Replit
· Replit Privacy Policy
Cookies and tracking technologies may be used to collect behavioral and device data that is shared with advertising and analytics partners; browser-level cookie blocking is disclosed as a control mechanism, but the policy does not specify whether a cookie preference center or granular consent mechanism is available.
This provision establishes a minimum age of 16 for platform use, which is above the COPPA threshold of 13, and commits Substack to deleting data collected from under-16 users upon discovery. The provision does not describe specific technical age verification mechanisms, which may be relevant to assessing COPPA compliance in practice.
This provision permits the transfer of personal information to acquirers or transaction counterparties in the context of a corporate transaction. Under CCPA and GDPR, such transfers may require notification to data subjects and, in certain cases, may be subject to additional consent or objection rights depending on the nature of the processing change.
This provision permits personal information to transfer to successor entities in a corporate transaction, which may result in users' data being governed by a different entity's privacy practices following a transaction.
Notion
· Notion Privacy Policy
This provision authorizes transfer of user personal data to a successor entity in a corporate transaction without requiring individual user consent at the time of the transaction, which is a standard but material clause for users who store sensitive content in their Notion workspace.
The policy authorizes disclosure of all categories of personal data described in the document in the event of a merger, acquisition, or bankruptcy, without specifying user notification obligations or the ability to opt out prior to such transfer.
In a corporate transaction, your personal information becomes a transferable asset, and the new entity may have different privacy practices, potentially affecting how your data is used even if you did not consent to the change.
If your personal and financial data is transferred to or stored in other countries, it may be subject to different legal protections than those in your home jurisdiction, and applicable local law may permit access by foreign governments or other entities.
The policy's use of a group-level data controller definition, with the specific responsible entity identified only in Section 12, is operationally significant under GDPR, which requires clear identification of the data controller and their contact details in privacy notices. Users and compliance teams must consult Section 12 to determine which entity holds data controller responsibility for a specific service or jurisdiction.
GitHub
· GitHub Copilot Business Privacy Statement
CSA STAR Level 2 certification provides cloud-specific security assurance that is frequently referenced in enterprise cloud procurement policies and may satisfy cloud security requirements in data protection agreements and customer contracts.
Groq
· Groq Privacy Policy
Consumers engaging with Groq's support team should be aware that their conversations, which may include sensitive account or billing information, may be recorded and retained.
Medium
· Medium Privacy Policy
Linking a third-party account to Medium means that data flows from that platform to Medium, potentially expanding the scope of personal information Medium holds about you beyond what you provided directly.
Suno
· Suno Privacy Policy
Using third-party login passes some of your profile data from those platforms to Suno, meaning your data footprint on Suno begins before you manually enter any information.
RunPod
· RunPod Privacy Policy
Having a clear contact point for privacy inquiries is a baseline requirement under GDPR and a good practice under CCPA; users should know this channel exists if they need to exercise data rights.
This clause governs the disposition of advertiser personal data at the end of the service relationship, implementing the GDPR Article 28(3)(g) requirement. Advertisers should understand the procedures for exercising this right and confirm what data categories are covered, including data stored in Google's ad serving and reporting infrastructure.
OpenAI
· OpenAI Data Processing Addendum
This provision establishes the operator's right to data deletion or return at contract end, which is a standard GDPR Article 28(3)(g) requirement. Operators should confirm what process applies and what data categories are covered, including any data that may have been used in fine-tuning or logged for safety purposes.
Users who delete conversations expecting immediate removal should know that the data may remain in Anthropic's systems for up to 30 days, during which it could potentially be subject to the uses described elsewhere in the policy.
OpenAI
· OpenAI Privacy Policy
Data portability provisions establish operational procedures for users to obtain copies of their information and transfer it to other services. This mechanism affects how OpenAI manages user data requests and the technical infrastructure required to facilitate data retrieval.
This clause establishes a data portability mechanism that allows account holders to retrieve and transfer their stored content independent of Google's services. The authorization applies to the full scope of content maintained within a Google Account.
This provision establishes Salesforce's legal framework for cross-border data transfers from European jurisdictions to the United States, creating accountability mechanisms through DPF certification that include liability for onward transfers to third parties. The certification satisfies regulatory requirements under EU and UK data protection law that would otherwise restrict such transfers.
The policy does not specify fixed retention periods for most data categories, meaning data could be retained for extended periods based on broadly defined business needs, which affects the practical value of deletion rights.
Gusto
· Gusto Privacy Policy
Without specific retention periods disclosed for sensitive data categories like SSNs and bank account information, users cannot easily assess how long their most sensitive data remains in Gusto's systems.
Because retention periods vary significantly by data type and product and are not fixed, users cannot determine with certainty how long specific categories of their personal data will be held by Microsoft.
Auth0
· Auth0 Privacy Policy
The absence of specific retention periods for most data categories means users cannot easily determine how long their information is kept or plan deletion requests around a known timeline.
Canva
· Canva Privacy Policy
The policy does not specify defined retention periods for particular data categories, which is relevant to GDPR's data minimization and storage limitation principles and may be a point of inquiry for compliance teams or data subject rights requests.
The absence of specific retention periods makes it difficult for users to know how long their prompts, images, and account data are stored, and creates compliance ambiguity under GDPR's data minimization and storage limitation principles.
Acorns
· Acorns Privacy Policy
The retention standard stated in this provision is broadly defined by reference to service necessity, legal obligations, dispute resolution, and agreement enforcement, without specifying maximum retention periods for particular data categories, which may create compliance ambiguity under regulations that impose specific retention period requirements or data minimization obligations.
This provision establishes a purpose-based and legally required retention framework without specifying concrete retention periods for any category of personal data. The absence of defined retention timelines may complicate data subject deletion requests and may require evaluation under GDPR's storage limitation principle, which requires that data not be kept longer than necessary.